
Add rule(s) to check the usage of the Content-Security-Policy HTTP header #25

Open
1 of 2 tasks
alrra opened this issue Mar 9, 2017 · 3 comments

Comments

alrra (Contributor) commented Mar 9, 2017

  • Check if the header is sent for non-HTML resources (e.g.: on images, fonts, etc.) - done in c55bdfb.
  • Check whether older, deprecated versions of the header are sent (i.e.: X-WebKit-CSP, X-Content-Security-Policy).

  • TODO: Look into what other checks we can add for this (e.g.: validate the content of the header, upgrade-insecure-requests)

See also:

@alrra alrra changed the title Add rule to check the usage of the Content-Security-Policy HTTP header Add rule(s) to check the usage of the Content-Security-Policy HTTP header Mar 9, 2017
alrra added a commit that referenced this issue Apr 12, 2017
@molant molant closed this as completed Sep 6, 2018
@molant molant reopened this Jan 8, 2019
Malvoz (Member) commented Apr 30, 2019

See also:

https://content-security-policy.com/

I don't think the owner is updating that site for CSP spec changes :(

The following resources are pretty sweet and indicate we could do with a new hint for when CSP is missing object-src 'none':

According to "Adopting a strict policy": https://csp.withgoogle.com/docs/strict-csp.html "setting object-src 'none' Prevents fetching and executing plugin resources embedded using <object>, <embed> or <applet> tags. The most common example is Flash.".

While the csp-evaluator (repo: https://github.com/google/csp-evaluator) reports:

[screenshot: object-src-csp]

Meanwhile I have updated object-src at MDN with the following description (if you're looking for inspiration for such a description):
[screenshot: object-src-csp2]

molant (Member) commented Dec 11, 2019

Thanks, great reply.

From the webappsec issue, I think this is great advice:

If you think that Content-Security-Policy is irrelevant for a particular document, and/or the server hasn't been configured to have a different CSP for a given response, then I would recommend sending Content-Security-Policy: base-uri 'none'; default-src 'none'. If you are using HTTP/2 then, after the first such response, this will be compressed to almost nothing for future responses.

What I'd suggest to you guys is to not raise the error for the case of small CSP headers that are disabling JS. Continue to raise the error for non-HTML CSP headers that are too long or impotent (implies poor server configuration as per your original intent here).

Originally posted by @chrisgraham in #3403 (comment)

BillGoldstein commented Dec 16, 2019

Please review so as to allow CSP, etc., on SVG, as it can contain style, script, foreignObject.
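The checks discussed across this thread, collected into one runnable audit as an added example (this is not the project's own hint code, and none of the names below come from its code base): the deprecated X-WebKit-CSP / X-Content-Security-Policy header names from the opening issue, the object-src 'none' check Malvoz quotes from csp-evaluator, the minimal "base-uri 'none'; default-src 'none'" policy that chrisgraham's quoted advice says should be tolerated on non-HTML responses, and BillGoldstein's point that SVG is script-capable and should be treated like HTML. The sample responses in SAMPLE_RESPONSES are constructed, and the function and constant names (parseCsp, auditCsp, SCRIPT_CAPABLE_TYPES, and so on) are this example's own choices.

```javascript
// Added example, not the project's own code: a CSP header audit that
// implements the checks discussed in this thread. All sample responses
// below are constructed; header names are treated case-insensitively.

const DEPRECATED_CSP_HEADERS = ['x-webkit-csp', 'x-content-security-policy'];

// Content types whose documents can run script and so need a real policy.
// SVG is included because it can carry <script>, <style> and <foreignObject>.
const SCRIPT_CAPABLE_TYPES = ['text/html', 'application/xhtml+xml', 'image/svg+xml'];

// Parse "dir a b; dir2 c" into a Map of directive name -> source list.
// A repeated directive is ignored, as the CSP spec requires (first one wins).
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// True for a policy of the "base-uri 'none'; default-src 'none'" kind: every
// directive is exactly 'none' and default-src is among them, so nothing
// (including script) can load. This is the small header the thread suggests
// tolerating on non-HTML responses.
function isMinimalDisablingPolicy(directives) {
  if (!directives.has('default-src')) return false;
  for (const sources of directives.values()) {
    if (sources.length !== 1 || sources[0] !== "'none'") return false;
  }
  return true;
}

function isScriptCapable(contentType) {
  const mime = (contentType || '').split(';')[0].trim().toLowerCase();
  return SCRIPT_CAPABLE_TYPES.includes(mime);
}

// headers: plain object of response header name -> value.
// Returns the list of findings (empty when the response passes).
function auditCsp(headers) {
  const findings = [];
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  for (const old of DEPRECATED_CSP_HEADERS) {
    if (old in h) findings.push(`deprecated header ${old} is sent; use Content-Security-Policy`);
  }

  const csp = h['content-security-policy'];
  const scriptCapable = isScriptCapable(h['content-type']);

  if (csp === undefined) {
    if (scriptCapable) findings.push('no Content-Security-Policy on a script-capable resource');
    return findings;
  }

  const directives = parseCsp(csp);

  if (!scriptCapable) {
    // An image or font cannot run script, so a full policy here usually means the
    // server applies one header to everything. The minimal disabling policy is
    // accepted because HTTP/2 header compression makes it nearly free to send.
    if (!isMinimalDisablingPolicy(directives)) {
      findings.push(`Content-Security-Policy on a non-HTML resource (${h['content-type'] || 'unknown type'}) that is not the minimal disabling policy`);
    }
    return findings;
  }

  // object-src falls back to default-src when absent; flag unless the effective
  // value is exactly 'none', which blocks <object>, <embed> and <applet> content.
  const objectSrc = directives.get('object-src') || directives.get('default-src') || [];
  if (objectSrc.length !== 1 || objectSrc[0] !== "'none'") {
    findings.push("object-src is not restricted to 'none' (plugin content can be embedded)");
  }
  return findings;
}

// Constructed sample responses, one per situation discussed in the thread.
const SAMPLE_RESPONSES = {
  htmlNoObjectSrc: { 'content-type': 'text/html; charset=utf-8', 'content-security-policy': "default-src 'self'; script-src 'self'" },
  htmlStrict: { 'Content-Type': 'text/html', 'Content-Security-Policy': "default-src 'self'; object-src 'none'; base-uri 'none'" },
  pngWithFullCsp: { 'content-type': 'image/png', 'content-security-policy': "default-src 'self'; script-src 'self' https://cdn.example" },
  pngMinimal: { 'content-type': 'image/png', 'content-security-policy': "base-uri 'none'; default-src 'none'" },
  legacy: { 'content-type': 'text/html', 'x-webkit-csp': "default-src 'self'", 'content-security-policy': "default-src 'none'" },
  svgNoCsp: { 'content-type': 'image/svg+xml' },
};

// Run the audit over every sample; returns { sampleName: findings[] }.
function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) out[name] = auditCsp(headers);
  return out;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

Of the constructed samples, only htmlStrict and pngMinimal come back clean: the HTML page without object-src is flagged because it inherits default-src 'self', the PNG carrying the site-wide policy is flagged as a misconfigured server, the page still sending X-WebKit-CSP is flagged for the legacy header alone (its default-src 'none' already covers object-src), and the SVG without any policy is flagged because SVG can run script.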


4 participants