Add security headers and policies #3540
Conversation
Works towards #1521
google-cla
bot
added
the
cla: yes
|
Visit the preview URL for this PR (updated for commit 5c75c04): https://dart-dev--pr3540-misc-add-some-securi-pt7d3ziq.web.app (expires Sun, 12 Sep 2021 22:09:53 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: d851bc446d3c4d7394c5406c6f07255afc7075f3 |
firebase.json
Outdated
| { | ||
| "source": "**", | ||
| "headers": [ | ||
| { "key": "Content-Security-Policy", "value": "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://gstatic.com https://*.gstatic.com https://dartpad.dev https://*.dartpad.dev https://youtube.com https://fonts.googleapis.com https://doubleclick.net https://*.doubleclick.net https://google.com https://*.google.com https://storage.googleapis.com; object-src 'none'; base-uri 'none'; style-src https: 'unsafe-inline'"}, |
There was a problem hiding this comment.
Why do we need: 'unsafe-inline' 'unsafe-eval'
I'm guess there is an actual reason :D
Perhaps we file a follow-up to fix this.
There was a problem hiding this comment.
The search page and the Google Tag Manager script on every page relied on unsafe-inline. Adding the hashes, I was able to remove unsafe-inline, and as far as I can there are no new problems popping up from that change.
unsafe-eval seems trickier as it is currently used by Google CSP for the search page as well as on the Dart SDK Archive page.
There was a problem hiding this comment.
@parlough another option, instead of adding hashes is to embed the Google Tag Manager script from a .js file.
See:
https://github.com/dart-lang/pub-dev/blob/master/static/js/gtm.js
That's how we did on pub.dev
parlough
changed the title
|
It's worth shipping even with |
The Flutter docs site scores a [C for security](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev). One factor is the Content Security Policy, an HTTP header that can prevent [Cross Site Scripting (XSS)](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev) attacks. This PR adds the CSP to the Flutter docs site HTTP headers. It would resemble the fix applied to the Dart homepage in [Dart PR #3540](dart-lang/site-www#3540) based on [Dart issue #1521](dart-lang/site-www#1521) This change is based on the pub.dev site. Fixes #6381 Co-authored-by: Brett Morgan <brettmorgan@google.com>
The Flutter docs site scores a [C for security](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev). One factor is the Content Security Policy, an HTTP header that can prevent [Cross Site Scripting (XSS)](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev) attacks. This PR adds the CSP to the Flutter docs site HTTP headers. It would resemble the fix applied to the Dart homepage in [Dart PR flutter#3540](dart-lang/site-www#3540) based on [Dart issue flutter#1521](dart-lang/site-www#1521) This change is based on the pub.dev site. Fixes flutter#6381 Co-authored-by: Brett Morgan <brettmorgan@google.com>
Closes #1521