-
Notifications
You must be signed in to change notification settings - Fork 683
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add security headers and policies #3540
Conversation
Works towards #1521
Visit the preview URL for this PR (updated for commit 5c75c04): https://dart-dev--pr3540-misc-add-some-securi-pt7d3ziq.web.app (expires Sun, 12 Sep 2021 22:09:53 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: d851bc446d3c4d7394c5406c6f07255afc7075f3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems reasonable..
firebase.json
Outdated
{ | ||
"source": "**", | ||
"headers": [ | ||
{ "key": "Content-Security-Policy", "value": "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://gstatic.com https://*.gstatic.com https://dartpad.dev https://*.dartpad.dev https://youtube.com https://fonts.googleapis.com https://doubleclick.net https://*.doubleclick.net https://google.com https://*.google.com https://storage.googleapis.com; object-src 'none'; base-uri 'none'; style-src https: 'unsafe-inline'"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need: 'unsafe-inline' 'unsafe-eval'
I'm guess there is an actual reason :D
Perhaps we file a follow-up to fix this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The search page and the Google Tag Manager script on every page relied on unsafe-inline
. Adding the hashes, I was able to remove unsafe-inline
, and as far as I can there are no new problems popping up from that change.
unsafe-eval
seems trickier as it is currently used by Google CSP for the search page as well as on the Dart SDK Archive page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@parlough another option, instead of adding hashes is to embed the Google Tag Manager script from a .js
file.
See:
https://github.com/dart-lang/pub-dev/blob/master/static/js/gtm.js
That's how we did on pub.dev
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks fine.
@kwalrath you'll want to check if this creates issues when rolling it out, and then revert if it does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but let's wait just a bit before merging this.
It's worth shipping even with |
The Flutter docs site scores a [C for security](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev). One factor is the Content Security Policy, an HTTP header that can prevent [Cross Site Scripting (XSS)](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev) attacks. This PR adds the CSP to the Flutter docs site HTTP headers. It would resemble the fix applied to the Dart homepage in [Dart PR #3540](dart-lang/site-www#3540) based on [Dart issue #1521](dart-lang/site-www#1521) This change is based on the pub.dev site. Fixes #6381 Co-authored-by: Brett Morgan <brettmorgan@google.com>
The Flutter docs site scores a [C for security](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev). One factor is the Content Security Policy, an HTTP header that can prevent [Cross Site Scripting (XSS)](https://securityheaders.com/?q=https%3A%2F%2Fdocs.flutter.dev) attacks. This PR adds the CSP to the Flutter docs site HTTP headers. It would resemble the fix applied to the Dart homepage in [Dart PR flutter#3540](dart-lang/site-www#3540) based on [Dart issue flutter#1521](dart-lang/site-www#1521) This change is based on the pub.dev site. Fixes flutter#6381 Co-authored-by: Brett Morgan <brettmorgan@google.com>
Closes #1521