Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security headers and policies #3540

Merged
merged 8 commits into from
Sep 8, 2021
Merged

Add security headers and policies #3540

Changes from 6 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
bc06225
Add simple security headers
parlough Sep 1, 2021
915facf
Apply new security headers to all requests
parlough Sep 2, 2021
663cc22
Add basic CS policy
parlough Sep 2, 2021
cf4467e
Add X-XSS-Protection policy for older browsers
parlough Sep 2, 2021
19475fe
Fix trailing comma
parlough Sep 2, 2021
31bec51
Expand content security policy to fix search and archive
parlough Sep 2, 2021
613ffad
Replace unsafe-inline with hashes
parlough Sep 5, 2021
5c75c04
Fix YouTube embed
parlough Sep 5, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions firebase.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,20 @@
"trailingSlash": false,
"headers": [{
"source": "**/*.@(txt|json)",
"headers": [ { "key": "Access-Control-Allow-Origin", "value": "*" } ]
}],
"headers": [
{ "key": "Access-Control-Allow-Origin", "value": "*" }
]
},
{
"source": "**",
"headers": [
{ "key": "Content-Security-Policy", "value": "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://gstatic.com https://*.gstatic.com https://dartpad.dev https://*.dartpad.dev https://youtube.com https://fonts.googleapis.com https://doubleclick.net https://*.doubleclick.net https://google.com https://*.google.com https://storage.googleapis.com; object-src 'none'; base-uri 'none'; style-src https: 'unsafe-inline'"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need: 'unsafe-inline' 'unsafe-eval'

I'm guess there is an actual reason :D

Perhaps we file a follow-up to fix this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The search page and the Google Tag Manager script on every page relied on unsafe-inline. Adding the hashes, I was able to remove unsafe-inline, and as far as I can there are no new problems popping up from that change.

unsafe-eval seems trickier as it is currently used by Google CSP for the search page as well as on the Dart SDK Archive page.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@parlough another option, instead of adding hashes is to embed the Google Tag Manager script from a .js file.

See:
https://github.com/dart-lang/pub-dev/blob/master/static/js/gtm.js

That's how we did on pub.dev

{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin"},
{ "key": "X-Frame-Options", "value": "SAMEORIGIN"},
{ "key": "X-Content-Type-Options", "value": "nosniff"},
{ "key": "X-XSS-Protection", "value": "1; mode=block"}
]
}],
"redirects": [
{ "source": "/\\)", "destination": "/", "type": 301 },
{ "source": "/+", "destination": "https://plus.sandbox.google.com/+dartlang", "type": 301 },
Expand Down