[CSP] enhancements to default policy #156

Closed
Malvoz opened this issue May 17, 2018 · 2 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
Malvoz commented May 17, 2018

The current default, Header set Content-Security-Policy "script-src 'self'; object-src 'self'", means authors need to explicitly specify all types of directives that apply, which may be a bit tedious to set up and maintain. E.g. (not considering cross-origin resources) a site's policy could eventually look something like:

Header set Content-Security-Policy
  "base-uri 'none';
   connect-src 'self';
   font-src 'self';
   form-action 'self';
   frame-ancestors 'none';
   img-src 'self';
   manifest-src 'self';
   media-src 'self';
   object-src 'self';
   prefetch-src 'self';
   style-src 'self';
   script-src 'self';
   worker-src 'self';
   upgrade-insecure-requests"

Instead, I suggest setting default-src 'self', which acts as a fallback source list for all fetch directives.

With this approach, you would still need to include:

This is important because, unlike fetch directives, the document and navigation directives do not fall back to default-src and allow all origins by default.

New example default policy might look like:

Header set Content-Security-Policy
  "base-uri 'none'; #[1]
   default-src 'self'; 
   form-action 'self'; 
   frame-ancestors 'none';
   upgrade-insecure-requests" #[2]

[1] Note that setting base-uri to 'self' while not intending to use the <base> element could break site functionality if an attacker manages to inject a <base href="https://my-site.com">. Because the majority of sites do not use the <base> element, the value 'none' may be a better default.

[2] Additionally, the upgrade-insecure-requests directive is recommended for secure context configurations to prevent mixed content.


Finally, I think having an example of adding an external resource would be useful, such as allowing fonts from another origin.
font-src is a fetch directive and falls back to default-src; however, we still need to specify 'self' if we wish to add an external URL such as Google Fonts:

font-src 'self' https://fonts.googleapis.com;
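The fallback behaviour the comment above relies on, checked in code. This is an added example, not code from the h5bp/server-configs-apache project or from the issue author. The fallback chains are the ones defined in CSP Level 3 (assumption: the target browsers implement them as specified); the two policy strings are constructed from the repository's old default and the replacement proposed in this issue. It shows that default-src covers every fetch directive, that base-uri, form-action and frame-ancestors stay unrestricted unless set explicitly, and that an explicit font-src replaces default-src rather than extending it, which is why 'self' has to be repeated.

```python
"""Check which CSP directives actually fall back to default-src.

Added example; not code from h5bp/server-configs-apache. The fallback
chains follow CSP Level 3 (assumed to match what target browsers implement).
"""

# Fetch directives and, in order, the directives they fall back to when absent.
# Anything NOT in this table (base-uri, form-action, frame-ancestors, sandbox,
# report-uri, ...) has no fallback: if it is missing, nothing is restricted.
FALLBACK_CHAIN = {
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "prefetch-src": ["default-src"],
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

# Document/navigation directives that default-src will never cover.
NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"]


def parse_csp(header_value):
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Directive names are case-insensitive. A repeated directive is ignored
    (the first occurrence wins), as the spec requires.
    """
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def effective_sources(policy, directive):
    """Return (sources, governing_directive) for `directive`.

    governing_directive is the directive whose source list the browser will
    actually enforce, or None when nothing restricts this directive at all.
    An explicit directive replaces the fallback entirely; lists never merge.
    """
    if directive in policy:
        return policy[directive], directive
    for fallback in FALLBACK_CHAIN.get(directive, []):
        if fallback in policy:
            return policy[fallback], fallback
    return None, None


def unrestricted(policy):
    """List the well-known directives a policy leaves wide open."""
    candidates = sorted(set(FALLBACK_CHAIN) | set(NO_FALLBACK))
    return [d for d in candidates if effective_sources(policy, d)[1] is None]


# Constructed inputs: the repo's old default and the replacement proposed above.
OLD_DEFAULT = "script-src 'self'; object-src 'self'"
PROPOSED = ("base-uri 'none'; default-src 'self'; form-action 'self'; "
            "frame-ancestors 'none'; upgrade-insecure-requests")

if __name__ == "__main__":
    for label, value in (("old", OLD_DEFAULT), ("proposed", PROPOSED)):
        policy = parse_csp(value)
        print(f"{label}: unrestricted = {unrestricted(policy)}")
        for d in ("img-src", "worker-src", "form-action", "frame-ancestors"):
            print(f"  {d:16} -> {effective_sources(policy, d)}")
```

Running it against the old default reports img-src, connect-src, font-src and the three navigation directives as unrestricted, while the proposed policy reports none; parsing "default-src 'self'" on its own still leaves base-uri, form-action and frame-ancestors open, which is the reason they appear explicitly in the proposed header.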
Malvoz commented Jun 21, 2018

Updated for clarifications!

@LeoColomb LeoColomb added the enhancement New feature or request label Aug 12, 2018
@LeoColomb LeoColomb added this to the v4.0.0 milestone Nov 23, 2018
XhmikosR (Member) commented
@Malvoz Can you make a PR?

@LeoColomb LeoColomb added the help wanted Extra attention is needed label Mar 13, 2019
Malvoz added a commit to Malvoz/server-configs-apache that referenced this issue Mar 18, 2019
LeoColomb pushed a commit to Malvoz/server-configs-apache that referenced this issue Mar 23, 2019
LeoColomb pushed a commit to Malvoz/server-configs-apache that referenced this issue Mar 23, 2019
LeoColomb added a commit that referenced this issue Mar 26, 2019
Fix #156

Co-authored-by: Léo Colombaro <git@colombaro.fr>
Co-authored-by:  <xhmikosr@gmail.com>