@driusan driusan commented Sep 24, 2021

This adds two more CSP directives that are defined in CSP Level 3.
(See: https://w3c.github.io/webappsec-csp/)

`frame-ancestors: 'none'` prevents LORIS from being embedded in an
iframe. This prevents the class of attacks where a third party embeds
the page in an iframe, but covers it with an invisible div to intercept
clicks or other interactions.

`form-action: self` prevents forms from submitting data to a target that
is off-site.

Testing Instructions

  1. Embed your LORIS instance in an off-site page such as

    <html>
        <body>
            <iframe src="http://localhost:8000"></iframe>
        </body>
    </html>
    
  2. Access that page; you should get a security warning instead of an embedded version of your LORIS instance
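The two directives above are only as good as the source list they carry. As an added example (not LORIS code), the snippet below parses a Content-Security-Policy header and evaluates `frame-ancestors` and `form-action` the way a browser would for a given embedding origin or form target; the header syntax it assumes is the spec's `directive source-list; ...` form with keywords single-quoted (an unquoted `self` is a host named "self", not the keyword), and the sample policy and origin are constructed.

```python
from urllib.parse import urlparse

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}.
    Directive names are case-insensitive; a repeated directive is ignored
    (the first occurrence wins, as the spec requires)."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one source expression against url. Handles the subset a typical
    policy uses: 'none', 'self', *, scheme-source ("https:") and host-source
    ("example.org", "*.example.org", "https://cdn.example.org:8443").
    Simplifications vs the spec: default ports and the http->https upgrade
    rule are not modelled."""
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    u, p = urlparse(url), urlparse(page_origin)
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.endswith(":"):
        return u.scheme == expr[:-1].lower()
    # Anything else (including an unquoted "self") is a host-source.
    e = urlparse(expr if "://" in expr else "//" + expr, scheme=u.scheme)
    if e.scheme.lower() != u.scheme:
        return False
    host, target = e.hostname or "", u.hostname or ""
    host_ok = target.endswith(host[1:]) if host.startswith("*.") else target == host
    port_ok = e.port is None or e.port == u.port
    return host_ok and port_ok

def allows(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    """True if the policy permits url for the directive. An absent directive
    imposes no restriction; neither frame-ancestors nor form-action falls
    back to default-src."""
    sources = policy.get(directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

# Constructed sample: the header this pull request adds, in spec syntax
# (no colon after the directive name, keywords quoted), for a local LORIS.
PR_POLICY = "frame-ancestors 'none'; form-action 'self'"
LORIS_ORIGIN = "http://localhost:8000"
```

Running `allows(parse_csp(PR_POLICY), "frame-ancestors", "http://attacker.example", LORIS_ORIGIN)` reproduces the blocked embed from the testing instructions, and the same call with `"form-action"` and an off-site URL shows the second directive refusing the submission.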

@driusan driusan changed the base branch from main to 23.0-release September 24, 2021 13:36
@driusan driusan added Release: Add to release notes PR whose changes should be highlighted in the release notes Category: Security PR or issue that aims to improve security labels Sep 24, 2021
@driusan driusan added the State: Blocked PR or issue awaiting an external event such as the merge or another PR to proceed label Sep 24, 2021
@driusan driusan removed the State: Blocked PR or issue awaiting an external event such as the merge or another PR to proceed label Sep 24, 2021
@driusan driusan merged commit 82b5046 into aces:23.0-release Sep 27, 2021
@ridz1208 ridz1208 added this to the 23.0.7 milestone Sep 30, 2021
@ridz1208 ridz1208 modified the milestones: 23.0.7, 23.0.8 Oct 19, 2021