CSP from pentests #4123

himadrisingh · 2024-02-21T12:34:27Z

No description provided.

ericpgreen2 · 2024-02-21T22:36:53Z

netlify.toml

 [[headers]]
  for = "/*"
  [headers.values]
-    Content-Security-Policy = "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data: blob:; frame-ancestors *"
+    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src https:; img-src https: data: blob:; frame-ancestors *; object-src 'none'; connect-src https:; require-trusted-types-for 'script'"


From the SvelteKit docs:

Is thr a way to generate nonce for the script-src, style 'unsafe-inline' can work.

Given we're building a static site, we should use hashes not nonces. Leaving the blog post I shared with you here for us to come back to later: https://dev.to/askrodney/sveltekit-content-security-policy-csp-for-xss-protection-589k

netlify.toml

web-admin/package.json

package-lock.json

.github/workflows/rill-ui.yml

Kavinjsir

Looks good to me!
Perhaps in the future we might try adjusting unsafe-inline if necessary.

ericpgreen2

Added a couple questions but looks good!

ericpgreen2 · 2024-02-26T23:55:48Z

netlify.toml

+    Cross-Origin-Embedder-Policy = "credentialless"
+    Cross-Origin-Opener-Policy = "unsafe-none"
+    Cross-Origin-Resource-Policy = "cross-origin"
+    X-Frame-Options = "allow-from *"


Do we need this X-Frame-Options? This ChatGPT convo implies allow-from doesn't support wildcards and the Mozilla docs say the allow-from directive is deprecated.

yeah, but somehow https://securityheaders.com/?q=ui.rilldata.in&followRedirects=on gives it a green :P

ericpgreen2 · 2024-02-27T00:21:02Z

netlify.toml

@@ -2,7 +2,11 @@
 [[headers]]
  for = "/*"
  [headers.values]
-    Content-Security-Policy = "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data: blob:; frame-ancestors *"
+    Content-Security-Policy = "default-src 'self'; script-src 'self' https: 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data: blob:; frame-src data:; frame-ancestors *; object-src 'none'; connect-src https:;"


What's the point of frame-src data:;? What iframe is that meant to accommodate? ChatGPT called it out as being uncommon:

Was getting Refused to frame '' because it violates the following Content Security Policy directive
https://serverfault.com/questions/945834/refused-to-frame-because-it-violates-the-following-content-security-policy-di suggested data: and it worked!

* CSP from pentests

CSP from pentests

bb035e1

himadrisingh self-assigned this Feb 21, 2024

himadrisingh marked this pull request as draft February 21, 2024 12:34

himadrisingh added 2 commits February 21, 2024 18:05

Update rill-ui.yml

8c8a0d2

Update rill-ui.yml

d82e0bf

github-actions bot temporarily deployed to production February 21, 2024 12:38 Inactive

Update netlify.toml

c322668

github-actions bot temporarily deployed to production February 21, 2024 12:42 Inactive

himadrisingh added 2 commits February 21, 2024 18:14

Update netlify.toml

9f59241

Update netlify.toml

e2063bb

github-actions bot temporarily deployed to production February 21, 2024 12:47 Inactive

Update netlify.toml

f94f521

github-actions bot temporarily deployed to production February 21, 2024 12:53 Inactive

nonce

dbc8eb3

github-actions bot temporarily deployed to production February 21, 2024 13:00 Inactive

Update netlify.toml

2a73317

github-actions bot temporarily deployed to production February 21, 2024 13:04 Inactive

Update netlify.toml

60138ba

github-actions bot temporarily deployed to production February 21, 2024 13:09 Inactive

dev dep

5945bd0

github-actions bot temporarily deployed to production February 21, 2024 13:19 Inactive

ericpgreen2 reviewed Feb 21, 2024

View reviewed changes