Skip to content

Embed CSP meta tag and stop using script-src unsafe-inline#12258

Merged
t3chguy merged 5 commits intodevelopfrom
t3chguy/csp
Feb 6, 2020
Merged

Embed CSP meta tag and stop using script-src unsafe-inline#12258
t3chguy merged 5 commits intodevelopfrom
t3chguy/csp

Conversation

@t3chguy
Copy link
Copy Markdown
Member

@t3chguy t3chguy commented Feb 5, 2020

Fixes #3632

@t3chguy t3chguy requested a review from a team February 5, 2020 20:01
@jryans jryans requested review from jryans and removed request for a team February 6, 2020 09:37
jryans
jryans requested changes Feb 6, 2020
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jryans jryans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great overall!

Please file a new issue for the unsafe-eval if we don't have one already (I'd like to use something separate from #3632 at least).

Thanks also for the font-src fix, and splitting child-src to frame-src and worker-src.

Safari doesn't yet support worker-src... Maybe it's best to keep child-src for older browsers, but also have frame-src and worker-src for newer ones?

Comment thread src/vector/index.html Outdated
Comment thread src/vector/index.html Outdated
t3chguy and others added 2 commits February 6, 2020 11:52
@t3chguy
re-add child-src as the common ancestor of worker-src and frame-src f…
7d68c2c 
…or backwards compat and split onto multiple lines for readability

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
@t3chguy @jryans
Update src/vector/index.html
3a5a904 
Co-Authored-By: J. Ryan Stinnett <jryans@gmail.com>
@t3chguy t3chguy requested a review from jryans February 6, 2020 11:54
@stoically
Copy link
Copy Markdown

stoically commented Feb 6, 2020
edited
Loading

Slightly off-topic, just in case someone wonders (like I did) what happens if CSP is defined as HTTP header and meta tag (which probably happens for self-hosted riot instances with CSP via HTTP header with this change):

the browser uses the most-restrictive CSP directives, wherever they’re specified

https://stackoverflow.com/a/51153816

@jryans
Copy link
Copy Markdown
Collaborator

jryans commented Feb 6, 2020

the browser uses the most-restrictive CSP directives, wherever they’re specified

Right, we'll remove the HTTP specified ones once this PR has been deployed to release.

jryans
jryans approved these changes Feb 6, 2020
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jryans jryans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks! 😁

@t3chguy t3chguy merged commit eb62972 into develop Feb 6, 2020
rugk
rugk reviewed Feb 9, 2020
View reviewed changes
Comment thread src/vector/index.html
default-src 'none';
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-eval' https://www.recaptcha.net https://www.gstatic.com;
img-src * blob: data:;
Copy link
Copy Markdown
Contributor

@rugk rugk Feb 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why img-src *?

At the time I've suggested one it did seem to work without that (in my tests). Maybe I did not use/test some third-party image embedding loading?

That said, loading images directly from third-party servers may/should possibly be avoided due to privacy concerns, should not it?

Copy link
Copy Markdown
Member Author

@t3chguy t3chguy Feb 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was copied from the CSP header served at riot.im/app
I did not evaluate img-src, feel free to open an issue for it

Copy link
Copy Markdown
Contributor

@rugk rugk Feb 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done: #12304

@rugk rugk mentioned this pull request Feb 10, 2020
Closed
@t3chguy t3chguy deleted the t3chguy/csp branch May 12, 2022 09:07
t3chguy added a commit that referenced this pull request Oct 17, 2024
@t3chguy
Saner releases clean up (#12258)
c71b8fd 
* Remove allchange dependency

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Remove stale release scripts

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Update pull request template to remove allchange behaviours

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jryans jryans jryans approved these changes

+1 more reviewer

@rugk rugk rugk left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enable strict CSP headers to sandbox against any possible XSS

4 participants

@t3chguy @stoically @jryans @rugk