WriteFreely is not CSP friendly #332
Comments
I suggest:
Note: that goes against other recommendations of reducing the number of HTTP requests for the sake of performance.
Hey together, what do people from WriteFreely think about that issue? Gordon :)
[0] https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/
Another idea might be for writefreely to serve its own CSP header, so serving hashes could be possible.
And by the way, in regard to the performance problem when extracting the inline JavaScript to a separate file, serving content via HTTP/2, which multiplexes multiple HTTP requests into one TCP connection, may also be a solution.
Thanks for starting the discussion on this, @Crocmagnon. I think the "hash-source" method @gordon-shumway-net mentioned could definitely work for us, without involving a ton of extra work. But I think for us to do this well, we'll need to make it configurable, to allow a range of uses from: doesn't matter to minimally customized to fully customized. I think there are also two sides to this: the author / admin side and the reader side. The admin side should be simpler to protect, but the reader side will need to e.g. allow different external scripts, etc. Since this is more of an involved improvement, I think we need to scope out the work, figure out how we'll make it configurable, and then find developers who would be interested in building this. So I'll close this as a bug report and move it to a discussion.
Actually, GitHub discussions doesn't seem to work the way I'd like, so we'll move this discussion to our forum, like usual: https://discuss.write.as/t/content-security-policy-csp-support/3026 |
Describe the bug
A strict Content-Security-Policy looks like this:
This prevents execution of inline scripts and styles which WriteFreely uses.
Steps to reproduce (if necessary)
1. Content-Security-Policy with the value default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' (added the font-src)
2. a. Custom CSS doesn't load because it's inline
   b. Some scripts don't load because they're inline
Expected behavior
WriteFreely should be CSP-friendly and fully work with a strict CSP enabled. This would reduce attack surface for things like XSS.
Workaround
We currently have to include unsafe-inline in the styles and script sources, which is considered unsafe by organizations like Mozilla.
font-src is required to load fonts.
connect-src is required to publish drafts and posts at least.
Application configuration
Version or last commit: v0.12.0-2-g037fc40
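The following Go program is an added example, not WriteFreely code, illustrating the two ideas in this thread together: the strict policy from the bug description and the "hash-source" approach raised in the comments, where the application serves its own Content-Security-Policy header carrying SHA-256 hashes of its inline blocks instead of unsafe-inline. The sample HTML is constructed for the example; the regex-based tag scanning is a simplification (a real implementation would hash the known template fragments at render time), and the function and variable names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// samplePage is a constructed stand-in for a rendered WriteFreely page; it is
// not real WriteFreely template output. It carries one inline style (custom
// CSS), one inline script, and one external script that must NOT be hashed.
const samplePage = `<!DOCTYPE html>
<html><head>
<style>body { font-family: serif; }</style>
<script src="/js/app.js"></script>
<script>document.documentElement.classList.add("js");</script>
</head><body></body></html>`

// Minimal tag matchers for the example; a real implementation would hash the
// template fragments at render time instead of regex-scanning finished HTML.
var (
	scriptRe = regexp.MustCompile(`(?s)<script([^>]*)>(.*?)</script>`)
	styleRe  = regexp.MustCompile(`(?s)<style([^>]*)>(.*?)</style>`)
)

// HashSource returns the CSP hash-source for one inline block. Browsers hash
// the exact bytes between the opening and closing tag, so the content is
// passed through untrimmed: any whitespace change in the template invalidates
// the hash, which is why it should be generated, not copied by hand.
func HashSource(content string) string {
	sum := sha256.Sum256([]byte(content))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// inlineHashes collects hash-sources for every inline <script> or <style>
// block, skipping external ones (those with a src attribute) and empty ones.
func inlineHashes(re *regexp.Regexp, html string) []string {
	var out []string
	for _, m := range re.FindAllStringSubmatch(html, -1) {
		attrs, body := m[1], m[2]
		if strings.Contains(attrs, "src=") || body == "" {
			continue
		}
		out = append(out, HashSource(body))
	}
	return out
}

// BuildCSP produces a policy in the shape of the strict one from the bug
// report, with the inline blocks allowed by hash instead of 'unsafe-inline'.
// connect-src 'self' is included because the workaround notes that publishing
// drafts and posts needs it.
func BuildCSP(html string) string {
	scriptSrc := append([]string{"'self'"}, inlineHashes(scriptRe, html)...)
	styleSrc := append([]string{"'self'"}, inlineHashes(styleRe, html)...)
	return strings.Join([]string{
		"default-src 'none'",
		"img-src 'self'",
		"script-src " + strings.Join(scriptSrc, " "),
		"style-src " + strings.Join(styleSrc, " "),
		"font-src 'self'",
		"connect-src 'self'",
	}, "; ")
}

func main() {
	fmt.Println("Content-Security-Policy: " + BuildCSP(samplePage))
}
```

Two points worth knowing when rolling this out: a browser that understands hash-sources ignores unsafe-inline in a directive that also carries a hash, so the two can coexist while older clients are still supported; and element hashes only cover script and style elements, not inline event-handler or style attributes, which under CSP Level 3 additionally require 'unsafe-hashes' (or, better, moving that code into the hashed blocks).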