🌐 Website Issue | CSP (Security) Improvements #801
Reference: privacyguides/privacytools.io#801
Description
We've re-enabled (#303) the Content Security Policy header on the site in the server settings with the following settings:
This is generally a good configuration; we now pass Mozilla Observatory's test, but there are some improvements that could be made:

Ideally we would remove `'unsafe-inline'` from `style-src` to only allow CSS loaded from trusted pages rather than in the HTML itself. We can't do this however because we have some inline style tags that would break (`assets/css/style.scss`).

We should also strive to have `default-src` set to `'none'`. This is probably doable right now, but more testing needs to be done.

The hamburger icon on the mobile layout in the navbar is the reason I needed to include `data:` as an image source. Unfortunately that's relatively unsafe.

I needed to include `'sha256-hUlNBcv+Trdlc6g1XjFLvylOaIBXEqPNHfXANcRQ0SA=' 'sha256-r2NDpHpWNsnqUZmiRtaHj7dBgoEHP37PPZQvDvILaTQ='` to allow two of our inline JavaScript scripts to run, as an alternative to allowing `'unsafe-inline'` to run JavaScript. This is fine but it means we cannot change these two scripts without modifying the server settings (because their hashes are hard coded in the header):

- `767be34f55/_includes/scripts.html` (L5-L15)
- `767be34f55/_includes/scripts.html` (L24-L36)

This is probably no big deal, but a better solution would be to:
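As an added example (not code from the privacytools.io repository), the checks this issue walks through, in Python: computing the `'sha256-…'` source expression for an inline script, and auditing a header for `default-src 'none'`, `'unsafe-inline'` in `style-src`, `data:` in `img-src`, and hash-pinned scripts. The sample header is constructed from the description above, since the actual server settings are not reproduced on the page; the two hashes are the ones quoted in the issue.

```python
import base64
import hashlib

# Constructed from the issue's description (the real header is not on the page):
# default-src 'none', the two pinned script hashes quoted in the issue,
# 'unsafe-inline' styles and data: images for the hamburger icon.
EXAMPLE_HEADER = (
    "default-src 'none'; "
    "script-src 'self' 'sha256-hUlNBcv+Trdlc6g1XjFLvylOaIBXEqPNHfXANcRQ0SA=' "
    "'sha256-r2NDpHpWNsnqUZmiRtaHj7dBgoEHP37PPZQvDvILaTQ='; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
    "font-src 'self'; manifest-src 'self'"
)

def csp_hash(inline_source: str) -> str:
    """CSP source expression for an inline <script>/<style> body: the digest
    covers the exact text between the tags, so any edit invalidates the pin."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header: str) -> list:
    """Return findings for the weaknesses discussed in the issue."""
    policy = parse_csp(header)
    default = policy.get("default-src")
    findings = []
    if default != ["'none'"]:
        findings.append("default-src is not 'none': unlisted fetch directives fall open")
    def effective(directive):  # fetch directives inherit default-src when absent
        return policy.get(directive, default or [])
    if "'unsafe-inline'" in effective("style-src"):
        findings.append("style-src allows 'unsafe-inline': inline CSS is not limited to trusted files")
    if "data:" in effective("img-src"):
        findings.append("img-src allows data: URIs: inline image payloads bypass origin checks")
    pinned = [s for s in effective("script-src") if s.startswith("'sha256-")]
    if pinned:
        findings.append(f"script-src pins {len(pinned)} inline script hash(es): "
                        "editing those scripts means updating the server header too")
    return findings
```

Running `audit_csp(EXAMPLE_HEADER)` reports exactly the three remaining concerns from the description, and `csp_hash()` on the text of an `_includes/scripts.html` block reproduces the value that has to be placed in the header.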
Adding `font-src 'self'; manifest-src 'self';` allows us to set `default-src 'none';` so I've gone ahead and done that. Since we've defined pretty much everything else now there shouldn't be any future drawbacks to having it set to `'none'`.

Is this still an issue @jonah ?
Bump @jonaharagon
What happened to this? @JonahAragon