Adding a Content Security Policy and Referrer Policy to index.html #277
Reference: privacyguides/privacytools.io#277
Description
Adding a Content Security Policy, which you can read about here, and for implementing it on GitHub pages.
Referrer policy (see here):
HTML Preview
http://htmlpreview.github.io/?https://github.com/C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N/privacytools.io/blob/patch-2/index.html
We don't offer dynamic content of any form or shape so XSS isn't a worry.
These tags certainly won't hurt, so I will be adding them, checking this now.
Thank you!
We can potentially force this to load scripts over https by having the default-src set to https:?
<meta http-equiv='Content-Security-Policy' content="Content-Security-Policy: default-src https:; script-src https://privacytoolsio.github.io"; style-src 'unsafe-inline'>
What do you think?
@kewde
Aren't all scripts that are loaded from https://privacytoolsio.github.io only?
@C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N
I assume it to behave like that due to the https redirect, but adding it to the CSP rule wouldn't hurt either.
Might even improve some security ratings? Not sure whether they take HTML headers into account as well, but yeah, won't hurt.
@kewde
There seems to be an issue with your change, https://privacytoolsio.github.io/privacytools.io/password no longer works and I get:
in the browser console.
Didn't test but this may solve the problem according to here,
Also some inline script in index.html is broken.
I've reverted this for now, will push the new changes.
@Shifterovich I removed the inline script blocker
@C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N I added the http url too, can you check?
Commit
c550bddc97
Unrecognized Content-Security-Policy directive 'Content-Security-Policy:'.
privacytoolsio.github.io/:3068
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://privacytoolsio.github.io http://privacytoolsio.github.io". Either the 'unsafe-inline' keyword, a hash ('sha256-YGV9MIL1c0rkSok/aWLbfjEHkctcp8JgNYrCgrweuBo='), or a nonce ('nonce-...') is required to enable inline execution.
A solution: Make it a separate file.
@kewde Please fix the error at the end of the line: github.io";> to github.io;">
@C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N just noticed it too 👍
Argh, I removed the flag for 'unsafe-inline', it was supposed to stay.
8fb2af3971
Please check index again, and let me know if it's okay now. I'll fix the other pages accordingly!
@kewde Ok just use
default-src https:; script-src https://privacytoolsio.github.io http://privacytoolsio.github.io
without style-src unsafe-inline
Starting to reconsider the "won't hurt". :P
@Shifterovich lol, you're not alone hehe.
We need
for the inline CSS & JS to work.
@Shifterovich
I've added the 'self' tag, which is required.
I think it should be good now?
Unrecognized Content-Security-Policy directive 'Content-Security-Policy:'.
privacytoolsio.github.io/:3068
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://privacytoolsio.github.io http://privacytoolsio.github.io". Either the 'unsafe-inline' keyword, a hash ('sha256-YGV9MIL1c0rkSok/aWLbfjEHkctcp8JgNYrCgrweuBo='), or a nonce ('nonce-...') is required to enable inline execution.
Hmm, try CTRL + F5, there might be an issue with your cache. The CTRL will force new content on refresh.
Tried even incognito mode, didn't help.
@Shifterovich @kewde
I didn't get any errors, seems to be working. Tor Browser here.
@kewde Don't forget to add it to the other pages.
I'm not getting errors on the tor browser either, but my firefox on the other hand..
I'm currently going to add this to the other pages, the website still works but some content is being blocked, I wonder if we have any external content on our website?