Adding a Content Security Policy and Referrer Policy to index.html #277

Merged
C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N merged 3 commits from patch-2 into master 2017-07-17 19:42:32 +00:00
C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 17:37:13 +00:00 (Migrated from github.com)

Description

Adding a Content Security Policy, which you can read about [here](https://scotthelme.co.uk/content-security-policy-an-introduction/), and for implementing it on [GitHub pages](https://qszhuan.github.io/technology/2015/08/12/add_csp_to_github_blog).

```
<meta http-equiv='Content-Security-Policy' content="Content-Security-Policy: default-src 'none'; script-src https://privacytoolsio.github.io"; style-src 'unsafe-inline'>
```

Referrer policy (see [here](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Referrer_Policy)):

```
<meta http-equiv="Referrer-Policy" content="no-referrer">
```

HTML Preview

http://htmlpreview.github.io/?https://github.com/C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N/privacytools.io/blob/patch-2/index.html

kewde commented 2017-07-17 19:05:12 +00:00 (Migrated from github.com)

We don't offer dynamic content of any form or shape so XSS isn't a worry.
These tags certainly won't hurt, so I will be adding them, checking this now.

Thank you!

kewde commented 2017-07-17 19:08:41 +00:00 (Migrated from github.com)

We can potentially force this to load scripts over https by having the default-src set to https:?

```
<meta http-equiv='Content-Security-Policy' content="Content-Security-Policy: default-src https:; script-src https://privacytoolsio.github.io"; style-src 'unsafe-inline'>
```

What do you think?

C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 19:30:48 +00:00 (Migrated from github.com)

@kewde
Aren't all scripts that are loaded from https://privacytoolsio.github.io only?

kewde commented 2017-07-17 19:34:14 +00:00 (Migrated from github.com)

@C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N
I assume it to behave like that due to the https redirect, but adding it to the CSP rule wouldn't hurt either..

ghost commented 2017-07-17 19:36:21 +00:00 (Migrated from github.com)

Might even improve some security ratings? Not sure whether they take HTML headers into account as well, but yeah, won't hurt.

jonah approved these changes 2017-07-17 19:36:28 +00:00
kewde (Migrated from github.com) approved these changes 2017-07-17 19:41:43 +00:00
C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 19:49:06 +00:00 (Migrated from github.com)

@kewde
There seems to be an issue with your change, https://privacytoolsio.github.io/privacytools.io/password no longer works and I get:

```
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://privacytoolsio.github.io”). Source: onfocusin attribute on DIV element.  privacytools.io
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://privacytoolsio.github.io”). Source: 
		$(function() {
			$("[data-toggle='to....  privacytools.io:3068
Content Security Policy: Couldn’t process unknown directive ‘Content-Security-Policy:’ (unknown)
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://privacytoolsio.github.io”). Source: onclick attribute on INPUT element.  password
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://privacytoolsio.github.io”). Source: onfocusin attribute on DIV element.  password
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://privacytoolsio.github.io”). Source: 
    var passwordGenerator = (function()....
```

in the browser console.

Didn't test but this may solve the problem according to [here](https://scotthelme.co.uk/content-security-policy-an-introduction/),

```
<meta http-equiv='Content-Security-Policy' content="Content-Security-Policy: default-src https:; script-src https://privacytoolsio.github.io http://privacytoolsio.github.io"; style-src 'unsafe-inline'>
```
ghost commented 2017-07-17 19:54:33 +00:00 (Migrated from github.com)

Also some inline script in index.html is broken.

kewde commented 2017-07-17 20:02:55 +00:00 (Migrated from github.com)

I've reverted this for now, will push the new changes.

kewde commented 2017-07-17 20:12:07 +00:00 (Migrated from github.com)

@Shifterovich I removed the inline script blocker
@C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N I added the http url too, can you check?

Commit https://github.com/privacytoolsIO/privacytools.io/commit/c550bddc97d1d35434cb5485c34bae29ed5ad028

ghost commented 2017-07-17 20:15:48 +00:00 (Migrated from github.com)

**Unrecognized Content-Security-Policy directive 'Content-Security-Policy:'.**

**privacytoolsio.github.io/:3068**

```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://privacytoolsio.github.io http://privacytoolsio.github.io". Either the 'unsafe-inline' keyword, a hash ('sha256-YGV9MIL1c0rkSok/aWLbfjEHkctcp8JgNYrCgrweuBo='), or a nonce ('nonce-...') is required to enable inline execution.
```

A solution: Make it a separate file.

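Added example (not code from the PR or from the privacytools.io site): a small Python linter that tokenises a meta-tag `content` value the way the browser does, reproduces the "unknown directive" error caused by pasting the header name into the value, and shows the hash source that the console message above offers as the alternative to `'unsafe-inline'`. The policy strings are the ones quoted in this thread; the set of known directives and the inline script body are constructed for the example.

```python
import base64
import hashlib

# Directives this linter knows (a subset of CSP Level 2; the set is an assumption of this example).
KNOWN_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "frame-src", "base-uri", "form-action"}


def parse_csp(content):
    """Tokenise a CSP value into {directive: [sources]}: split on ';', first token names the directive."""
    policy = {}
    for part in content.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # a repeated directive is ignored, as in browsers
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(content):
    """Return a list of problems found in the policy string; an empty list means none were caught."""
    policy = parse_csp(content)
    issues = []
    for name in policy:
        if name not in KNOWN_DIRECTIVES:
            # Pasting the header name into the meta content makes 'content-security-policy:' the
            # first token, so it is read as a directive and swallows the real directive behind it.
            issues.append(f"unknown directive '{name}' (the directive written after it is lost)")
    if "default-src" not in policy:
        issues.append("no default-src: fetches not covered by another directive are unrestricted")
    for name in ("script-src", "style-src"):
        if "'unsafe-inline'" in policy.get(name, []):
            issues.append(f"{name} allows 'unsafe-inline'; prefer hashes or external files")
    return issues


def csp_sha256(script_text):
    """Hash source for an inline <script> body: base64 of the SHA-256 of the exact script text."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(content, script_text):
    """Decide, as a browser would, whether an inline script may run under script-src (else default-src)."""
    policy = parse_csp(content)
    sources = policy.get("script-src", policy.get("default-src", []))
    has_hash_or_nonce = any(s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:  # CSP2: hashes/nonces disable 'unsafe-inline'
        return True
    return csp_sha256(script_text) in sources
```

Running `lint_csp` on the policy from the PR description reports the stray `content-security-policy:` directive and the resulting loss of `default-src 'none'`; `csp_sha256` gives the value to put in `script-src` if the inline script is kept rather than moved to a separate file.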
C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 20:16:15 +00:00 (Migrated from github.com)

@kewde Please fix the error at the end of the line `github.io";>` to `github.io;">`

kewde commented 2017-07-17 20:16:37 +00:00 (Migrated from github.com)

@C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N just noticed it too 👍

kewde commented 2017-07-17 20:17:34 +00:00 (Migrated from github.com)

Argh, I removed the flag for 'unsafe-inline', it was supposed to stay.

kewde commented 2017-07-17 20:21:33 +00:00 (Migrated from github.com)

https://github.com/privacytoolsIO/privacytools.io/commit/8fb2af397122d86304aee4f0124c60c1ecad6d6e

Please check index again, and let me know if it's okay now. I'll fix the other pages accordingly!

C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 20:24:44 +00:00 (Migrated from github.com)

@kewde Ok just use `default-src https:; script-src https://privacytoolsio.github.io http://privacytoolsio.github.io` without style-src unsafe-inline

ghost commented 2017-07-17 20:24:55 +00:00 (Migrated from github.com)

![photo_2017-07-17_22-23-11](https://user-images.githubusercontent.com/4354706/28288198-b6bff13c-6b3e-11e7-9c48-9497e37a742d.jpg)
ghost commented 2017-07-17 20:25:37 +00:00 (Migrated from github.com)

Starting to reconsider the "won't hurt". :P

kewde commented 2017-07-17 20:26:41 +00:00 (Migrated from github.com)

@Shifterovich lol, you're not alone hehe.

We need

style-src 'unsafe-inline'

for the inline CSS & JS to work.

kewde commented 2017-07-17 20:33:59 +00:00 (Migrated from github.com)

@Shifterovich
I've added the 'self' tag, which is required.

style-src 'self' 'unsafe-inline'

I think it should be good now?

ghost commented 2017-07-17 20:39:36 +00:00 (Migrated from github.com)

**Unrecognized Content-Security-Policy directive 'Content-Security-Policy:'.**

**privacytoolsio.github.io/:3068**

```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://privacytoolsio.github.io http://privacytoolsio.github.io". Either the 'unsafe-inline' keyword, a hash ('sha256-YGV9MIL1c0rkSok/aWLbfjEHkctcp8JgNYrCgrweuBo='), or a nonce ('nonce-...') is required to enable inline execution.
```

kewde commented 2017-07-17 20:43:47 +00:00 (Migrated from github.com)

Hmm, try CTRL + F5, there might be an issue with your cache. The CTRL will force new content on refresh.

ghost commented 2017-07-17 20:45:18 +00:00 (Migrated from github.com)

Tried even incognito mode, didn't help.

C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 21:03:46 +00:00 (Migrated from github.com)

@Shifterovich @kewde
I didn't get any errors, seems to be working. Tor Browser here.

C-O-M-P-A-R-T-M-E-N-T-A-L-I-Z-A-T-I-O-N commented 2017-07-17 21:11:22 +00:00 (Migrated from github.com)

@kewde Don't forget to add it to the other pages.

kewde commented 2017-07-17 23:00:24 +00:00 (Migrated from github.com)

I'm not getting errors on the tor browser either, but my firefox on the other hand..

kewde commented 2017-07-17 23:04:29 +00:00 (Migrated from github.com)

I'm currently going to add this to the other pages, the website still works but some content is being blocked, I wonder if we have any external content on our website?

Reference: privacyguides/privacytools.io#277