Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable content security policy in report-only mode #6642

Merged
merged 1 commit into from
Feb 20, 2020
Merged

Enable content security policy in report-only mode #6642

merged 1 commit into from
Feb 20, 2020

Conversation

davidfischer
Copy link
Contributor

@davidfischer davidfischer commented Feb 10, 2020
edited
Loading

Content security policy is a security measure that sites can opt into by sending a configurable HTTP header. When a site is really locked down, this can prevent most XSS attacks by restricting inline JS completely or restricting the origins where scripts may be loaded from or send data to.

Getting there will be hard and this is just a very first step in that process. This change:

  • Enables CSP in report-only mode. It will not actually block anything. Violations will be noted to the browser console. In prod, violations can be reported to Sentry if CSP_REPORT_URI is configured (the reporting is done by the browser, not some task in our code).
  • If CSP were not in report-only mode, the current settings would prevent
    • framing the site (already prevented with x-frame-options)
    • embedding any applets, objects, or embeds
    • blocking any mixed content (loading styles over HTTP while the main site is HTTPS)
  • This applies only to the core site, not to any documentation sites.

This change can create a feedback loop where we can slowly add policies, fix any issues we see from those policies reported to Sentry from production, and then ensure there's no fallout from those policies. When we are happy with our settings, we can switch from report-only to actually enforce the policy.

Ref #2793

@davidfischer
Enable content security policy in report-only mode
8271501 
- If CSP were not in report-only mode, this would prevent
  * framing the site (already prevented with x-frame-options)
  * embedding any applets, objects, or embeds
  * block any mixed content
- Instead violations of these policies will be reported.
  They can be reported to Sentry if CSP_REPORT_URI is configured
@davidfischer davidfischer requested a review from a team February 10, 2020 17:36
ericholscher
ericholscher approved these changes Feb 12, 2020
View reviewed changes
Copy link
Member

@ericholscher ericholscher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. 👍

humitos
humitos approved these changes Feb 19, 2020
View reviewed changes
Copy link
Member

@humitos humitos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@davidfischer davidfischer merged commit 07f70f0 into master Feb 20, 2020
@davidfischer davidfischer deleted the davidfischer/content-security-policy-reporting branch February 20, 2020 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@humitos humitos humitos approved these changes

@ericholscher ericholscher ericholscher approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@davidfischer @ericholscher @humitos