-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify CSP header recommendations for non-HTML pages #520
Comments
It's applicable to all workers and I think it has an effect on all resources with respect to cookies actually (although I don't recall the directive for that). Furthermore, given that you can navigate to any resource and turn it into a document that way, it probably makes sense to just use it everywhere. Otherwise someone could navigate an |
There's little documentation on which resources we should respond with a CSP, while we could send it for everything - concerns are "how much “bloat” it will add" (header bloat). Currently webhint.io The "Workers & CSP" relation is documented here: @annevk not narrowing this down to CSP, do you think spec editors are willing specify to which MIME-type any respective HTTP header applies to? |
How is it redundant for Also, that ignores workers, which use a JavaScript MIME type (typically). |
I think that CSP for non-HTML resources is something that just hasn't been decided yet. According to https://pdfium.googlesource.com/pdfium/+/master/README.md, pdfium (Chrome's PDF viewer) may be built with JS support so IMO it would be good for it to honor CSP when rendering PDFs. (I myself have run into cases where the lack of JS support for PDFs has caused real inconvenience.) More generally, I would say that browsers should pass the If you think that If there is no Content-Type then browsers will do sniffing (sometimes). Thus you should generally assume the worst when there is no Content-Type header field. Thus |
Related issue w3c/webappsec-csp#336. |
Per @briansmith's recommendation of
As |
- For all requests other than our HTML entrypoints and the playground worker script, serve a super strict policy, just in case a response that shouldn't normally allow any code execution somehow actually does. Based on [this](w3c/webappsec#520 (comment)) and [this](webhintio/hint#3403 (comment)) comment. - Add some directives that I found through https://csp-evaluator.withgoogle.com/ and [this comment](w3c/webappsec#520 (comment)). - Temporary fix for inline Google Analytics script which was being reported as a violation. See #531 for details. Will fix properly in followup.
Edge's developer tools currently flags CSP headers on most non-HTML files as a performance issue, referencing the same webhint |
On a related note, not supporting CSP headers is marked as a security issue of 'medium severity' by vulnerability scanners. There is a higher level of maturity now for CSP because it's in fetch. The lack of CSP support is very visibly felt.
…On Mon, Aug 19, 2024 at 7:10 AM Guillaume Fortin-Debigaré < ***@***.***> wrote:
Edge's developer tools currently flags CSP headers on most non-HTML files
as a performance issue, referencing the same webhint no-html-only-headers
rule mentioned in #520 (comment)
<#520 (comment)>. I'm
not sure if this is a good recommendation due to the reasons @briansmith
<https://github.com/briansmith> previously listed. It may be worth
revisiting this issue sooner rather than later to prevent the spread of
misinformation one way or the other.
—
Reply to this email directly, view it on GitHub
<#520 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/BJUZPPYW5UTECCFNMK5W2HTZSFEKFAVCNFSM6AAAAABMW4FT2KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEOJVGUYTCNRZHE>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
As some application security vendors started checking for the presence of the CSP header and raise lack of it as an issue, I think it's necessary to clarify when precisely for which resources it's really recommended to return CSP header. As it seems to me, the CSP is only meaningful for
text/html
documents since they are the original place where all the resources regulated by a CSP (CSS, images, script etc) are referred from.The CSP header delivery is discussed in paragraph 3 of the CSP3 draft and the applicability to HTML documents is kind of implied by the alternative delivery via
<meta>
but never stated explicitly.The text was updated successfully, but these errors were encountered: