Opened 4 years ago

Last modified 3 years ago

#5405 new enhancement

Content Security Policy

Reported by: Matt Molyneaux
Owned by:
Priority: minor
Milestone:
Component: programming
Keywords: small
Cc:
Parent Tickets:

Description

CSP (Content Security Policy) is notably missing from MediaGoblin.

This will add an additional layer of security should a user be able to bypass comment sanitisation (or the blogging plugin) and add some hostile JS to their content.

At the very least, we should use this to limit JS to the host the static assets are on.

Will be kinda tricky to implement in such a way that it won't cause issues when deploying - especially for novice users.


Change History (3)

comment:1 Changed 3 years ago by Ben Sturmfels

Summary: CSP → Content Security Policy
Type: defect → enhancement

Hi moggers87,

This sounds like a great suggestion. We could do this either in the Nginx deployment example, or by adding the header to the text/html HTTP responses created by MediaGoblin.

Header would look like this:

Content-Security-Policy: script-src 'self' 'unsafe-inline'

For Nginx, the directive would be:

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";

Nginx would be the simplest change (just docs), and you can then be confident that it applies to the whole site. Any thoughts?

Cheers,
Ben
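The second option above, setting the header from the application rather than from Nginx, as an added example that is not MediaGoblin's own code: a small WSGI middleware that attaches a Content-Security-Policy header to text/html responses only and builds the script-src list from wherever the deployment serves its static assets, which is the "limit JS to the host the static assets are on" case from the description. The stand-in app, the static URL (https://static.example.org/...) and the config value names are assumptions for illustration. Two practitioner notes are built in: a Report-Only switch so a deployment can watch for violations before enforcing anything (the deployment concern raised in the description), and a comment on 'unsafe-inline', which lets any injected inline <script> run and so only restricts where external scripts may be loaded from.

```python
"""Added example, not MediaGoblin's own code: a WSGI middleware that sets a
Content-Security-Policy header on text/html responses only, with the
script-src list derived from the static asset URL of the deployment."""

from urllib.parse import urlsplit


def build_csp(static_url=None, allow_inline=False):
    """Return a script-src policy string for one deployment.

    static_url: public URL the static assets are served from (hypothetical
      config value). A relative path is same-origin, already covered by
      'self'; an absolute URL on another host is added as a host-source.
    allow_inline: append 'unsafe-inline' (the policy quoted in the ticket).
      With it, an injected inline <script> still executes; the policy then
      only limits where *external* scripts may be loaded from.
    """
    sources = ["'self'"]
    if static_url:
        parts = urlsplit(static_url)
        if parts.scheme and parts.netloc:
            sources.append(f"{parts.scheme}://{parts.netloc}")
        elif parts.netloc:  # scheme-relative URL such as //static.example.org/
            sources.append(parts.netloc)
    if allow_inline:
        sources.append("'unsafe-inline'")
    return "script-src " + " ".join(sources)


def _header(headers, name):
    """Case-insensitive lookup in a WSGI header list; None if absent."""
    name = name.lower()
    for key, value in headers:
        if key.lower() == name:
            return value
    return None


class CSPMiddleware:
    """Add the policy to HTML responses and leave other content types alone."""

    def __init__(self, app, policy, report_only=False):
        self.app = app
        self.policy = policy
        # Report-Only is reported by browsers (console, report-uri/report-to)
        # but never enforced, so a new deployment can check for breakage first.
        self.header_name = ("Content-Security-Policy-Report-Only"
                            if report_only else "Content-Security-Policy")

    def __call__(self, environ, start_response):
        def csp_start_response(status, headers, exc_info=None):
            ctype = _header(headers, "Content-Type") or ""
            already_set = _header(headers, self.header_name) is not None
            if ctype.startswith("text/html") and not already_set:
                headers = list(headers) + [(self.header_name, self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, csp_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for MediaGoblin: HTML at /, JSON under /api/."""
    if environ.get("PATH_INFO", "/").startswith("/api/"):
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"ok": true}']
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><p>user comment</p></body></html>"]


def response_headers(app, path="/"):
    """Run one GET through a WSGI app; return (lower-cased headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                        start_response))
    return captured["headers"], body


if __name__ == "__main__":
    # Hypothetical deployment with assets on a separate static host.
    policy = build_csp(static_url="https://static.example.org/mgoblin_static/")
    app = CSPMiddleware(demo_app, policy, report_only=True)
    print(response_headers(app, "/")[0]["content-security-policy-report-only"])
```

Roll-out order for a site: wrap the app with report_only=True, browse the site (including the blog plugin and comment pages) while watching the browser console for violation reports, then switch to enforcing. If the Nginx route is chosen instead, the same two-step applies with add_header Content-Security-Policy-Report-Only first.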

comment:2 Changed 3 years ago by Ben Sturmfels

Keywords: small added

comment:3 Changed 3 years ago by Ben Sturmfels

Priority: major → minor