Opened 7 years ago
Last modified 7 years ago
#5405 new enhancement
Content Security Policy
Reported by: Matt Molyneaux. Owned by: (not set)
CSP (Content Security Policy) is notably missing from MediaGoblin.
This will add an additional layer of security should a user be able to bypass comment sanitisation (or the blogging plugin) and add some hostile JS to their content.
At the very least, we should use this to limit JS to the host static assets are on.
Will be kinda tricky to implement in such a way that it won't cause issues when deploying - especially for novice users.
Change History (3)
comment:1 by , 7 years ago
Summary: CSP → Content Security Policy
Type: defect → enhancement
comment:2 by , 7 years ago
comment:3 by , 7 years ago
Priority: major → minor
This sounds like a great suggestion. We could do this either in the Nginx deployment example, or by adding the header to the text/html HTTP responses created by MediaGoblin.
Header would look like this:
For Nginx, the directive would be:
Nginx would be the simplest change (just docs), and you can then be confident that it applies to the whole site. Any thoughts?
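As an added example (not MediaGoblin's own code, and not the header or directive comment 3 refers to), this shows the application-side option the comment mentions: a WSGI middleware that attaches a Content-Security-Policy only to text/html responses and restricts script sources to the host that serves the static assets. The origin https://static.example.org, the demo app and the request helper are constructed for illustration.

```python
# Added example, not MediaGoblin code: WSGI middleware that sets a CSP header on
# text/html responses only, limiting script-src to 'self' and the static-asset
# origin. The origin passed in below is an assumed placeholder, not a real value.

def build_csp(static_origin):
    """Build the policy string; static_origin is where JS/CSS are served from."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' {static_origin}",  # inline JS and other hosts are blocked
        f"style-src 'self' {static_origin}",
        f"img-src 'self' {static_origin} data:",
        "object-src 'none'",                    # no plugin content at all
    ])

class CSPMiddleware:
    """Wrap a WSGI app and add the header to HTML responses that lack one."""

    def __init__(self, app, static_origin):
        self.app = app
        self.policy = build_csp(static_origin)

    def __call__(self, environ, start_response):
        def csp_start_response(status, headers, exc_info=None):
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
            has_csp = any(k.lower() == "content-security-policy" for k, _ in headers)
            if ctype.lower().startswith("text/html") and not has_csp:
                # copy rather than mutate the wrapped app's own header list
                headers = list(headers) + [("Content-Security-Policy", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, csp_start_response)

def demo_app(environ, start_response):
    """Constructed stand-in for the real app: an HTML page at /, JSON at /api."""
    if environ.get("PATH_INFO") == "/api":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]

def run_request(app, path):
    """Drive `app` through a minimal WSGI call; return (status, header dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body
```

Scoping the header to text/html keeps JSON and media responses untouched, which is the part an nginx add_header on the whole site does not distinguish by itself.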