Closed Bug 1342131 Opened 7 years ago Closed 7 years ago

[PulseGuardian] Define a Content Security Policy (CSP)

Component: Webtools :: Pulse
Type: defect
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: emorley, Unassigned

Details
One of the HTTP Observatory results is:
    -25     Content Security Policy (CSP) header not implemented 

Actually setting a header is easy (and will likely use the same solution as bug 1342128) - the hard part is picking a policy that doesn't break anything. This is likely a longer term bug than some of the easier deps of bug 1342113.

More information:
https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
https://csp.withgoogle.com/docs/index.html
The title of this bug is a bit of a misnomer, as usually a single content security policy is too strict or too lax.

It's better to think in terms of policies that apply to one or more resources (in the HTTP sense).

1. API endpoints should have a CSP that allows nothing. default-src: 'none'
2. Does the application use flash or java applets? If no, it is safe to specify object-src: 'none'
3. Are images externally sourced? Do you need to allow hotlinking to them from the entire internet or just a few places?
   If just a few, then you can use image-src: 'self' https://my-own-cdn.mozilla.org
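The per-resource approach in the comment above, as an added example that is not PulseGuardian's code and not the flask-csp library discussed later in the thread. It builds one policy per URL prefix (the `/api/` prefix, the `https://my-own-cdn.mozilla.org` host and the route layout are assumptions), renders each as a header value, and attaches it through a plain WSGI wrapper so it works with a Flask app or any other WSGI app. Directive names follow the CSP specification (`img-src`; the spelling `image-src` is rejected at render time rather than being silently ignored by browsers), keyword sources such as `self` and `none` are quoted automatically, and a `report_only` switch emits `Content-Security-Policy-Report-Only` so a candidate policy can be watched for violations before it is enforced.

```python
"""Per-resource Content Security Policies for a WSGI (e.g. Flask) app.

Added example; not PulseGuardian's code and not the flask-csp library.
Assumed layout: JSON API under /api/, everything else is an HTML page.
"""
from typing import Dict, List, Tuple

Policy = Dict[str, List[str]]

# Keyword sources must be single-quoted in the header; anything else is a host or scheme.
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

# Directives this example accepts. A misspelled directive (e.g. "image-src") is a
# policy bug that browsers ignore silently, so rendering fails loudly instead.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "frame-ancestors", "form-action", "base-uri",
}


def quote_source(src: str) -> str:
    """Quote keyword sources ('self', 'none', ...) and leave hosts/schemes as written."""
    bare = src.strip("'")
    return f"'{bare}'" if bare in CSP_KEYWORDS else src


def render_csp(policy: Policy) -> str:
    """Serialise a policy dict into a Content-Security-Policy header value."""
    parts = []
    for directive, sources in policy.items():
        if directive not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown CSP directive: {directive!r}")
        bare = [s.strip("'") for s in sources]
        if "none" in bare and len(bare) > 1:
            # 'none' combined with other sources is meaningless; treat as a policy bug.
            raise ValueError(f"{directive}: 'none' cannot be combined with other sources")
        parts.append(directive + " " + " ".join(quote_source(s) for s in sources))
    return "; ".join(parts)


# Constructed policies mirroring the three rules in the comment above.
API_POLICY: Policy = {"default-src": ["none"]}          # rule 1: API returns data only
PAGE_POLICY: Policy = {
    "default-src": ["self"],
    "object-src": ["none"],                               # rule 2: no Flash/Java applets
    "img-src": ["self", "https://my-own-cdn.mozilla.org"],  # rule 3: self + one CDN (assumed host)
    "frame-ancestors": ["none"],                          # not in the comment; blocks framing
}

# Longest matching prefix wins, so "/" is the fallback for every page route.
ROUTE_POLICIES: List[Tuple[str, Policy]] = [("/api/", API_POLICY), ("/", PAGE_POLICY)]


def policy_for_path(path: str) -> Policy:
    """Pick the policy whose prefix matches the request path (longest prefix wins)."""
    matches = [(prefix, pol) for prefix, pol in ROUTE_POLICIES if path.startswith(prefix)]
    return max(matches, key=lambda m: len(m[0]))[1]


def csp_header_for(path: str, report_only: bool = False) -> Tuple[str, str]:
    """Return (header name, header value) for a request path."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, render_csp(policy_for_path(path))


def csp_middleware(app, report_only: bool = False):
    """Wrap a WSGI app so every response carries the CSP matching its path."""
    def wrapped(environ, start_response):
        name, value = csp_header_for(environ.get("PATH_INFO", "/"), report_only)

        def start_with_csp(status, headers, exc_info=None):
            # Replace any CSP header the app set itself so the route policy is authoritative.
            kept = [h for h in headers if h[0].lower() != name.lower()]
            return start_response(status, kept + [(name, value)], exc_info)

        return app(environ, start_with_csp)
    return wrapped


def demo_app(environ, start_response):
    """Minimal stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>ok</html>"]


def response_headers(path: str, report_only: bool = False) -> Dict[str, str]:
    """Run the wrapped demo app for `path` and return its response headers as a dict."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    list(csp_middleware(demo_app, report_only)({"PATH_INFO": path}, start_response))
    return dict(captured["headers"])  # type: ignore[arg-type]


if __name__ == "__main__":
    for p in ("/api/queues", "/", "/static/app.js"):
        print(p, "->", csp_header_for(p))
```

Deploying the page policy with `report_only=True` first, and checking the browser console or a `report-uri` collector for violations, is how the "doesn't break anything" question from the bug description gets answered before enforcement is switched on.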
Any objection to using https://github.com/twaldear/flask-csp for this? It looks about the same API as I would have written,
except they decided to require the ugly convention of "'self'", "'none'" and so on...
Flags: needinfo?(mcote)
Flags: needinfo?(mcote) → needinfo?(cdawson)
Dylan--  No objection at all.  Please have at it!  :)
Flags: needinfo?(cdawson)
Assignee: nobody → dylan
Another for you--let me know if these reviews are getting too much & I'll find another hapless victim. :)

https://github.com/mozilla-services/pulseguardian/pull/30
Assignee: dylan → mcote
Status: NEW → ASSIGNED
Flags: needinfo?(emorley)
Looks great! :-)
Flags: needinfo?(emorley)
This was committed and deployed a while ago.

https://github.com/mozilla-services/pulseguardian/commit/b8213f20aa591dc76fb63c8d397e894dac66b26b

The CSP rules will be further tightened up as part of bug 1346293, which removes some problematic JavaScript, and some follow-up work to upgrade JavaScript libraries.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED