Closed Bug 946512 Opened 12 years ago Closed 12 years ago

Implement Content Security Policy for Make Valet

Categories

(Webmaker Graveyard :: Make Valet, defect)

Product:
Webmaker Graveyard
Component:
Make Valet
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jon, Assigned: jon)

References

Details

Attachments

(1 file)

https://github.com/mozilla/make-valet/pull/37
45 bytes, text/x-github-pull-request
gvn
: review+
kate
: review-
mgoodwin
: feedback+
Details | Review
Time to add some CSP to the make-valet.
:gvn, :k88hudson - Please review this patch throughly! This is the first substantial CSP patch, so I want to find as many dragons as possible now. :gvn, feel free to fail this patch on performance. We can always split this up into smaller bugs to minimize the performance impact. :mgoodwin - In this patch, I'm using "style-src 'unsafe-inline';". What are the security implications of CSS injection? I can refactor that inline style block to be a separate file, but it does mean extra http overhead, especially for such a small file.
Attachment #8342732 - Flags: review?(kate)
Attachment #8342732 - Flags: review?(gavin)
Attachment #8342732 - Flags: feedback?(mgoodwin)
Comment on attachment 8342732 [details] [review] https://github.com/mozilla/make-valet/pull/37 I have a few questions on Github. Specifically I'm concerned about media/img/object policy. Aren't there going to be videos coming from YouTube and imgs coming from random domains?
Attachment #8342732 - Flags: review?(gavin) → review-
Comment on attachment 8342732 [details] [review] https://github.com/mozilla/make-valet/pull/37 I didn't change any code, just made a note about img-src * in the PR. It shouldn't be necessary for this patch
Attachment #8342732 - Flags: review- → review?(gavin)
Comment on attachment 8342732 [details] [review] https://github.com/mozilla/make-valet/pull/37 R+, but if possible lets run it in report only mode for a bit.
Attachment #8342732 - Flags: review?(gavin) → review+
Comment on attachment 8342732 [details] [review] https://github.com/mozilla/make-valet/pull/37 This works fine for me, but those error messages are pretty ugly. Since a -lot- of people look at the make details pages, personally, I'd rather avoid the reporting stuff until we set up a reporting url... Seems like the regular CSP header would actually be OK here since there all the content we are showing (i.e. the embed shell) is text-based or static (no user-generated assets). If we don't really care about error messages, this is a plus.
Attachment #8342732 - Flags: review?(kate) → review-
Depends on: 949057
:gvn - while we land the csp report, how about landing this patch? We can add the report-uri directive when the server is up and running.
Flags: needinfo?(gavin)
Edit - to be clear, landing it in enforcement mode
Yeah, I think this should be fine. I'm getting close to having the CSP logger written...
Flags: needinfo?(gavin)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
(In reply to Jon Buckley [:jbuck] from comment #1) > :mgoodwin - In this patch, I'm using "style-src 'unsafe-inline';". What are > the security implications of CSS injection? I can refactor that inline style > block to be a separate file, but it does mean extra http overhead, > especially for such a small file. Short answer, unless you're also allowing inline script, they're minimal on modern browsers. Longer answer, take a look at the browser security handbook content on this topic: http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets - note that some of the issues are specific to older browsers, and some of the issues (as I mentioned above) are mitigated by CSP (unless you allow inline scripts)
Comment on attachment 8342732 [details] [review] https://github.com/mozilla/make-valet/pull/37 I'm OK with this if you're happy with the risks as per Comment 13
Attachment #8342732 - Flags: feedback?(mgoodwin) → feedback+
We're definitely not allowing inline script, and we're only supporting IE9+, so I think we're good to go here. Thanks Mark!
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: