[tahoe-lafs-trac-stream] [tahoe-lafs] #2136: Use Content-Security-Policy to harden the WUI

tahoe-lafs trac at tahoe-lafs.org
Sun Dec 15 15:15:10 UTC 2013


#2136: Use Content-Security-Policy to harden the WUI
-----------------------------+---------------------------------------------
     Reporter:  freddyb      |      Owner:  daira
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:  undecided
    Component:  code-        |    Version:  1.10.0
  frontend-web               |   Keywords:  csp wui security xss javascript
   Resolution:               |
Launchpad Bug:               |
-----------------------------+---------------------------------------------
Changes (by daira):

 * keywords:   => csp wui security xss javascript
 * component:  unknown => code-frontend-web


Old description:

> I have audited the WUI and the current use of JavaScript would make it
> very easy to adapt content-security-policy as a defense-in-depth
> mechanism against XSS and other content-injection attacks against the
> WUI.
>
> AFAIU one would only have to whitelist a few script files for the
> download-status-timeline. Everything else could easily work with "no
> scripts allowed".
>
> A more moderate approach could be "only allow same-origin resources",
> which could be patched into the WUI similarly to what my X-Frame-Options
> patch does. See ticket 1455.

New description:

 I have audited the WUI and the current use of JavaScript would make it
 very easy to adapt content-security-policy as a defense-in-depth mechanism
 against XSS and other content-injection attacks against the WUI.

 AFAIU one would only have to whitelist a few script files for the
 download-status-timeline. Everything else could easily work with "no
 scripts allowed".

 A more moderate approach could be "only allow same-origin resources",
 which could be patched into the WUI similarly to what my X-Frame-Options
 patch does. See ticket #1455.

--

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2136#comment:1>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
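The two policies the reporter outlines (scripts disabled everywhere except the download-status timeline, or the more moderate "same-origin resources only") can be expressed as a small header chooser. The following is an added example, not code from the ticket or from Tahoe-LAFS; the timeline URL prefix, the policy names and the header-setting hook are assumptions for illustration.

```python
"""Added example (not from #2136 or Tahoe-LAFS): pick a Content-Security-Policy
per WUI request path and check that a policy actually blocks inline scripts."""

# Strict approach from the ticket: no scripts at all, every other resource must
# come from the WUI's own origin.  script-src 'none' blocks inline and external JS.
STRICT_POLICY = "default-src 'self'; script-src 'none'"

# The timeline page is the one place the WUI needs JavaScript, so it gets
# same-origin script files only.  Inline scripts stay blocked because
# 'unsafe-inline' is absent, which is what defeats injected <script> tags.
TIMELINE_POLICY = "default-src 'self'; script-src 'self'"

# Moderate approach from the ticket: same-origin resources everywhere.
MODERATE_POLICY = "default-src 'self'"

# Assumed URL prefix of the download-status pages (illustrative, not verified).
TIMELINE_PREFIX = "/status/down-"


def csp_for_path(path, moderate=False):
    """Return the CSP string the WUI should send for a request path."""
    if moderate:
        return MODERATE_POLICY
    if path.startswith(TIMELINE_PREFIX):
        return TIMELINE_POLICY
    return STRICT_POLICY


def parse_csp(policy):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def allows_inline_script(policy):
    """True if injected inline <script> could still run under this policy.
    script-src falls back to default-src; if neither is set, CSP does not
    restrict scripts at all."""
    d = parse_csp(policy)
    if "script-src" not in d and "default-src" not in d:
        return True
    return "'unsafe-inline'" in d.get("script-src", d["default-src"])


def security_headers(path, moderate=False):
    """Headers for a WUI response (assumed to be applied via the server's
    setHeader hook).  X-Frame-Options mirrors the earlier #1455 patch."""
    return {"Content-Security-Policy": csp_for_path(path, moderate),
            "X-Frame-Options": "DENY"}
```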
