Opened at 2013-12-15T11:43:29Z
Last modified at 2014-07-29T21:57:24Z
#2136 new defect
Use Content-Security-Policy to harden the WUI
Reported by: | freddyb | Owned by: | daira |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | code-frontend-web | Version: | 1.10.0 |
Keywords: | csp wui security xss javascript | Cc: | |
Launchpad Bug: | | | |
Description (last modified by daira)
I have audited the WUI and the current use of JavaScript would make it very easy to adapt content-security-policy as a defense-in-depth mechanism against XSS and other content-injection attacks against the WUI.
AFAIU one would only have to whitelist a few script files for the download-status-timeline. Everything else could easily work with "no scripts allowed".
A more moderate approach could be "only allow same-origin resources", which could be patched into the WUI similarly to what my X-Frame-Options patch does. See ticket #1455.
Change History (6)
comment:1 Changed at 2013-12-15T15:15:10Z by daira
- Component changed from unknown to code-frontend-web
- Description modified (diff)
- Keywords csp wui security xss javascript added
comment:2 Changed at 2014-07-22T16:39:10Z by daira
comment:3 Changed at 2014-07-22T16:56:09Z by freddyb
The prefix has mostly been used by those browsers that update themselves, so I guess the impact is negligible. The notable exception here is probably iOS 6.1, since updates depend on the hardware here (cf. http://caniuse.com/#search=CSP).
comment:4 Changed at 2014-07-22T17:23:04Z by daira
Let's include these headers:
Content-Security-Policy: sandbox
X-Content-Security-Policy: sandbox
X-Webkit-CSP: sandbox
X-Frame-Options: DENY
(The first three are CSP; the last one is for framebusting #1455).
comment:5 Changed at 2014-07-22T17:27:27Z by daira
Here is the code that normally renders a file: src/allmydata/web/filenode.py@5d404db8#L157
http://content-security-policy.com/ says which browser versions support which CSP headers. Basically, if we duplicate the Content-Security-Policy header to X-Content-Security-Policy and X-Webkit-CSP, we get support in earlier/more browsers.
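The following is an added example, not Tahoe-LAFS code and not the patch discussed in comment:4 or comment:5. It shows the four headers from comment:4 being attached to every response by a small WSGI middleware (the names `harden`, `add_hardening_headers`, `file_view` and `run_request` are hypothetical), with the CSP value duplicated into the two prefixed headers as comment:5 suggests, plus a check that reports which hardening headers a response is still missing. It uses only the Python standard library, so it runs offline.

```python
# Added example (not Tahoe-LAFS code): apply the hardening headers listed in
# comment:4 to every response of a WSGI application, and check for them.
from wsgiref.util import setup_testing_defaults

# "sandbox" puts the rendered document in a sandboxed context (no scripts,
# forms or plugins, unique origin); X-Frame-Options: DENY is the framebusting
# header from ticket #1455.
SANDBOX_POLICY = "sandbox"

# The same policy is duplicated into the prefixed header names so that
# browser versions that only understand a prefixed header also enforce it.
HARDENING_HEADERS = [
    ("Content-Security-Policy", SANDBOX_POLICY),
    ("X-Content-Security-Policy", SANDBOX_POLICY),
    ("X-Webkit-CSP", SANDBOX_POLICY),
    ("X-Frame-Options", "DENY"),
]


def add_hardening_headers(headers):
    """Return a copy of a (name, value) header list with the hardening
    headers appended, replacing any value the application set for them."""
    names = {name.lower() for name, _ in HARDENING_HEADERS}
    kept = [(n, v) for n, v in headers if n.lower() not in names]
    return kept + list(HARDENING_HEADERS)


def harden(app):
    """WSGI middleware (hypothetical) that hardens every response of `app`."""
    def wrapped(environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, add_hardening_headers(headers), exc_info)
        return app(environ, hardened_start_response)
    return wrapped


def file_view(environ, start_response):
    """Constructed stand-in for a file-rendering handler (not filenode.py)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>file contents</body></html>"]


def run_request(app, path="/uri/EXAMPLE"):
    """Drive `app` through one request offline; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def missing_hardening_headers(headers):
    """Names of hardening headers that `headers` lacks or sets to another value."""
    present = {n.lower(): v for n, v in headers}
    return [n for n, v in HARDENING_HEADERS if present.get(n.lower()) != v]


if __name__ == "__main__":
    status, headers, body = run_request(harden(file_view))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
    print("missing:", missing_hardening_headers(headers))
```

`missing_hardening_headers` is the kind of check a test suite can run against the real WUI's responses to confirm the headers survive on every rendered page, not only on the file view shown here.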