#2136 new defect

Use Content-Security-Policy to harden the WUI

Reported by: freddyb Owned by: daira
Priority: normal Milestone: undecided
Component: code-frontend-web Version: 1.10.0
Keywords: csp wui security xss javascript Cc:
Launchpad Bug:

Description (last modified by daira)

I have audited the WUI and the current use of JavaScript would make it very easy to adopt Content-Security-Policy as a defense-in-depth mechanism against XSS and other content-injection attacks against the WUI.

AFAIU one would only have to whitelist a few script files for the download-status-timeline. Everything else could easily work with "no scripts allowed".

A more moderate approach could be "only allow same-origin resources", which could be patched into the WUI similarly to what my X-Frame-Options patch does. See ticket #1455.

Change History (6)

comment:1 Changed at 2013-12-15T15:15:10Z by daira

  • Component changed from unknown to code-frontend-web
  • Description modified (diff)
  • Keywords csp wui security xss javascript added

comment:2 Changed at 2014-07-22T16:39:10Z by daira

http://content-security-policy.com/ says which browser versions support which CSP headers. Basically, if we duplicate the Content-Security-Policy header to X-Content-Security-Policy and X-Webkit-CSP, we get support in earlier/more browsers.

comment:3 Changed at 2014-07-22T16:56:09Z by freddyb

The prefix has mostly been used by those browsers that update themselves, so I guess the impact is negligible. The notable exception here is probably iOS 6.1, since updates depend on the hardware here (cf. http://caniuse.com/#search=CSP).

comment:4 Changed at 2014-07-22T17:23:04Z by daira

Let's include these headers:

Content-Security-Policy: sandbox
X-Content-Security-Policy: sandbox
X-Webkit-CSP: sandbox
X-Frame-Options: DENY

(The first three are CSP; the last one is for framebusting #1455).

comment:5 Changed at 2014-07-22T17:27:27Z by daira

Here is the code that normally renders a file: src/allmydata/web/filenode.py@5d404db8#L157
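The header set proposed in comment:4, as an added example that is not Tahoe-LAFS code and not what filenode.py does: a helper that builds those four headers for a WUI response, a stdlib HTTP handler that attaches them, and a check that flags a captured response whose headers are missing or weaker than proposed. The names wui_security_headers, check_hardening_headers and HardenedHandler, the port, and the sample responses are assumptions for the example. One caveat the check makes visible: a CSP sandbox directive with no allow-* tokens also disables script execution and form submission, so a page that needs the download-status-timeline scripts would have to send "sandbox allow-scripts" (or a separate policy), which the check reports as a relaxation rather than silently accepting.

```python
"""Emit and verify the WUI hardening headers from comment:4.

Added example, not Tahoe-LAFS code. The function and class names, the
port and the sample responses below are assumptions for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# The four headers from comment:4. A CSP "sandbox" directive with no
# allow-* tokens treats the document like a sandboxed iframe: scripts,
# forms and plugins are disabled and the page gets a unique (opaque)
# origin. The two prefixed copies reach older Firefox
# (X-Content-Security-Policy) and older WebKit/Safari/iOS (X-Webkit-CSP);
# X-Frame-Options: DENY is the framebusting header from #1455.
WUI_HARDENING_HEADERS = {
    "Content-Security-Policy": "sandbox",
    "X-Content-Security-Policy": "sandbox",
    "X-Webkit-CSP": "sandbox",
    "X-Frame-Options": "DENY",
}


def wui_security_headers(allow_scripts=False):
    """Return the header set for one WUI response.

    allow_scripts=True is the variant a page such as the download-status
    timeline would need: "sandbox allow-scripts" re-enables script
    execution while keeping the other sandbox restrictions.
    """
    csp = "sandbox allow-scripts" if allow_scripts else "sandbox"
    return {
        "Content-Security-Policy": csp,
        "X-Content-Security-Policy": csp,
        "X-Webkit-CSP": csp,
        "X-Frame-Options": "DENY",
    }


def check_hardening_headers(response_headers):
    """Report which comment:4 headers a captured response lacks or weakens.

    response_headers is any name->value mapping; header names are matched
    case-insensitively, as HTTP requires. Returns a list of problem
    strings; an empty list means the response is hardened as proposed.
    """
    got = {name.lower(): value.strip() for name, value in response_headers.items()}
    problems = []
    for name, _want in WUI_HARDENING_HEADERS.items():
        value = got.get(name.lower())
        if value is None:
            problems.append("missing %s" % name)
            continue
        if name == "X-Frame-Options":
            if value.lower().split() != ["deny"]:
                problems.append("%s is %r, expected DENY" % (name, value))
            continue
        # Every CSP variant must carry a sandbox directive; any allow-*
        # token loosens it, so name the tokens instead of hiding them.
        directives = [d.split() for d in value.split(";") if d.strip()]
        sandbox = [d for d in directives if d and d[0].lower() == "sandbox"]
        if not sandbox:
            problems.append("%s lacks a sandbox directive" % name)
            continue
        relaxed = [t for t in sandbox[0][1:] if t.lower().startswith("allow-")]
        if relaxed:
            problems.append("%s relaxes sandbox with %s" % (name, " ".join(relaxed)))
    return problems


class HardenedHandler(BaseHTTPRequestHandler):
    """Stand-in for a WUI page handler (not filenode.py): serves a fixed
    page with the hardening headers attached to every response."""

    BODY = b"<html><body><h1>WUI</h1></body></html>"  # constructed sample page

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(self.BODY)))
        for name, value in wui_security_headers().items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(self.BODY)


if __name__ == "__main__":
    # Assumed port; fetch http://127.0.0.1:8080/ and inspect the headers.
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()
```

To audit a running WUI, feed the headers of a real response into check_hardening_headers; a response that sends only the unprefixed header, or X-Frame-Options: SAMEORIGIN, is reported line by line rather than passed.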
