Comments (8)
Google is offering Google Patch Rewards for integrating CSP in popular frameworks and facilitating adoption (as you already did, so please apply!).
I'll definitely take a look at this, thanks for the link! Is it worth applying now, or should I wait until I have a proper full version done? (shouldn't be long away!)
The most recent research on CSP demonstrated that the whitelist-based approach is intrinsically flawed for XSS mitigation, and that a nonce/hash + 'strict-dynamic' policy, similar to the ones already served by important Google products, is in the quasi-totality of cases the only working solution.
Don't have to convince me of that! 😉
RE making it default behaviour – at the moment my approach towards pushing good settings is having SecureHeaders 'complain' until those settings are configured ('sanely').
With that in mind, adding a check for 'strict-dynamic' in the CSP sanity check would be most in line with SecureHeaders' current behaviour (useful but hopefully non-intrusive defaults, and complain until things are ideal).
I.e. so that 'strict-dynamic' is encouraged (if a source list is present) similarly to these being discouraged https://github.com/aidantwoods/SecureHeaders#another-example
the worst thing you can have is a false sense of security
This comment is along the lines of why I wouldn't want to specify a default CSP for SecureHeaders – it would either break things, or be overly broad and useless. Though I can see a good middle ground where a dev could opt-in to some defaults that are 'better, but may need configuring to make your application work'.
Alternatively, I could auto-add 'strict-dynamic' if a nonce is in the source list, but not otherwise. (though automatic behaviour like this needs to be balanced imo – if it's too unintuitive, it may discourage use of SecureHeaders altogether if devs find it unpredictable. Especially if devs are testing in non CSP3 compliant browsers – they wouldn't even notice it).
If you could also add a link to the CSP Evaluator to your README, to let users evaluate the quality of their policy, it would be awesome.
I'll definitely add a link to that – it's a great resource. It may make sense to add the link into warnings triggered by the CSP sanity check too, just so devs see it if they're writing CSPs that raise obvious flags.
Okay, so I've added ->strict_mode() which bundles 'strict-dynamic' in along with HSTS with long duration and preload criteria. SecureHeaders will honour user-set HSTS preferences if set though (or if they've asked to remove the HSTS header via ->remove_header()).
I'll probably think of a few other interesting things to stick in 'strict-mode', could possibly make it add a few extensions to safe-mode, e.g. wildcards picked up in certain directives during CSP validation are auto-removed.
Very nice, thanks!
Do you enforce the presence of at least one nonce or hash together with 'strict-dynamic'? Otherwise it will just break the application...
I was thinking more along the lines of spitting out an E_USER_WARNING if no nonces/hashes are added. Since ->strict_mode() is opt-in, IMO it's valuable to show devs what settings they should use in headers, and encourage them to change their application around those (rather than hoping they happen to generate a nonce/hash to benefit).
Let me know if that makes sense? Happy to reconsider it if I'm making a silly decision here
I think we should not add 'strict-dynamic' if there is no nonce or hash, because it would just break the application. So we should probably enforce the use of nonces or hashes in strict mode, together with 'strict-dynamic'. What do you think?
Summary of that change:
If strict mode is enabled, SecureHeaders will take directive to be either default-src or script-src (whichever is set). If both are set, script-src is used. If directive contains a nonce or hash source value then inject 'strict-dynamic' into the CSP source list for directive, otherwise issue the following:
Warning: Strict Mode is enabled, but couldn't add 'strict-dynamic' into the Content-Security-Policy because no hash or nonce was used.
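The strict-mode rule summarised above, as an added example that is not SecureHeaders' own code: an independent PHP sketch in which the function names, the array-based policy representation and the two sample policies are all assumptions made here. It picks script-src over default-src, injects 'strict-dynamic' only when that directive already carries a nonce or hash source, and otherwise raises the E_USER_WARNING discussed in the thread instead of shipping a policy that would block every script.

```php
<?php
// Added example, not SecureHeaders' code. Function names and the
// directive => [sources] array layout are assumptions for illustration.

declare(strict_types=1);

/**
 * Pick the directive strict mode operates on: script-src wins over
 * default-src because, once script-src is set, default-src no longer
 * governs scripts. Returns null if neither directive is present.
 */
function strictModeDirective(array $csp): ?string
{
    foreach (['script-src', 'default-src'] as $directive) {
        if (isset($csp[$directive])) {
            return $directive;
        }
    }
    return null;
}

/**
 * True if the source list contains at least one nonce or hash source,
 * per the CSP3 grammar: 'nonce-<base64>' or 'sha256|sha384|sha512-<base64>'.
 */
function hasNonceOrHash(array $sources): bool
{
    foreach ($sources as $source) {
        if (preg_match("/^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/=_-]+'$/", $source)) {
            return true;
        }
    }
    return false;
}

/**
 * Apply strict mode: add 'strict-dynamic' to the chosen directive only when
 * a nonce or hash is present; otherwise warn and return the policy unchanged.
 */
function applyStrictMode(array $csp): array
{
    $directive = strictModeDirective($csp);
    if ($directive === null || !hasNonceOrHash($csp[$directive])) {
        trigger_error(
            "Strict Mode is enabled, but couldn't add 'strict-dynamic' into the "
            . "Content-Security-Policy because no hash or nonce was used.",
            E_USER_WARNING
        );
        return $csp;
    }
    if (!in_array("'strict-dynamic'", $csp[$directive], true)) {
        $csp[$directive][] = "'strict-dynamic'";
    }
    return $csp;
}

/** Serialise the policy array to a Content-Security-Policy header value. */
function serialiseCsp(array $csp): string
{
    $parts = [];
    foreach ($csp as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Constructed sample 1: a fresh per-response nonce, so strict mode injects
// 'strict-dynamic' into script-src (default-src is left alone).
$nonce = base64_encode(random_bytes(16));
$withNonce = [
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", "'nonce-$nonce'", 'https://cdn.example.com'],
];
header('Content-Security-Policy: ' . serialiseCsp(applyStrictMode($withNonce)));

// Constructed sample 2: host whitelist only. Strict mode emits the
// E_USER_WARNING and does not touch the policy.
$whitelistOnly = ['script-src' => ["'self'", 'https://cdn.example.com']];
applyStrictMode($whitelistOnly);
```

The guard matters because of how browsers treat the keyword: a CSP3 browser that sees 'strict-dynamic' ignores host sources, scheme sources and 'self' in that directive and trusts only nonced or hashed scripts (plus what they load), so a policy with 'strict-dynamic' and no nonce or hash allows nothing. A browser without CSP3 support ignores the keyword and falls back to the whitelist, which is exactly why a developer testing only in such a browser would not notice the breakage mentioned earlier in the thread.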
Awesome, exactly what I was thinking, thanks!
Great 👍 Let me know if you think of anything else!