Content-Security-Policy #24

@shesek

Description

Should use the following header:

Content-Security-Policy:
  default-src https://www.bitrated.com/;
  frame-src 'none';
  object-src 'none';
  connect-src https://www.bitrated.com/ https://blockchain.info/ https://coinb.in/;
  report-uri /csp-violation/

This is pretty much as strict as it can get. This instructs the browser to:

  • Block resources that don't originate from bitrated.com over SSL
  • Block XMLHttpRequests except for blockchain.info and coinb.in APIs
  • Block inline scripts
  • Block eval (not that it does much against XSS, but why not)
  • Block iframes and objects completely (those aren't currently used)
  • Send violation reports to an API endpoint.

Todo:

  • Move inline script that tests browser support to a separate file
  • Check for other inline script usages (there shouldn't be any)
  • Add header on dev environment
  • Ensure nothing breaks (mostly by disallowing eval - not used in Bitrated, but might be used in one of the libraries)
  • API for violation reports, forward to email
  • Update security page
  • Push live
