
Drop superfluous CSP (+report object-src) #14897

Open
wants to merge 3 commits into base: main

Conversation

janbrasna (Contributor)

@janbrasna janbrasna commented Jul 29, 2024

One-line summary

Removes hosts already covered by defaults/wildcards appended to every policy.

Significant changes and points to review

(This will be redone anyways for #11943 when every policy gets its own subset of hosts, instead of appending the default wildcards everywhere…)

Also adds object-src: none to report-only to help surface any hypothetical use.

Issue / Bugzilla link

#14896 (+#11943)

Testing

curl -I http://localhost:8000/de/
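To make the "hosts already covered by wildcards" check above mechanical, here is an added example (not bedrock's own code) that parses a Content-Security-Policy header value such as the one returned by the curl command in the Testing section, reports per directive the source expressions already matched by a wildcard host in the same directive, and lists the fetch directives that are absent and therefore fall back to default-src (which is what makes an explicit report-only object-src meaningful). The sample header, the function names and the FALLBACK_TO_DEFAULT list are the example's own assumptions; the sample header is constructed for illustration and is not a real bedrock response.

```python
"""Audit a CSP header value for redundant host sources and default-src fallbacks.

Added example, not bedrock code. The sample header below is constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly (CSP3).
# frame-ancestors, report-uri etc. are not fetch directives and never fall back.
FALLBACK_TO_DEFAULT = (
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source-expression, ...]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_source(src: str) -> tuple[str | None, str] | None:
    """Return (scheme-or-None, host-pattern) for a host-source; None for anything else."""
    if src.startswith("'") or src.endswith(":"):
        return None  # keyword ('self', 'none'), nonce/hash, or scheme-source (data:)
    if "://" in src:
        parts = urlsplit(src)
        return parts.scheme.lower(), parts.netloc.lower()
    return None, src.lower()


def covers(wildcard: str, src: str) -> bool:
    """True if host-source `wildcard` already matches everything `src` matches."""
    w, s = _host_source(wildcard), _host_source(src)
    if w is None or s is None or wildcard == src:
        return False
    w_scheme, w_host = w
    s_scheme, s_host = s
    # A scheme-qualified wildcard (https://*.example.com) only covers the same scheme.
    if w_scheme is not None and w_scheme != s_scheme:
        return False
    if w_host == "*":
        return True  # bare * matches any network host-source
    if not w_host.startswith("*."):
        return False
    suffix = w_host[1:]  # "*.example.com" -> ".example.com"
    # *.example.com matches subdomains only, never the bare apex example.com.
    return s_host.endswith(suffix) and s_host != suffix[1:]


def redundant_sources(directives: dict[str, list[str]]) -> dict[str, list[str]]:
    """Per directive, the sources already matched by a wildcard in that same directive.

    Only same-directive coverage counts: a directive that is set at all replaces
    default-src entirely, so a default-src wildcard does not make img-src entries
    redundant.
    """
    out: dict[str, list[str]] = {}
    for name, sources in directives.items():
        dup = [s for s in sources if any(covers(w, s) for w in sources)]
        if dup:
            out[name] = dup
    return out


def fallback_directives(directives: dict[str, list[str]]) -> list[str]:
    """Fetch directives not set explicitly, so default-src governs them."""
    return [d for d in FALLBACK_TO_DEFAULT if d not in directives]


# Constructed sample header (assumption for the example), not a real bedrock response.
SAMPLE_CSP = (
    "default-src 'self' *.mozilla.net *.mozilla.org; "
    "img-src 'self' data: *.mozilla.net www.mozilla.org images.mozilla.net; "
    "script-src 'self' *.mozilla.net www.mozilla.org; "
    "frame-ancestors 'none'"
)

if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    for directive, dups in redundant_sources(policy).items():
        print(f"{directive}: superfluous {dups}")
    print("fall back to default-src:", fallback_directives(policy))
```

Run it against the real header by pasting the Content-Security-Policy value from `curl -I` into SAMPLE_CSP; anything listed under fall back to default-src (object-src included, if unset) is what the appended default wildcards currently govern.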

@alexgibson alexgibson added labels Needs Review (Awaiting code review), Frontend (HTML, CSS, JS... client side stuff), P3 (Third level priority - Nice to have), Backend (Server stuff yo) on Jul 29, 2024
@janbrasna janbrasna changed the title Drop superfluous img-src CSP Drop superfluous CSP Jul 29, 2024
@janbrasna janbrasna changed the title Drop superfluous CSP Drop superfluous CSP (+report object-src) Jul 29, 2024

codecov bot commented Jul 29, 2024

Codecov Report

Attention: Patch coverage is 0% with 1 line in your changes missing coverage. Please review.

Project coverage is 77.33%. Comparing base (d6c3871) to head (1029f7c).
Report is 3 commits behind head on main.

Files Patch % Lines
bedrock/settings/__init__.py 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #14897      +/-   ##
==========================================
- Coverage   77.34%   77.33%   -0.01%     
==========================================
  Files         161      161              
  Lines        8348     8349       +1     
==========================================
  Hits         6457     6457              
- Misses       1891     1892       +1     


@@ -269,6 +265,7 @@
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_report_uri
# CSP directive updates we're testing that we hope to move to the enforced policy.
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE]
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE]
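Review bot: the new object-src line is the one line Codecov reports as uncovered in bedrock/settings/__init__.py, and the comment above it says these report-only directives are candidates for the enforced policy, so please add a test that requests a page and asserts that the Content-Security-Policy-Report-Only header contains `object-src 'none'` alongside `frame-ancestors 'none'`; that both covers the line and pins the behaviour when it is later promoted. A short note next to the line on what the enforced policy currently does for object-src (explicitly set, or unset and falling back to default-src and its appended wildcards) would also make the resulting violation reports interpretable, since the hunk alone does not show it.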
Contributor Author

I'm also a little tempted to test-drive restricting default-src to just self? (Instead of all the default wildcards)

Suggested change
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE]
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE]
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["default-src"] = [csp.constants.SELF]
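Review bot: the suggested default-src 'self' line is the fallback for every fetch directive that CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"] does not set explicitly, so in report-only mode it would emit a violation report for fonts, connect, media, worker and any other unlisted fetch directive on every page load, not just for the object-src case this PR wants to surface; before test-driving it, enumerate which fetch directives the report-only policy sets explicitly and add the remaining ones alongside default-src, otherwise the report-uri endpoint will be flooded and the object-src signal lost in the noise.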
