Explore more CSP tightening (report-only) #14897
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -28,16 +28,13 @@ | |
| ] | ||
| _csp_img_src = [ | ||
| "data:", | ||
| "www.googletagmanager.com", | ||
| "www.google-analytics.com", | ||
| "images.ctfassets.net", | ||
|
There was a problem hiding this comment. Hmm, aren't Contentful assets also moved to bedrock? #14198 So this could also be removed? |
||
| ] | ||
| _csp_script_src = [ | ||
| # TODO change settings so we don't need unsafes even in dev | ||
| csp.constants.UNSAFE_INLINE, | ||
| csp.constants.UNSAFE_EVAL, | ||
| "www.googletagmanager.com", | ||
| "www.google-analytics.com", | ||
|
|
@@ -125,6 +122,8 @@ | |
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_ro_report_uri | ||
|
|
||
| # CSP directive updates we're testing that we hope to move to the enforced policy. | ||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["default-src"] = [csp.constants.SELF] | ||
|
There was a problem hiding this comment. Yeah I like this. We could go even further and set There was a problem hiding this comment. Basically it's a kitchen sink right now, making sure any service or hotlink would work without thinking about it too much… Ideally every policy should enumerate the hosts it really needs, e.g. #11943 (comment) — so that it's restricted to more specific hostnames (like some Which should be the next move in tightening, though. Along with specifically allowing just self/www.m.o where needed, instead of *.m.o that would allow anything (XSS) from e.g. MDN, addons.m.o, discourse.m.o, community.m.o, blog.m.o, support.m.o, bugzilla.m.o, pontoon.m.o etc. with some potential user-submitted resources. So if we consider ditching the ctfassets img src, I can try (RO) instead of specifically removing it to generally restrict the images to just self+GA and skip the defaults completely — to see if that triggers anything… |
||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE] | ||
janbrasna marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment. As I understand it, if There was a problem hiding this comment. Exactly. I'm not aware of any embed/object use on bedrock, so if this validates it, good practice is to explicitly deny it wholesale (because the elements using it have somewhat crappy support for sandboxing etc., so it's better to not allow them to load at all). |
||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE] | ||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE) | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
'self'covers this alreadyThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's basically included in
"img-src": list(set(_csp_default_src + _csp_img_src))with_csp_default_srcstill includingcsp.constants.SELF, "*.mozilla.net", "*.mozilla.org", "*.mozilla.com"(I haven't changed that bit, the defaults still include all the hosts and are appended to all the rules. I'm only trimming the default forreport-onlyafter all of this gets set.)That's perhaps another thing to RO-testdrive, restrict the default img src hosts to just self (+GA) for images, to see if all are contained internally?
(Not sure if all img src refs are always locally to bedrock, from /media root of the instance even for CMS content in all the envs, demos, staging/integration hosts etc. — e.g. *stage.gcp.moz.works definitely links images from allizom etc., will have to look how the dev extras are being added, so we don't axe the bit that appends those for non-prod use…)