Open molangning opened 8 months ago
Anyone already working on this? I don’t mind giving at least a first draft!
Currently I am not working on it. Feel free to go ahead, I can review it afterwards.
Content Security Policy is a mechanism by which we can restrict the sources from which content is loaded, to reduce the attack surface of possible XSS and to detect it.
I suggest that we only load scripts and other static resources from a specific subdomain (cdn, user-profile, etc.) and lock down other features we don't need, like base tags. Additionally, we need some kind of endpoint to log CSP violations.
References:
- https://www.lunasec.io/docs/blog/csp/
- https://content-security-policy.com/
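As an added illustration of the suggestion above (not code from this project): a policy object that restricts scripts to one static-asset subdomain, disables `<base>`, and names a report endpoint, plus the parsing a logging endpoint would do on an incoming violation report. The hostnames, the `/csp-report` path and the sample report are assumptions constructed for the example.

```javascript
// Example policy (hostnames are assumptions): scripts only from the CDN
// subdomain, no plugins, no <base> override, violations posted to /csp-report.
const POLICY = {
  "default-src": ["'self'"],
  "script-src": ["https://cdn.example.org"],
  "img-src": ["'self'", "https://user-profile.example.org"],
  "object-src": ["'none'"],
  "base-uri": ["'none'"],          // blocks <base href> from redirecting relative URLs
  "frame-ancestors": ["'none'"],
  "report-uri": ["/csp-report"],   // assumed logging endpoint on this origin
};

// Serialise the policy object into the Content-Security-Policy header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, values]) => `${directive} ${values.join(" ")}`)
    .join("; ");
}

// Browsers POST violation reports as JSON with a top-level "csp-report" object.
// Validate the shape before logging so malformed bodies are dropped, not stored.
function parseCspReport(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { return null; }
  const r = data && data["csp-report"];
  if (!r || typeof r !== "object") return null;
  const violated = r["violated-directive"] || r["effective-directive"];
  if (typeof violated !== "string") return null;
  return {
    documentUri: String(r["document-uri"] || ""),
    violatedDirective: violated,
    blockedUri: String(r["blocked-uri"] || ""),
  };
}

// Constructed sample of what the endpoint would receive when a page tries to
// load a script from a host that is not in script-src.
const SAMPLE_REPORT = JSON.stringify({ "csp-report": {
  "document-uri": "https://app.example.org/profile",
  "violated-directive": "script-src",
  "effective-directive": "script-src",
  "original-policy": buildCsp(POLICY),
  "blocked-uri": "https://untrusted.example.net/x.js",
}});

console.log("Content-Security-Policy: " + buildCsp(POLICY));
console.log(parseCspReport(SAMPLE_REPORT));
```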