Azareal / Gosora

Gosora is an ultra-fast and secure forum software written in Go that balances usability with functionality.
https://gosora-project.com/
GNU General Public License v3.0
164 stars, 16 forks

Content Security Policy Header #27

Open Azareal opened 6 years ago

Azareal commented 6 years ago

This header can be useful for running scripts which shouldn't, however there are a few spots where we run inline scripts, so we want to make sure we don't end up killing those along with the baddies.

We probably want to start by surveying every spot with inline scripts and going through there, perhaps we can keep them working with a nonce or something while still getting that anti-XSS goodness. There are plenty of resources on the web which go into it, but Troy Hunt has an interesting stance in: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

Azareal commented 6 years ago

I added a simple CSP header to automatically upgrade outgoing requests for images to HTTPS to avoid mixed content alerts.

I might add a configuration setting to disable that, if there turn out to be a lot of servers which only run HTTP. A proxy is also an option, although someone might abuse it to DDoS a server.

Azareal commented 5 years ago

I'm in the midst of upgrading the content security policy headers.

There are a few spots where I use inline scripts however, so they're currently exempt. I am working on converting them away from that though, so that I can set that policy everywhere.
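The thread above sketches two things: a per-request nonce so the remaining inline scripts keep working under `script-src`, and an `upgrade-insecure-requests` directive for the mixed-content problem. The following is an added example, not code from the Gosora repository, showing how both fit into a single `net/http` middleware. The directive list (`default-src`, `style-src` still allowing `'unsafe-inline'`, `img-src` permitting any HTTPS origin, and so on) and the handler/template names are assumptions for illustration; a real deployment would tighten them to match the templates actually served.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"log"
	"net/http"
	"strings"
)

// ctxKey is the request-context key carrying the per-request nonce.
type ctxKey string

const nonceKey ctxKey = "csp-nonce"

// newNonce returns 128 bits of CSPRNG output, base64url-encoded (22 chars,
// no padding). The URL-safe alphabet is valid in a CSP nonce and, unlike
// '+' and '/', is left untouched by html/template attribute escaping.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// buildCSP assembles the policy string. Scripts run only if they carry the
// nonce or are served from the site itself. The directive set here is an
// assumption for the example; upgrade-insecure-requests mirrors the
// mixed-content fix mentioned in the issue.
func buildCSP(nonce string) string {
	directives := []string{
		"default-src 'self'",
		"script-src 'self' 'nonce-" + nonce + "'",
		"style-src 'self' 'unsafe-inline'", // assumed: templates still use inline styles
		"img-src 'self' https: data:",
		"object-src 'none'",
		"base-uri 'self'",
		"upgrade-insecure-requests",
	}
	return strings.Join(directives, "; ")
}

// cspMiddleware mints a fresh nonce per request, sets the header, and hands
// the nonce to the downstream handler through the request context.
func cspMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", buildCSP(nonce))
		ctx := context.WithValue(r.Context(), nonceKey, nonce)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// nonceFrom extracts the nonce stored by cspMiddleware; empty if absent.
func nonceFrom(r *http.Request) string {
	n, _ := r.Context().Value(nonceKey).(string)
	return n
}

// page is a stand-in for a forum template (constructed for the example). Its
// one inline script carries the nonce; html/template escapes the attribute
// value, so a nonce can never break out of the quotes.
var page = template.Must(template.New("page").Parse(
	`<!doctype html><html><body><h1>{{.Title}}</h1>` +
		`<script nonce="{{.Nonce}}">console.log("inline, but allowed");</script>` +
		`</body></html>`))

// pageHandler renders the template with the nonce set by the middleware.
func pageHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	data := struct{ Title, Nonce string }{"Gosora demo", nonceFrom(r)}
	if err := page.Execute(w, data); err != nil {
		log.Println(err)
	}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", pageHandler)
	fmt.Println("listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", cspMiddleware(mux)))
}
```

The nonce has to be regenerated on every response and never cached with the page: a nonce that repeats across requests gives an attacker who can inject markup a value to copy, which defeats the point of `script-src` rejecting unlisted inline scripts. A quick check while converting templates is to load each page with the browser console open; every inline `<script>` that has not yet received the nonce shows up as a CSP violation there, which is exactly the survey the first comment asks for.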