Closed jbmoelker closed 4 years ago
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
:memo: Please visit https://cla.developers.google.com/ to sign.
Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.
ℹ️ Googlers: Go here for more info.
https://github.com/GoogleChromeLabs/proxx/pull/492#issuecomment-517982145 I signed the CLA. However I can't find if the email address I signed the CLA and the one I created the commit with are the same :-/ Will figure this out when I have more time.
The site is entirely static, and doesn't store any data that is exposed without these headers. Or am I missing something?
Can you summarise the issues this PR solves with PROXX?
Hi Jake, I think you are absolutely right that you can skip most of this for PROXX.
I think the only essential header is X-Frame-Options: SAMEORIGIN. This prevents someone from running the app in an iframe on, for example, proxxx.app and then clickjacking users.
The other header that might be good is Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. Though I think you are already setting HSTS via the Netlify admin panel. The only reason to put it here would be so that others using PROXX as a reference would copy the same best practice.
I'm happy to change the PR (or create a new one with my signed CLA account). But I also understand if you just want to close this PR.
> I think the only essential header is X-Frame-Options: SAMEORIGIN. This prevents someone from running the app in an iframe on, for example, proxxx.app and then clickjacking users.
I understand the risks of clickjacking for something like Amazon/Facebook, where clicks can result in buying something or changing users' settings, but it doesn't seem like such a big deal here.
I guess better safe than sorry though.
Just an FYI, the game was embedded on the chrome blog - I am not sure we want to limit iframes, but open to being told otherwise.
On Tue, 6 Aug 2019 at 17:33, Jake Archibald notifications@github.com wrote:
> I think the only essential header is X-Frame-Options: SAMEORIGIN. This prevents someone from running the app in an iframe on, for example, proxxx.app and then clickjacking users.
> I understand the risks of clickjacking for something like Amazon/Facebook, where clicks can result in buying something or changing users' settings, but it doesn't seem like such a big deal here.
> I guess better safe than sorry though.
Ohh well remembered
I guess it would be bad for the embed to fail, and this PR has limited benefits, so I'm closing it. Ping me if I should create a new one :) Oh, and keep making PROXX awesome!
This change configures response headers for basic security.
The following headers are configured (as explained by securityheaders.com):
Before:
source: https://securityheaders.com/?q=https%3A%2F%2Fproxx.app%2F&hide=on&followRedirects=on
After:
source: https://securityheaders.com/?q=https%3A%2F%2Fdeploy-preview-492--gravitongame.netlify.com%2F&hide=on&followRedirects=on
Note security could be tightened further by configuring Content Security Policy and Feature Policy.
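The thread above ends on a real tension: a framing restriction is the one header that would stop a look-alike site such as proxxx.app from clickjacking the game, but a blanket X-Frame-Options: SAMEORIGIN also breaks the legitimate embed on the Chrome blog. The Content Security Policy the PR description mentions as a further step resolves this, because its frame-ancestors directive takes an allow-list while X-Frame-Options does not (ALLOW-FROM is obsolete). The following is an added example written for this page; it is not code from the PROXX repository or from the PR. SITE_ORIGIN, EMBED_ORIGIN, the helper names and the "before" header set are all assumptions constructed for illustration, and the `_headers` rendering uses the Netlify file format (a path pattern followed by indented header lines) that a Netlify-hosted static site would use, without claiming that is how this PR was implemented.

```javascript
// Added example for this thread; not code from the PROXX repository or the PR.
// SITE_ORIGIN and EMBED_ORIGIN are assumed values, not taken from the thread.
const SITE_ORIGIN = 'https://proxx.app';
const EMBED_ORIGIN = 'https://blog.example.com'; // assumption: the blog that embeds the game

// Build response headers for a static site. allowedFrameAncestors lists the
// third-party origins that may embed the page; 'self' is always permitted.
function securityHeaders({ allowedFrameAncestors = [] } = {}) {
  const ancestors = ["'self'", ...allowedFrameAncestors].join(' ');
  const headers = {
    // frame-ancestors is the CSP replacement for X-Frame-Options and takes an
    // allow-list, so one trusted embed keeps working while other sites are refused.
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  // X-Frame-Options has no working allow-list, so it is only emitted when nobody
  // but the site itself may frame the page; browsers that understand
  // frame-ancestors ignore X-Frame-Options when both are present anyway.
  if (allowedFrameAncestors.length === 0) headers['X-Frame-Options'] = 'SAMEORIGIN';
  return headers;
}

// Render the headers in the Netlify `_headers` file format: a path pattern line
// followed by indented "Name: value" lines (assumed deployment target).
function toNetlifyHeadersFile(headers, path = '/*') {
  const lines = Object.entries(headers).map(([name, value]) => `  ${name}: ${value}`);
  return [path, ...lines].join('\n') + '\n';
}

// Extract the framing policy from a header set: the list of allowed ancestor
// sources, or null when nothing restricts framing at all.
function framingPolicy(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const csp = lower['content-security-policy'] || '';
  const match = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (match) return match[1].trim().split(/\s+/);
  const xfo = (lower['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return ["'none'"];
  if (xfo === 'SAMEORIGIN') return ["'self'"];
  return null;
}

// Decide whether a page served by SITE_ORIGIN with these headers may be framed
// by `origin`. Only exact origin matches are handled (no scheme/host wildcards).
function mayFrame(headers, origin) {
  const policy = framingPolicy(headers);
  if (policy === null) return true; // no header at all: anyone may frame the page
  if (policy.includes("'none'")) return false;
  if (policy.includes("'self'") && origin === SITE_ORIGIN) return true;
  return policy.includes(origin);
}

// Report which of the headers discussed in the thread are absent, in the spirit
// of the before/after securityheaders.com scan in the PR description.
const EXPECTED = ['Strict-Transport-Security', 'X-Content-Type-Options', 'Referrer-Policy'];
function missingHeaders(headers) {
  const present = new Set(Object.keys(headers).map((n) => n.toLowerCase()));
  const missing = EXPECTED.filter((n) => !present.has(n.toLowerCase()));
  if (framingPolicy(headers) === null) missing.push('frame-ancestors / X-Frame-Options');
  return missing;
}

// Constructed "before" state: a static host sending no security headers at all.
const BEFORE = { 'Content-Type': 'text/html; charset=utf-8' };
// "After": the headers the thread discusses, with the embedding origin allow-listed.
const AFTER = securityHeaders({ allowedFrameAncestors: [EMBED_ORIGIN] });

console.log(toNetlifyHeadersFile(AFTER));
console.log('missing before:', missingHeaders(BEFORE));
console.log('missing after:', missingHeaders(AFTER));
console.log('proxxx.app may frame after?', mayFrame(AFTER, 'https://proxxx.app'));
console.log('embed origin may frame after?', mayFrame(AFTER, EMBED_ORIGIN));
```

Run with `node` to print the generated `_headers` file and the two audits. Calling `securityHeaders()` with no ancestors gives the strict variant from the PR (X-Frame-Options: SAMEORIGIN plus frame-ancestors 'self'), which is the one that would have broken the blog embed; the allow-listed variant refuses proxxx.app while still letting the assumed embedding origin frame the game.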