Document Security Headers

[andynd]

Working for the current (3.9.3) are the following ones:

Strict-Transport-Security "max-age=63072000";
X-Frame-Options "sameorigin";
Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: ; connect-src 'self' wss://<instanz url>";

If you want previews from youtube etc, you'd need to extend frame-src to either a whitelist or a wildcard. If you want favicons for links, you'd need to extend img-src to either a whitelist or a wildcard. The wss:// might look like a repetition, but is needed until Apple fixes Safari: https://github.com/w3c/webappsec-csp/issues/7

This would protect (in so far that you could not use the attack to exfiltrate data to another origin, you could still inject scripts since we have to allow unsafe settings with the current release) you from XSS attacks like that one fixed in RocketChat/Rocket.Chat#19817

It would be very nice to improve from that and get ride of all "unsafe-inline", but that would need application support.

[Rodriq]

@andynd Please can you mention which part of the document is affected? Settings on messages are documented here https://docs.rocket.chat/guides/administration/admin-panel/settings/message Please be sure to reopen this issue if needed.

[andynd]

But the issue is about http headers, not message settings. In fact, this issue does not have any relation whatsoever to your linked guid.

[Rodriq]

But the issue is about http headers, not message settings. In fact, this issue does not have any relation whatsoever to your linked guid.

Thank you. Please I'd love to resolve this. can you provide some details that can help look into it?