Seravo / linux-tuki.fi

Public repository of Linux-tuki.fi website using the Seravo.com project template
GNU General Public License v3.0

Implement Content Security Policy #1

Open ottok opened 6 years ago

ottok commented 6 years ago

The Nginx headers could include Content Security Policy. We just need to research what the correct parameters to use are.

Learn:

Validate:

simoke commented 6 years ago

There are a few things to consider:

ottok commented 6 years ago

This is a single site, linux-tuki.fi. No need to consider any other sites/containers.

simoke commented 6 years ago

I've now tested with several, more and less strict policies; apparently using any policy causes images and other media content loads to be blocked, and with any browser. I'm going to investigate this more.

simoke commented 6 years ago

Tested with several variations:

add_header Content-Security-Policy "default-src 'self' *.linux-tuki.fi *.wp.seravo.com; media-src *; script-src *";
add_header Content-Security-Policy "default-src 'self' *.linux-tuki.fi *.fi.seravo.com https://google.com https://youtube.com https://facebook.com https://fonts.google.com https://fonts.googleapis.com https://ajax.googleapis.com https://www.google-analytics.com https://cdnjs.cloudflare.com https://code.jquery.com https://connect.facebook.net https://s.imgur.com https://imgur.com https://i.imgur.com https://500px.com https://drscdn.500px.org https://www.reddit.com https://www.flickr.com https://c1.staticflickr.com https://maxcdn.bootstrapcdn.com http://code.ionicframework.com https://cdn.fontawesome.com/;

Also the following lines were applied:

script-src 'self' *.linux-tuki.fi *.fi.seravo.com 'unsafe-inline';
style-src 'self' *.linux-tuki.fi *.fi.seravo.com;
img-src 'self' *.linux-tuki.fi *.fi.seravo.com data:;
connect-src 'self' *.linux-tuki.fi *.fi.seravo.com;
font-src 'self' *.linux-tuki.fi *.fi.seravo.com;
object-src 'none';
media-src 'self' *.linux-tuki.fi *.fi.seravo.com;
form-action 'self' *.linux-tuki.fi *.fi.seravo.com;
frame-ancestors 'self' *.linux-tuki.fi *.fi.seravo.com";

However, the site always refuses to load media content normally.
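An added example, not from this thread or the repository, that models how a browser picks the governing directive for a resource load under policies shaped like the ones above: an explicit fetch directive such as img-src or media-src replaces default-src entirely, so hosts listed only in default-src no longer apply to images or media once those directives are set. The two policies and the page origin are constructed for illustration.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src only when they are absent.
FALLBACK = {"img-src", "media-src", "script-src", "style-src", "font-src", "connect-src"}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    parts = [p.split() for p in header.split(";") if p.strip()]
    return {t[0].lower(): t[1:] for t in parts}

def governing_directive(policy, directive):
    """An explicit fetch directive replaces default-src entirely; sources never merge."""
    if directive in policy:
        return directive
    return "default-src" if directive in FALLBACK and "default-src" in policy else None

def source_matches(expr, url, page_origin):
    """Match one source expression ('self', *, scheme:, host with optional *. wildcard)."""
    u, p, e = urlparse(url), urlparse(page_origin), expr.lower()
    if e == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if e == "*":
        return u.scheme in ("http", "https")      # '*' matches network schemes only
    if e.endswith(":"):
        return u.scheme == e[:-1]                 # scheme source such as data: or https:
    if e.startswith("'") or not u.hostname:
        return False                              # 'none', 'unsafe-inline', nonces, hashes
    scheme, _, rest = e.rpartition("://")
    host = rest.split("/")[0].split(":")[0]       # path and port are ignored in this model
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])      # wildcard needs at least one extra label
    return u.hostname == host

def allowed(header, directive, url, page_origin="https://linux-tuki.fi"):
    """Return (governing directive or None, allowed) for loading url under directive."""
    policy = parse_csp(header)
    gov = governing_directive(policy, directive)
    if gov is None:
        return None, True                         # nothing in the policy restricts it
    return gov, any(source_matches(s, url, page_origin) for s in policy[gov])

# Constructed policies modelled on the ones in the thread (not the site's real config).
POLICY_A = "default-src 'self' *.linux-tuki.fi https://i.imgur.com; media-src *; script-src *"
POLICY_B = ("default-src 'self' *.linux-tuki.fi https://i.imgur.com; "
            "img-src 'self' *.linux-tuki.fi data:; media-src 'self' *.linux-tuki.fi")
```

Run `allowed(POLICY_B, "img-src", "https://i.imgur.com/a.png")` to see the image host that default-src permits being refused once img-src is present; the matcher is deliberately small and ignores path matching, ports and the http-to-https upgrade rule.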