douglasnaphas / madliberation

Mad lib Haggadahs.
Apache License 2.0

Add a Content Security Policy #81

Open douglasnaphas opened 5 years ago

douglasnaphas commented 5 years ago

Reference

  1. https://en.wikipedia.org/wiki/Content_Security_Policy
  2. https://medium.com/@tom.cook/edge-lambda-cloudfront-custom-headers-3d134a2c18a2
  3. https://codeburst.io/content-security-policy-with-amazon-cloudfront-part-1-5505feeaa75
  4. https://medium.com/@htayyar/content-security-policy-with-s3-cloudfront-cf7526889510
douglasnaphas commented 4 years ago

I switched to Content-Security-Policy-Report-Only (on csrfx.com, which I'm using to test out CSPs for passover.lol) because of these errors.

csrfx.com/:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YnlT5kJd8a5B5C/Wj/sJbSxbvWEdbHfK3AiPPMBAsAM='), or a nonce ('nonce-...') is required to enable inline execution.

csrfx.com/:1 Refused to load manifest from 'https://csrfx.com/manifest.json' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'manifest-src' was not explicitly set, so 'default-src' is used as a fallback.

douglasnaphas commented 4 years ago

Something like grep -o -E '<script>.*?</script>' build/index.html will be needed to get the contents of the inline script, so that I can hash it, so that I can use the CSP hash method for script sources.

douglasnaphas commented 4 years ago

Getting the base64-encoded SHA256 hash of the content of a script tag:

ggrep -o -P '(?<=<script>).*?(?=</script>)' build/index.html | tr -d '\n' | openssl dgst -binary -sha256 | base64

This:

$ echo -n 'var inline = 1;' | openssl dgst -binary -sha256 | base64
B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=

agrees with the example on this page of a hash-based script src.

Moreover, the error message for the latest contents of index.html in CSRFX gives the Base64-encoded SHA256 it is looking for, and this agrees with the command above.

(index):1 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-NjI3OTUzZTY0MjVkZjFhZTQxZTQyZmQ2OGZmYjA5NmQyYzViYmQ2MTFkNmM3N2NhZGMwODhmM2NjMDQwYjAwMwo='". Either the 'unsafe-inline' keyword, a hash ('sha256-YnlT5kJd8a5B5C/Wj/sJbSxbvWEdbHfK3AiPPMBAsAM='), or a nonce ('nonce-...') is required to enable inline execution.

ggrep -o -P '(?<=<script>).*?(?=</script>)' build/index.html | tr -d '\n' | openssl dgst -binary -sha256 | base64
YnlT5kJd8a5B5C/Wj/sJbSxbvWEdbHfK3AiPPMBAsAM=