freelawproject / free.law

The homepage for Free Law Project
https://free.law

Add content security policy headers to free.law #36

Open mlissner opened 4 years ago

mlissner commented 4 years ago

This isn't terribly hard, except that it means revisiting all our pages to make sure we don't use any <script> tags or inline JavaScript.

See more details here: https://infosec.mozilla.org/guidelines/web_security#content-security-policy

When the time comes to add them, we just need to tweak our existing Lambda@Edge distribution (in N.Virginia, which already adds a few other security headers for us).

mlissner commented 3 years ago

A researcher recently suggested that we add X-XSS-Protection headers, but MDN says we should add CSP headers instead and that X-XSS-Protection is outdated.

mlissner commented 3 years ago

I went ahead and added the X-XSS-Protection header. It's no harm, and it can only help. But I don't think it really matters, since we don't usually embed user-generated content on the site. The process to do it was to update the lambda function and to then deploy it to Lambda@Edge. Note that that is different than just deploying it.

mlissner commented 3 years ago

I took another brief pass at this today and came up with:

        Content-Security-Policy = "default-src 'self'; connect-src 'self' https://matomo.courtlistener.com; script-src 'self' https://matomo.courtlistener.com; img-src 'self' https://matomo.courtlistener.com; style-src 'self' https://matomo.courtlistener.com; frame-src 'self' *.youtube.com *.courtlistener.com *.legaltalknetwork.com; object-src 'none'"

But it didn't work. In Firefox, I got messages like:

The page’s settings blocked the loading of a resource at inline xyz

Which means Next.js uses inline stuff. There are guides about this, but I think they're going to amount to allowing inline JS. Since we're SSG anyway, I'm not sure much of this matters, but if somebody wants to take another stab at this, Netlify's deploy mode works nicely.