Closed KellerFuchs closed 8 years ago
@KellerFuchs This should resolve the following console errors, correct?
In Chrome 53:
The Content Security Policy directive 'sandbox' is ignored when delivered in a report-only policy. /#!:1
The Content Security Policy 'default-src 'none'; style-src https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com; img-src data:; script-src 'self'; sandbox allow-same-origin allow-scripts; frame-ancestors 'none'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
In Firefox 48:
Content Security Policy: Couldn't process unknown directive 'sandbox'(unknown)
Content Security Policy: This site (https://hashbang.sh) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy.
@alangshall Yep, the sandbox directive doesn't work in Report-Only mode.
No change compared to the working CSP-Report-Only that is currently deployed in production.
Somebody confirming that there is no violation reported in the browser console in Chrome/Chromium would be nice; I already tested with the Tor Browser (Firefox ESR).
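An added example, not part of the thread or the project's code: a small linter that flags the two report-only problems the console messages above describe, plus a helper that derives a report-only variant of a policy. The function names and the report endpoint are assumptions made for illustration; the policy string is the one quoted in the Chrome 53 message.

```javascript
// Parse a CSP string into a Map: directive name -> list of values.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return findings for the two report-only problems quoted in the thread.
// Policies sent in the enforcing header produce no findings here.
function lintCsp(headerName, policy) {
  const findings = [];
  if (headerName.toLowerCase() !== 'content-security-policy-report-only') return findings;
  const directives = parseCsp(policy);
  if (directives.has('sandbox')) findings.push('sandbox-ignored-in-report-only');
  if ((directives.get('report-uri') || []).length === 0) {
    findings.push('report-only-without-report-uri');
  }
  return findings;
}

// Derive a report-only variant: drop sandbox and set report-uri.
function toReportOnly(policy, reportUri) {
  const directives = parseCsp(policy);
  directives.delete('sandbox');
  directives.set('report-uri', [reportUri]);
  return [...directives].map(([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Policy copied from the Chrome 53 console message in this thread.
const POLICY = "default-src 'none'; style-src https://fonts.googleapis.com 'self'; " +
  "font-src https://fonts.gstatic.com; img-src data:; script-src 'self'; " +
  "sandbox allow-same-origin allow-scripts; frame-ancestors 'none'";
// Constructed placeholder endpoint, not a real collector.
const REPORT_URI = 'https://csp-report.example/collect';

console.log(lintCsp('Content-Security-Policy-Report-Only', POLICY));
console.log(toReportOnly(POLICY, REPORT_URI));
```
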