me-box / databox

Databox container manager and dashboard server
MIT License

Inject CSP headers into proxied UIs #31

Open yousefamar opened 7 years ago

yousefamar commented 7 years ago

As discussed on Skype: it seems like at some point (maybe when we weeded out http-proxy-middleware) CSP headers were no longer being injected into proxied UIs. It could also be that I took them out for debug and never put them back in (if it was in the LiveScript days, then the comments wouldn't have been compiled to JS).

So we'll need that again to guarantee that dashboard UIs don't request external resources client-side. IIRC, it should be enough to just set the default-src directive to 'self' for now, and then later on we can do fancier things like have the browser report attempted breaches back to the platform through the report-uri directive. That's kind of cool for papers too, since we would be using something that was designed for detecting bugs to instead enforce accountability.
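The injection described in this comment, as an added example that is not part of databox's own code: it builds the `default-src 'self'` policy (with a `report-uri`), injects it into a proxied response's header map so that an app's own, looser CSP cannot survive the proxy, and parses the JSON violation report a browser POSTs back. The `/csp-report` path, the `dashboard.example` origin and the sample report are constructed for illustration.

```javascript
'use strict';
// Added example (not databox's code): CSP injection for proxied dashboard UIs.

// Build a CSP header value from a directive map,
// e.g. { 'default-src': ["'self'"] } -> "default-src 'self'".
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// The policy proposed in the issue: every resource type restricted to the
// dashboard's own origin, violations reported to a hypothetical platform path.
const DEFAULT_POLICY = {
  'default-src': ["'self'"],
  'report-uri': ['/csp-report'],
};

// Inject the platform CSP into a header map such as the upstream response's
// headers in a proxy hook. Any CSP header the proxied UI sent (in any letter
// case) is dropped first, so an app cannot loosen the platform's policy.
function injectCsp(headers, policy = DEFAULT_POLICY) {
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'content-security-policy' ||
        lower === 'content-security-policy-report-only') {
      delete headers[name];
    }
  }
  headers['content-security-policy'] = buildCsp(policy);
  return headers;
}

// Connect/Express-style middleware for routes the dashboard serves itself.
// For proxied routes use injectCsp on the upstream headers instead, because a
// proxy that copies upstream headers onto `res` may replace a header set here.
function cspMiddleware(policy = DEFAULT_POLICY) {
  const value = buildCsp(policy);
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', value);
    next();
  };
}

// Parse the body a browser POSTs to report-uri ({"csp-report": {...}}) into
// the fields worth logging. Malformed input yields null rather than a throw,
// since this endpoint receives untrusted client input.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    document: r['document-uri'] || '',
    directive: r['violated-directive'] || r['effective-directive'] || '',
    blocked: r['blocked-uri'] || '',
  };
}

// Constructed sample report, shaped like a real report-uri POST body.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://dashboard.example/ui/some-app/',
    'violated-directive': 'default-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.example.net/tracker.js',
  },
});

// Run with `node` to see the injected header and a parsed report.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(injectCsp({ 'Content-Security-Policy': 'default-src *' }));
  console.log(parseCspReport(SAMPLE_REPORT));
}
```

Overwriting rather than merging the upstream header is deliberate: merging two CSP values gives the browser two policies that must both be satisfied, which is also safe, but the report-uri would then be ambiguous; replacing keeps the platform as the single policy owner.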

Toshbrown commented 7 years ago

I will do some investigation but I think with CSP we have to trust the browser, and I'm not sure I do ;-)