mozilla-services / location-leaderboard

A leaderboard service for Mozilla Geolocation Stumbling
Mozilla Public License 2.0
Add report-only CSP header #303

Closed g-k closed 7 years ago

g-k commented 7 years ago

Adds a report-only CSP header for #302.

The report URI doesn't exist yet, but we can add that at the load balancer or reverse proxy level.

To lock this down further in future PRs we can:

The header was generated by proxying through OWASP ZAP with the CSP helper addon to local and prod instances of location leaderboard, then manually simplifying the resulting header.

g-k commented 7 years ago

r? @jaredkerim

coveralls commented 7 years ago

Coverage remained the same at 100.0% when pulling e3155ca031588f28647f8a11360742e4d22c7c4a on g-k:add-csp into 3207bd42273a76bdffefc829eddfa321013cb0df on mozilla-services:master.

g-k commented 7 years ago

Actually, this might not work if the injected vars in the inline scripts change.

Probably want an upstream patch to use a CSP nonce or smarter hash-sources (refs: https://github.com/mozilla/django-csp/issues/48).

Edit: fixed with a810344 and verified the other snippet doesn't differ between local and prod environments, so a hash-source is OK there.
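An added example (not code from this PR or from django-csp) of why the hash-vs-nonce concern above matters: it computes the CSP hash-source for inline script bodies, shows that a snippet with an environment-specific injected value hashes differently in local and prod, and assembles a report-only header that uses a hash for the stable snippet and a per-response nonce for the variable one. The snippet bodies and the `/csp-report` path are constructed assumptions.

```python
import base64
import hashlib
import secrets

# Constructed inline script bodies (hypothetical): one that is identical in
# every environment, and one whose injected value differs local vs prod.
STATIC_SNIPPET = "window.LEADERBOARD_READY = true;"
LOCAL_SNIPPET = "window.API_BASE = 'http://localhost:8000';"
PROD_SNIPPET = "window.API_BASE = 'https://leaderboard.example.invalid';"


def hash_source(script_body):
    """CSP 'sha256-...' source for an inline script body. The digest covers
    the exact bytes inside <script>...</script>, so any injected value that
    changes between environments produces a different hash."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def make_nonce():
    """Fresh 128-bit nonce, base64-encoded, generated once per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def hashes_match_across_envs(local_body, prod_body):
    """True if a single hash-source would allow the snippet in both envs."""
    return hash_source(local_body) == hash_source(prod_body)


def build_report_only_header(report_uri, script_sources):
    """Assemble a Content-Security-Policy-Report-Only value: violations are
    sent to report_uri but nothing is blocked, so impact can be measured
    before the policy is enforced."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(["'self'"] + list(script_sources)),
        "report-uri " + report_uri,
    ]
    return "; ".join(directives)


if __name__ == "__main__":
    nonce = make_nonce()
    header = build_report_only_header(
        "/csp-report",  # assumed path; the PR notes the endpoint does not exist yet
        [hash_source(STATIC_SNIPPET), "'nonce-" + nonce + "'"],
    )
    print("Content-Security-Policy-Report-Only:", header)
    print("one hash covers both envs:", hashes_match_across_envs(LOCAL_SNIPPET, PROD_SNIPPET))
```

The server must emit the same nonce value in each `<script nonce="...">` tag of that response, which is what a per-request middleware or template context provides.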

coveralls commented 7 years ago

Coverage remained the same at 100.0% when pulling a8103447ce03f76e5c9621a8207655a8ee495e45 on g-k:add-csp into 3207bd42273a76bdffefc829eddfa321013cb0df on mozilla-services:master.

jaredlockhart commented 7 years ago

Looks really good to me! Thanks for this!