Open maxime-rainville opened 1 year ago
What would happen if you had defined CSP via this meta tag and e.g. via .htaccess or vhost config? Which takes precedence?
I think it definitely has to be configurable if we do include it by default. I also think it's a good thing to have, though would probably have to be disabled by default if not introduced in a major release. In the meantime adding documentation about it to our security best practices doc would be a good step.
Labelling as enhancement for now until/unless we rule out adding some code implementation.
We received a security report highlighting that a malicious user could potentially perform a Host header cache poisoning to cache a malicious value in the `<base>` tag. After analysis, we concluded that this behaviour would be a variation on a Request Hostname Forgery which we have historically considered to be server misconfiguration. While discussing the issue with the reporter, it was suggested that we should consider adding "base-uri" Content-Security-Policy to further mitigate this attack vector.
Read CSP: base-uri on Mozilla Dev Docs for more details.
The TLDR is:
In theory, we could add that meta tag by default and it should work in the vast majority of cases. Otherwise, we could encourage devs to enable it for themselves as a security best practice.
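As an added example (not code from this project or issue), the following Python check models what a CSP-enforcing browser would do with a poisoned `<base href>`: it collects every policy delivered for a response, whether via the `Content-Security-Policy` header or a `<meta http-equiv>` tag (browsers enforce all of them, so a base URL must satisfy each one), and reports whether the base would be honoured. The sample page, origin and forged host are constructed; source matching is deliberately simplified to `'none'`, `'self'` and host sources.

```python
import re
from urllib.parse import urlsplit

# Assumes http-equiv precedes content and attributes use double quotes.
META_RE = re.compile(r'<meta\s+[^>]*http-equiv\s*=\s*"?content-security-policy"?[^>]*content\s*=\s*"([^"]*)"', re.I)
BASE_RE = re.compile(r'<base\s+[^>]*href\s*=\s*"([^"]*)"', re.I)

def parse_csp(policy: str) -> dict:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; a repeated directive keeps its first value."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def collect_policies(headers: dict, html: str) -> list:
    """Every policy the browser would see: each CSP header (comma-joined allowed) plus each meta tag."""
    policies = []
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            policies.extend(parse_csp(p) for p in value.split(","))
    policies.extend(parse_csp(m) for m in META_RE.findall(html))
    return policies

def source_matches(source: str, base: str, page: str) -> bool:
    """Simplified matching: 'none', 'self' (exact origin) and [scheme://]host[:port] with a *. wildcard."""
    src = source.strip("'").lower()
    b, p = urlsplit(base), urlsplit(page)
    if src == "none":
        return False
    if src == "self":
        return (b.scheme, b.hostname, b.port) == (p.scheme, p.hostname, p.port)
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != b.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        return (b.hostname or "").endswith(host[1:])
    return b.hostname == host and (s.port is None or s.port == b.port)

def base_allowed(policies: list, base_href: str, page_url: str) -> bool:
    """A <base href> survives only if every delivered policy's base-uri permits it.
    A policy without base-uri imposes nothing (base-uri does not fall back to default-src)."""
    for policy in policies:
        sources = policy.get("base-uri")
        if sources is not None and not any(source_matches(s, base_href, page_url) for s in sources):
            return False
    return True

# Constructed sample: our origin, a forged <base> written by a poisoned Host header, CSP delivered via meta only.
PAGE = "https://www.example.com/"
POISONED_HTML = ('<html><head><meta http-equiv="Content-Security-Policy" content="base-uri \'self\'">'
                 '<base href="https://forged.example/"></head></html>')

def check(headers: dict, html: str, page_url: str = PAGE) -> bool:
    """True when the response's <base> (if any) would be honoured by a CSP-enforcing browser."""
    m = BASE_RE.search(html)
    return m is None or base_allowed(collect_policies(headers, html), m.group(1), page_url)
```

Running `check({}, POISONED_HTML)` returns False because the meta policy's `base-uri 'self'` rejects the forged host, while the same page without any base-uri directive would let the poisoned tag stand.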