silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License

Define a `base-uri` Content Security Policy meta tag #10655

Open maxime-rainville opened 1 year ago

maxime-rainville commented 1 year ago

We received a security report highlighting that a malicious user could potentially perform a Host header cache poisoning to cache a malicious value in the <base> tag. After analysis, we concluded that this behaviour would be a variation on a Request Hostname Forgery which we have historically considered to be server misconfiguration.

While discussing the issue with the reporter, it was suggested that we should consider adding "base-uri" Content-Security-Policy to further mitigate this attack vector.

Read CSP: base-uri on Mozilla Dev Docs for more details.

The TLDR is:

```html
<meta http-equiv="Content-Security-Policy" content="base-uri 'self'" />
<!--
   Because of the above meta tag, browsers will not honour the
   base tag if the page was not served from "https://evil-hacker.net/"
-->
<base href="https://evil-hacker.net/" />
```

In theory, we could add that meta tag by default and it should work in the vast majority of cases. Otherwise, we could encourage devs to enable it for themselves as a security best practice.

michalkleiner commented 1 year ago

What would happen if you had defined CSP via this meta tag and e.g. via .htaccess or vhost config? Which takes precedence?
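As an added example (not Silverstripe code and not part of this thread), the script below models how a browser decides whether to honour a `<base href>` under the `base-uri` directive, covering both the `'self'` case from the first comment and the precedence question above. Per the CSP spec every delivered policy is enforced independently, so when one policy arrives in a header and another in a meta tag, the base URL must be allowed by both; a meta tag can only tighten what a header already allows, never loosen it. The page URL, policy strings and hostnames are constructed sample values, and the source-expression matching is a simplification of the spec (no path matching, `*` treated as "any http(s) origin").

```python
"""Model of CSP base-uri enforcement across one or more policies.

Added example, not Silverstripe code. All URLs and policy strings below
are constructed for illustration.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def parse_base_uri(policy: str) -> Optional[List[str]]:
    """Return the source list of a policy's base-uri directive, or None
    when the policy carries no base-uri directive at all."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "base-uri":
            return [t.lower() for t in tokens[1:]]
    return None


def source_matches(expr: str, page_url: str, target: str) -> bool:
    """Does one CSP source expression permit `target` as a base URL
    for a document served from `page_url`? (simplified spec matching)"""
    page, tgt = urlsplit(page_url), urlsplit(target)
    if expr == "'none'":
        return False
    if expr == "'self'":
        # Same origin: scheme, host and port of the document itself.
        return (tgt.scheme, tgt.hostname, tgt.port) == (
            page.scheme, page.hostname, page.port)
    if expr == "*":
        return tgt.scheme in ("http", "https")  # simplification
    if expr.endswith(":") and "/" not in expr:
        # scheme-source, e.g. "https:"
        return tgt.scheme == expr[:-1]
    # host-source: [scheme://]host[:port], host may start with "*."
    host_expr = expr if "://" in expr else "//" + expr
    h = urlsplit(host_expr)
    if h.scheme and h.scheme != tgt.scheme:
        return False
    if h.port is not None and h.port != tgt.port:
        return False
    if h.hostname and h.hostname.startswith("*."):
        return bool(tgt.hostname) and tgt.hostname.endswith(h.hostname[1:])
    return tgt.hostname == h.hostname


def base_allowed(policies: List[str], page_url: str, base_href: str) -> bool:
    """True only if every policy that carries base-uri allows base_href.
    A policy without base-uri imposes no restriction on <base>, and an
    empty policy list is the browser default (any base href honoured)."""
    for policy in policies:
        sources = parse_base_uri(policy)
        if sources is None:
            continue
        if not any(source_matches(s, page_url, base_href) for s in sources):
            return False
    return True


# Constructed sample: the legitimate site and a forged base from a
# poisoned Host header.
PAGE = "https://www.example.com/page"
FORGED = "https://evil-hacker.net/"
CDN = "https://cdn.example.com/assets/"


def demo() -> dict:
    """Run the scenarios a reviewer would want to see side by side."""
    header_and_meta = ["base-uri 'self' https://cdn.example.com",  # header
                       "base-uri *"]                               # meta tag
    return {
        "no_policy_forged": base_allowed([], PAGE, FORGED),
        "meta_self_forged": base_allowed(["base-uri 'self'"], PAGE, FORGED),
        "meta_self_own_origin": base_allowed(["base-uri 'self'"], PAGE,
                                             "https://www.example.com/"),
        # A meta tag with "*" cannot relax the stricter header policy.
        "header_plus_meta_forged": base_allowed(header_and_meta, PAGE, FORGED),
        "header_plus_meta_cdn": base_allowed(header_and_meta, PAGE, CDN),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'honoured' if ok else 'blocked'}")
```

Run it as a script to see each scenario labelled honoured or blocked; `base_allowed` is the function to reuse if you want to check a site's actual header and meta policies against a forged hostname.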

GuySartorelli commented 1 year ago

I think it definitely has to be configurable if we do include it by default. I also think it's a good thing to have, though would probably have to be disabled by default if not introduced in a major release. In the meantime adding documentation about it to our security best practices doc would be a good step.

GuySartorelli commented 1 year ago

Labelling as enhancement for now until/unless we rule out adding some code implementation.