swaponline / MultiCurrencyWallet

Bitcoin, Ethereum, ERC20 crypto wallets with 0x and atomic swap exchange.
https://swaponline.github.io
MIT License
491 stars, 497 forks

Content Security Policy #2570

Open vladiuz1 opened 4 years ago

vladiuz1 commented 4 years ago
  1. Job. What we need to do in order to implement this feature.

Steps: we need to set the HTML header

```html
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self' 'unsafe-inline' data:"
>
```

to tighten XSS security of swaponline.

Before we can do this, we need to make sure all .js, fonts and images are hosted within the default domain name, and not on various CDNs.

  2. Purpose. What is this feature intended to resolve?

a) Clients' benefits

  - No remotely hosted scripts. Higher security.
  - It will tighten security against possible XSS attacks, at least on modern browsers, which are the vast majority of users anyway.

b) Our benefits

  - Clients' benefits = our benefits.
  - Another benefit: swaponline looks bad without this policy in the eyes of security researchers.

  3. Where. a) What part of our tech resources this feature affects (back, front etc.): front. b) Where will we implement this feature (project, space etc.)

  4. Estimated time of implementation of this feature: 3 hours.

  5. Evidences.

noxonsu commented 4 years ago

For now I suggest simply listing everything that is there, and then gradually moving things over. For now this is what we get:

```
object-src data: 'unsafe-eval' swaponline.github.io;style-src 'self' 'unsafe-inline' *.fontawesome.com *.cloudflare.com *.googleapis.com *.bootstrapcdn.com;script-src 'self' 'unsafe-inline' apis.google.com mc.yandex.ru googletagmanager.com unpkg.com apis.google.com;img-src 'self' data:;default-src 'self' insight.litecore.io *.infura.io insight.bitpay.com *.swaponline.site swaponline.github.io unpkg.com fonts.gstatic.com stackpath.bootstrapcdn.com cdnjs.cloudflare.com *.fontawesome.com *.swaponline.io *.googleapis.com *.blockcypher.com *.api.etherscan.io
```
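As an added example (not from this issue thread or the swaponline code base): a small Node.js checker that takes a CSP string plus the list of resource URLs a page loads, and reports which loads the policy would block and under which directive. It serves both the tightened `default-src 'self' 'unsafe-inline' data:` target in the issue description and the interim host allowlist in the comment above: running it over the assets the wallet actually loads gives the list of hosts that still need a ticket. The page origin, the sample policy and the sample URLs are constructed for the example and are not the project's real asset list.

```javascript
// Added example (not from the swaponline repository): report which of a
// page's resource loads a Content-Security-Policy would block.
// Handles 'self', 'none', scheme sources (data:, https:) and host sources
// with optional scheme, port and a leading "*." wildcard. Keyword sources such
// as 'unsafe-inline' never match a URL and are skipped; nonce/hash sources and
// path matching are out of scope.

const PAGE_ORIGIN = "https://swaponline.github.io"; // assumed page origin

// Fetch directive consulted per load type; a missing directive falls back to default-src.
const DIRECTIVE_FOR_TYPE = {
  script: "script-src", style: "style-src", img: "img-src",
  font: "font-src", connect: "connect-src", object: "object-src",
};

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.infura.io" -> ".infura.io"; subdomains only, not the apex
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one CSP source expression allow the given URL object?
function sourceMatches(source, url, pageOrigin) {
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', 'nonce-…', 'sha256-…'
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
  // host-source: [scheme "://"] host [":" port] [path]  (path is parsed but ignored here)
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme the URL must use the page's scheme (an http page also accepts https).
  const schemeOk = scheme
    ? url.protocol === scheme + ":"
    : url.protocol === page.protocol || (page.protocol === "http:" && url.protocol === "https:");
  if (!schemeOk || !hostMatches(host, url.hostname)) return false;
  if (port && port !== "*") {
    const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
    if (urlPort !== port) return false;
  }
  return true;
}

// For each load: which directive governs it and whether the policy allows it.
function checkLoads(policy, loads, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  return loads.map(({ type, url }) => {
    const wanted = DIRECTIVE_FOR_TYPE[type] || "default-src";
    const directive = directives.has(wanted) ? wanted : "default-src";
    const sources = directives.get(directive) || []; // no default-src at all: nothing is allowed
    const parsed = new URL(url);
    return { type, url, directive, allowed: sources.some((s) => sourceMatches(s, parsed, pageOrigin)) };
  });
}

// Distinct hosts that still need to be self-hosted or explicitly allowlisted.
function blockedHosts(policy, loads, pageOrigin = PAGE_ORIGIN) {
  const hosts = new Set();
  for (const r of checkLoads(policy, loads, pageOrigin)) {
    if (!r.allowed) hosts.add(new URL(r.url).host || r.url.split(":")[0] + ":");
  }
  return [...hosts].sort();
}

// Constructed sample: an interim allowlist in the style of the thread, and a
// few loads a wallet page might make (URLs are made up for the example).
const SAMPLE_POLICY = [
  "default-src 'self' insight.bitpay.com *.infura.io *.blockcypher.com",
  "script-src 'self' 'unsafe-inline' mc.yandex.ru unpkg.com",
  "style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com",
  "img-src 'self' data:",
].join("; ");

const SAMPLE_LOADS = [
  { type: "script",  url: "https://swaponline.github.io/static/app.js" },
  { type: "script",  url: "https://unpkg.com/web3@1.2.0/dist/web3.min.js" },
  { type: "script",  url: "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js" },
  { type: "style",   url: "https://fonts.googleapis.com/css?family=Roboto" },
  { type: "font",    url: "https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxK.woff2" },
  { type: "img",     url: "data:image/png;base64,iVBORw0KGgo=" },
  { type: "connect", url: "https://insight.bitpay.com/api/addr/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2" },
  { type: "connect", url: "https://mainnet.infura.io/v3/PROJECT_ID" },
];

const TIGHT_POLICY = "default-src 'self' 'unsafe-inline' data:"; // the target from the issue

for (const r of checkLoads(SAMPLE_POLICY, SAMPLE_LOADS)) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.directive.padEnd(11)} ${r.url}`);
}
console.log("interim policy, hosts to migrate:", blockedHosts(SAMPLE_POLICY, SAMPLE_LOADS));
console.log("target policy,  hosts to migrate:", blockedHosts(TIGHT_POLICY, SAMPLE_LOADS));
```

Two points the output makes visible: a font load is governed by `default-src` because the sample policy has no `font-src`, so a host allowed only under `style-src` does not help it; and a `script-src` directive, once present, is not topped up from `default-src`, so `cdnjs.cloudflare.com` is blocked for scripts even though it appears in the interim `default-src` above.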

vladiuz1 commented 4 years ago

Then we need to create tickets for every mentioned domain name, to get rid of the remote hosts one by one, so we can keep track of the progress.

For the others we can create our own trusted domain that will proxy requests to all the necessary hosts (to bitpay, for example) and filter all unexpected requests. So if someone requests an unexpected endpoint on bitpay, our proxy will refuse such connections.

But for sure the above is a good start.