taskcluster / taskcluster-tools

Tools for debugging, inspecting and managing Taskcluster
https://tools.taskcluster.net/
Mozilla Public License 2.0

Bug 1441832 - Add form-action and base-uri to CSP rules #570

Closed helfi92 closed 6 years ago

helfi92 commented 6 years ago

CSP: base-uri

We don't seem to make use of the base tag so we can add base-uri 'none' in our CSP rules. The generated index.html after a build shows:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta content="ie=edge" http-equiv="x-ua-compatible">
<meta name="description" content="A collection of tools for Taskcluster components and elements in the
                Taskcluster ecosystem. Here you'll find tools to manage
                Taskcluster services as well as run, debug, inspect, and view tasks, task groups,
                and other Taskcluster related entities.">
<meta name="author" content="Taskcluster">
<title>Taskcluster</title>
<meta content="width=device-width,initial-scale=1" name="viewport">
<link href="/index.b9ec9f27fa848ae9cea54954892eb073.css" rel="stylesheet"/>
</head>
<body>
<div id="root">
</div>
<script src="/runtime.6b17f7b8acc17981bfde.v1.js" type="text/javascript"></script>
<script src="/vendor.14cd42690447ff5ce934.v1.js" type="text/javascript"></script>
<script src="/index.f55880b24bc0d4c01012.v1.js" type="text/javascript"></script>
</body>
</html>

CSP: form-action

When a form is submitted, we always do e.preventDefault so I think it's safe to add form-action 'none' to our CSP rules.
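As an added example that is not code from the taskcluster-tools repo, a small JavaScript checker that parses a Content-Security-Policy header the way a browser does (first occurrence of a directive wins) and reports the state of base-uri and form-action, which do not fall back to default-src; the two policy strings are constructed for illustration:

```javascript
// Added example, not taskcluster-tools code. Parses a CSP header and reports
// the state of the two directives this PR adds. Sample policies are constructed.

// Parse "dir a b; dir2 c" into a Map of directive -> source list.
// Browsers ignore a repeated directive; the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// base-uri and form-action do not inherit from default-src, so a policy
// that omits them leaves <base href> rewriting and form submission targets
// unrestricted even when every fetch directive is locked to 'self'.
function auditCsp(header) {
  const policy = parseCsp(header);
  const report = {};
  for (const directive of ['base-uri', 'form-action']) {
    const sources = policy.get(directive);
    if (sources === undefined) {
      report[directive] = 'missing';
    } else if (sources.length === 0 ||
               (sources.length === 1 && sources[0].toLowerCase() === "'none'")) {
      // An empty source list matches nothing, the same effect as 'none'.
      report[directive] = 'none';
    } else if (sources.includes('*')) {
      report[directive] = 'wildcard';
    } else {
      report[directive] = `restricted to ${sources.join(' ')}`;
    }
  }
  return report;
}

// Constructed policies standing in for the app's policy before and after this change.
const CSP_BEFORE = "default-src 'self'; script-src 'self'; style-src 'self'";
const CSP_AFTER = `${CSP_BEFORE}; base-uri 'none'; form-action 'none'`;

console.log(auditCsp(CSP_BEFORE)); // { 'base-uri': 'missing', 'form-action': 'missing' }
console.log(auditCsp(CSP_AFTER));  // { 'base-uri': 'none', 'form-action': 'none' }
```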

helfi92 commented 6 years ago

I will merge this tomorrow morning.