
Feature Request: Enforce a Content Security Policy (CSP) #1036

Open
wrongecho opened this issue Sep 7, 2024 · 1 comment
Assignees: wrongecho (self-assigned)
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@wrongecho (Collaborator)

Content Security Policies tell the browser to restrict where resources, like JavaScript, are loaded from. They are a good defense against cross-site scripting (XSS) attacks.

We should try to move towards a CSP of at least default-src 'self'. Ideally adding object-src 'none', but these would require that we don't use JavaScript inline, but load it properly via scripts with hashing/nonces.

https://content-security-policy.com/faq/
https://content-security-policy.com/strict-dynamic/
https://content-security-policy.com/nonce/

Until we can add this as part of the header includes, we'll have to track individual pages that can and can't have CSP applied:

General (main app)

Client Portal

  • Added to a few pages: index, invoices, login, profile, tickets

Guest Views

Misc
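As an added example (not ITFlow's own code), here is how the nonce-based policy described above could be emitted from a PHP page: a per-request nonce is generated, a strict CSP header built from `default-src 'self'`, `object-src 'none'` and a nonced `script-src` is sent before any output, and inline scripts carry the nonce so they remain allowed. The function names, the `Content-Security-Policy-Report-Only` staging flag and the `/js/app.js` path are illustrative assumptions, not part of the project.

```php
<?php
// Added example, not ITFlow's code. Function names and paths are assumptions.
declare(strict_types=1);

// 128 bits from the CSPRNG, base64-encoded: the form browsers expect in 'nonce-...'.
// A fresh value per response is what makes a nonce unguessable to injected markup.
function csp_generate_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// Compose the policy. default-src 'self' and object-src 'none' are the targets named
// in the issue; script-src allows only scripts carrying this request's nonce.
// 'strict-dynamic' lets a nonced script load its own dependencies (editors such as
// TinyMCE inject scripts at runtime), and makes browsers that support it ignore 'self'
// for script-src, so even same-origin script files need the nonce attribute.
function csp_build_policy(string $nonce): string
{
    $directives = [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ];
    return implode('; ', $directives);
}

// Send the header. While a page is still being audited, use the Report-Only
// variant so violations show up in the browser console without breaking anything.
function csp_send_header(string $nonce, bool $reportOnly = false): void
{
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . csp_build_policy($nonce));
}

// At the top of a page, before any output:
$cspNonce = csp_generate_nonce();
csp_send_header($cspNonce, true); // pass false once the page has no violations
?>
<!-- Inline script with the nonce is allowed; inline script without it is blocked. -->
<script nonce="<?= htmlspecialchars($cspNonce, ENT_QUOTES, 'UTF-8') ?>">
    console.log('allowed by nonce');
</script>
<!-- Same-origin script file, nonced because 'strict-dynamic' disregards 'self'. -->
<script src="/js/app.js" nonce="<?= htmlspecialchars($cspNonce, ENT_QUOTES, 'UTF-8') ?>"></script>
```

Inline event handlers (`onclick="..."`) and `javascript:` URLs stay blocked under this policy regardless of the nonce, which is the main source of breakage when retrofitting a CSP; they have to move into a nonced script that attaches listeners with `addEventListener`. Running pages in Report-Only mode first surfaces those spots before enforcement.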

@wrongecho wrongecho self-assigned this Sep 7, 2024
@wrongecho wrongecho added enhancement New feature or request help wanted Extra attention is needed labels Sep 7, 2024
@wrongecho (Collaborator, Author)

Bumping this from Project board to an issue. Would appreciate any help with this.
Have started on some specific client portal pages but this seems to break things like TinyMCE.

It'd be fantastic (but probably a lot of work) to get this implemented in the main ITFlow app.

Development

No branches or pull requests

1 participant