-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate CSP directives #325
Comments
|
This is related to #79 |
Sites that check CSP: |
First step is to test for 'unsafe-inline'. See also: https://en.internet.nl/article/x-xss-protection-removed-and-improvement-for-no-mx-domains/ |
For the first step decide if |
New checks include:
If the header does not comply with the above, it is not considered securely configured. |
Great that this is implmented. Few questions:
Below a citation from the DigiD audit norm:
|
|
Thanks. Regarding your 2nd answer: Ok, clear. The DigiD audit norm states that the following should not be used, which confused me:
EN (translated)
Is the following addition correct?
-->
In the CSP spec I read:
The DigiD audit norm does not 'forbid' Are there any other CSP settings that you would have expected to be prescribed by the DigiD audit norm? |
|
ad 1. Yep
|
On second thought I am not sure about For the wildcard localhost I would say only for the |
Ad 2: Ok. So we also syntactically check the CSP record. Is that a full syntax check? Btw this evaluation tool is interesting to have a look at: https://csp-evaluator.withgoogle.com/ |
|
I realize that "2. Yes" above is not clear :) |
Ad 2: Okay |
3: It's not very clear to me. I read that as "Define script-src and object-src or default-src. And btw don't include 'unsafe-inline', or data: in your policies.". But I can see how you can also interpret it your way. I can make the change to check those 3 for data:. 4a: Yes, only for those 3 directives. We don't give a warning, we fail the test which happens to be a warning. 4b: Localhost seems like a configuration error or something really specific for some sources. Although it seems logical I don't have enough evidence to suggest it shouldn't be there. |
Ad 3: I am not sure yet. MDN says the following:
source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src Is it consistent with the interpretation of the spec to only test Ad 4a: Ok Ad 4b: Ok |
Btw, I am not sure if we want to go an extra step (with |
Yes, let's go for the extra step. We mostly follow the DigiD guideline, but also keep thinking ourselves :-). I plan to give our additions as feedback to DigiD. So:
Okay? Three additional questions:
|
|
Btw I also ran into the following scanner which is quite restrictive: https://cspscanner.com/ |
Some remarks:
|
Thanks, I just updated content in EN and NL accordingly. |
Feedback that I received: Shouldn't we also check for |
Not sure.
I don't think it is a straight forward decision. In that case we would need at least one of them. But for sites that already have only https sources both of those options don't make sense. Having just the scheme |
Here I read that I believe |
Yes, we check that all sources need to go over https. So requiring |
|
|
|
|
|
OK change already live on dev. With this then I believe CSP is done. |
Yes, thanks. I will update content. |
By the way, There's also a new |
Solid point @thestinger After a quick discussion about this: It seems all navigation directives don't fallback. Also other CSP checkers didn't suggest/mention anything about them so it went under the radar. They could be included in a future release as directives that need to be there because they don't fallback. I suggest we start rejecting on form-action and base-uri starting 1.5 and advising on navigate-to as soon as it’s not a draft any more. For base-uri I would guess it is easy to suggest 'self'; in the results. For form-action maybe 'self'/'none' + any other domain (same as frame-ancestors)? @thestinger what do you think about the above? |
(and @thestinger perhaps best to open a new issue for this one?) |
|
The reason that certain things don't fall back is because they were added in CSP v2 (base-uri, form-action) and now CSP v3 (navigate-to). They couldn't break compatibility with CSP 1 with It's important for |
Check that at least the bare minimum sane CSP directives are configured.
This also means that internet.nl's configuration needs to comply with this.
The text was updated successfully, but these errors were encountered: