Feature #87420

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate signatures for Stylesheet and JavaScript resources

Added by Oliver Hader 8 months ago. Updated 8 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2019-01-13
Due date:
% Done:

0%

PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to ensure that Stylesheets and JavaScripts resources are integrated without being compromised, according signatures have to be added:

Documentation:

For static files

Example

<script src="https://example.com/example-framework.js" 
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
        crossorigin="anonymous"></script>

This step also requires that signatures have to be generated every time the source code is modified in Git commits. Dynamically generating signatures does not make sense since that would just sign compromised data as well. The "trust aspect" is still target to be defined here - in terms of "how to verify that signatures are not compromised".

For ("unsafe") inline assignments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Example

Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c">
  var inline = 1;
</script>

History

#1 Updated by Oliver Hader 8 months ago

  • Description updated (diff)

#2 Updated by Oliver Hader 8 months ago

  • Assignee deleted (Oliver Hader)

Also available in: Atom PDF