Feature #87420

Epic #87417: Integrate proper Content Security Policy (CSP) handling

Integrate signatures for Stylesheet and JavaScript resources

Added by Oliver Hader 10 months ago. Updated 10 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Security
Start date:
2019-01-13
Due date:
% Done:

0%

PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

In order to ensure that Stylesheets and JavaScripts resources are integrated without being compromised, according signatures have to be added:

Documentation:

For static files

Example

<script src="https://example.com/example-framework.js" 
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" 
        crossorigin="anonymous"></script>

This step also requires that signatures have to be generated every time the source code is modified in Git commits. Dynamically generating signatures does not make sense since that would just sign compromised data as well. The "trust aspect" is still target to be defined here - in terms of "how to verify that signatures are not compromised".

For ("unsafe") inline assignments

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Example

Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c">
  var inline = 1;
</script>

History

#1 Updated by Oliver Hader 10 months ago

  • Description updated (diff)

#2 Updated by Oliver Hader 10 months ago

  • Assignee deleted (Oliver Hader)

Also available in: Atom PDF