Feature #87420
Epic #87417 (closed): Integrate proper Content Security Policy (CSP) handling
Integrate signatures for Stylesheet and JavaScript resources
Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Security
Target version:
Start date:
2019-01-13
Due date:
% Done:
0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
To ensure that stylesheet and JavaScript resources are loaded without having been tampered with, corresponding integrity signatures have to be added:
Documentation:
- https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
For static files
Example
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
This step also requires that signatures are regenerated every time the source code is modified in a Git commit. Generating signatures dynamically at request time does not make sense, since that would simply sign already compromised data as well. The "trust aspect" still has to be defined here, in terms of how to verify that the signatures themselves have not been compromised.
For ("unsafe") inline assignments
Example
Content-Security-Policy: script-src 'nonce-2726c7f26c'
<script nonce="2726c7f26c"> var inline = 1; </script>
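As an added worked example (not TYPO3 code and not from this ticket), the following Python covers both halves of the description: computing and checking an SRI `integrity` value for a built asset the way a browser does, and issuing a fresh CSP nonce per response that is shared by the `Content-Security-Policy` header and the inline `<script>` tag. The asset bytes, the script URL and the function names are constructed for the example.

```python
"""Added example (not TYPO3 code): SRI digests for static assets and a
per-response CSP nonce for inline scripts."""
import base64
import hashlib
import html
import secrets

# Constructed sample asset standing in for a built JavaScript bundle.
SAMPLE_ASSET = b"(function(){window.exampleFramework={version:'1.0'};})();\n"

# Algorithms browsers accept for SRI, weakest to strongest.
SUPPORTED_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return an `integrity` attribute value: "<alg>-<base64 of raw digest>".
    This is what `openssl dgst -sha384 -binary FILE | openssl base64 -A`
    produces, and it is meant to run at build/commit time, not per request."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    raw = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check fetched content against an integrity attribute as a browser does:
    several space-separated tokens are allowed, the strongest supported
    algorithm decides, and any matching digest for that algorithm passes."""
    by_alg: dict[str, list[str]] = {}
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in SUPPORTED_ALGORITHMS and b64:
            by_alg.setdefault(alg, []).append(b64)
    if not by_alg:
        return False  # no usable token: treat as a failed check
    strongest = max(by_alg, key=SUPPORTED_ALGORITHMS.index)
    actual = sri_digest(content, strongest).partition("-")[2]
    return any(secrets.compare_digest(actual, b) for b in by_alg[strongest])


def script_tag(src: str, integrity: str) -> str:
    """Render the <script> tag from the static-file example above."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{html.escape(integrity, quote=True)}" '
            f'crossorigin="anonymous"></script>')


def new_nonce() -> str:
    """A fresh 128-bit nonce, generated once per HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def inline_script_response(code: str) -> tuple:
    """Return (CSP header value, inline <script> tag) sharing one nonce.
    `code` is developer-authored script text, never user-supplied data."""
    nonce = new_nonce()
    header = f"script-src 'nonce-{nonce}'"
    tag = f'<script nonce="{nonce}">{code}</script>'
    return header, tag


if __name__ == "__main__":
    digest = sri_digest(SAMPLE_ASSET)
    print(script_tag("https://example.com/example-framework.js", digest))
    print("unmodified asset passes:", sri_matches(SAMPLE_ASSET, digest))
    print("modified asset passes:", sri_matches(SAMPLE_ASSET + b"//", digest))
    header, tag = inline_script_response("var inline = 1;")
    print("Content-Security-Policy:", header)
    print(tag)
```

The digest is tied to the committed asset bytes, so it only has to be recomputed when those bytes change, which is the Git-commit step the description calls for; the nonce, by contrast, must differ on every response, otherwise an attacker who learns one value can reuse it.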