Verify the CSP header #1

gjedeer · 2016-12-12T17:35:21Z

Another thing which the add-on has to check is the CSP header. Because if it does not validate it too, JS could just be added as inline-code. And the add-on has to make sure that all script tags have an integrity attribute (could be done with PrivateBin/PrivateBin#82 if implemented).

rugk · 2016-12-12T19:42:44Z

I'd say we split this issue. This here for the CSP header detection and I'll create a new one for the forced integrity attribute verification.

rugk · 2016-12-12T20:06:54Z

What must be verified:

that script-src is given and it only allows 'self'
OR (less restrictive) that script-src must not include any unsafe-* value

All other things are as I see it optional security enhancements by the web admin and should not jeopardize the JS security.

rugk mentioned this issue Dec 12, 2016

Check whether all JS loaded have integrity attributes #6

Open

rugk changed the title ~~Check is the CSP header~~ Verify the CSP header Dec 12, 2016

rugk added this to the first beta milestone Dec 12, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verify the CSP header #1

Verify the CSP header #1

gjedeer commented Dec 12, 2016 •

edited by rugk

Loading

rugk commented Dec 12, 2016

rugk commented Dec 12, 2016

Verify the CSP header #1

Verify the CSP header #1

Comments

gjedeer commented Dec 12, 2016 • edited by rugk Loading

rugk commented Dec 12, 2016

rugk commented Dec 12, 2016

gjedeer commented Dec 12, 2016 •

edited by rugk

Loading