Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
Now that BridgeDB uses a tiny bit of JavaScript on the https://bridges.torproject.org/bridges page (to display the QR code and to select all the bridge lines), we should consider adding a "Content-Security-Policy" (CSP) HTTP header to responses from BridgeDB's HTTP(S) server.
While the XSS attack surface of BridgeDB is essentially non-existent, the concern is instead that a malicious bridge could specify something like the following in the Pluggable Transport arguments of its extrainfo descriptor:
transport obfs4 1.1.1.1:1111 evil=<script>[…]</script>
If BridgeDB added the CSP HTTP header:
Content-Security-Policy: default-src 'none'; base-uri https://bridges.torproject.org; script-src https://bridges.torproject.org; style-src https://bridges.torproject.org; img-src https://bridges.torproject.org data:; font-src https://bridges.torproject.org; frame-options 'deny';
Then inline JavaScript, inline CSS (CSS3, when combined with HTML5, is Turing-complete), and the loading of fonts, images, blobs, scripts and essentially every other type of content from external sources (i.e. anything other than https://bridges.torproject.org) would all be blocked. The only downside appears to be that CSP is not implemented in IE before IE10 (which apparently has only limited support), so all of BridgeDB's users running IE6 and IE7 on Windows XP boxes in China (there are a lot of these boxes in China) could still be attacked.
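The following is an added example, not BridgeDB's own code, showing how the proposed policy could be built as a header value and then checked against the threat described above: a bridge line carrying an inline <script> and a script reference to a third-party host. Two assumptions: the policy is expressed as a plain dict so each directive can be inspected, and the draft directive `frame-options 'deny'` from the ticket is written as the standardized `frame-ancestors 'none'`, since `frame-options` never shipped in browsers (the separate `X-Frame-Options: DENY` header covers the same ground for older ones). Source matching here is deliberately simplified (origins, scheme sources, 'none', '*', 'unsafe-inline'); nonces, hashes and host wildcards are not modelled.

```python
"""Build and sanity-check a CSP header for a BridgeDB-style HTTPS distributor.

Added example; not part of BridgeDB. The policy dict below mirrors the header
proposed in the ticket, with frame-ancestors standing in for the draft
'frame-options' directive (assumption about the author's intent).
"""
import html
from urllib.parse import urlsplit

ORIGIN = "https://bridges.torproject.org"  # the only origin the page may load from

POLICY = {
    "default-src": ["'none'"],
    "base-uri": [ORIGIN],
    "script-src": [ORIGIN],
    "style-src": [ORIGIN],
    "img-src": [ORIGIN, "data:"],  # data: so the QR code can be an inline image
    "font-src": [ORIGIN],
    "frame-ancestors": ["'none'"],  # forbid framing (replaces frame-options 'deny')
}

# Directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src",
}


def build_csp(policy=POLICY):
    """Serialise a directive dict into a header value ('; '-separated)."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())


def parse_csp(header):
    """Parse a CSP header value back into {directive: [sources]}."""
    parsed = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def effective_sources(policy, directive):
    """Resolve the source list that governs `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", ["*"])  # no policy at all means everything is allowed
    return ["*"]


def allows_inline(policy, directive):
    """Inline <script> or <style> content only runs if 'unsafe-inline' is granted."""
    return "'unsafe-inline'" in effective_sources(policy, directive)


def allows_source(policy, directive, url):
    """Return True if `directive` permits fetching `url` (simplified matching)."""
    sources = effective_sources(policy, directive)
    if not sources or sources == ["'none'"]:
        return False
    target = urlsplit(url)
    for src in sources:
        if src == "*":
            return True
        if src.endswith(":") and target.scheme == src[:-1]:  # scheme source, e.g. data:
            return True
        origin = urlsplit(src)
        if origin.scheme and origin.scheme == target.scheme and origin.netloc == target.netloc:
            return True
    return False


# Constructed sample of the hostile extrainfo transport line from the ticket.
HOSTILE_PT_LINE = "transport obfs4 1.1.1.1:1111 evil=<script>[...]</script>"


def render_bridge_line(line):
    """Defence in depth: escape bridge lines before they reach the HTML, CSP or not."""
    return html.escape(line, quote=True)


if __name__ == "__main__":
    header = build_csp()
    policy = parse_csp(header)
    print("Content-Security-Policy:", header)
    print("inline script allowed:", allows_inline(policy, "script-src"))
    print("third-party script allowed:", allows_source(policy, "script-src", "https://third-party.example/x.js"))
    print("same-origin script allowed:", allows_source(policy, "script-src", ORIGIN + "/assets/qrcode.js"))
    print("escaped bridge line:", render_bridge_line(HOSTILE_PT_LINE))
```

Running the module prints the header and shows that, under this policy, neither the inline script nor a script from any other host would execute, while the QR-code script and a data: image from the distributor's own origin still load; connect-src and similar directives that the header does not name inherit default-src 'none', which is worth remembering if the page ever gains an XHR call.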