Changes between Initial Version and Version 1 of Ticket #15968


Timestamp:
May 9, 2015, 5:14:26 AM
Author:
isis
Comment:

  • Ticket #15968 – Description (initial → v1)

    Unmodified:
      If BridgeDB added the CSP HTTP header:
      {{{
    Removed (initial):
      Content-Security-Policy: default-src 'self'
    Added (v1):
      Content-Security-Policy: default-src 'none'; base-uri https://bridges.torproject.org; script-src https://bridges.torproject.org; style-src https://bridges.torproject.org; img-src https://bridges.torproject.org data:; font-src https://bridges.torproject.org; frame-options 'deny';
    Unmodified:
      }}}

    Removed (initial):
      Then inline JavaScript, inline CSS (CSS3, when combined with HTML5, is Turing-complete), and loading of fonts, images, blobs, scripts and basically every other type of content from external sources (i.e. everything other than https://bridges.torproject.org), would all be disabled. The only downside appears to be that CSP is not implemented in IE, so all BridgeDB's users running IE6 and IE7 on Windows XP boxes in China (there are ''a lot'' of these boxes in China) could still be attacked.
    Added (v1):
      Then inline JavaScript, inline CSS (CSS3, when combined with HTML5, is Turing-complete), and loading of fonts, images, blobs, scripts and basically every other type of content from external sources (i.e. everything other than https://bridges.torproject.org), would all be disabled. The only downside appears to be that CSP is not implemented in IE (not until IE10, which apparently has limited support), so all BridgeDB's users running IE6 and IE7 on Windows XP boxes in China (there are ''a lot'' of these boxes in China) could still be attacked.
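The following is an added example, not code from the ticket or from BridgeDB: a minimal CSP evaluator that parses the two headers above and answers, for a given directive and load, whether each policy permits it, including the fall-back from an unset fetch directive to default-src. It matches origins exactly (scheme and host, no wildcard or path matching), treats only 'unsafe-inline' as permitting inline code (nonces and hashes are not modelled), and reports directive names it does not recognise, which flags the v1 header's `frame-options` (the CSP directive for framing control is frame-ancestors; the page origin and test URLs below are constructed).

```python
# Added example (not the ticket's or BridgeDB's code): evaluate which loads
# the two proposed Content-Security-Policy headers permit.
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
FETCH = {"script-src", "style-src", "img-src", "font-src", "connect-src",
         "media-src", "object-src", "child-src"}
KNOWN = FETCH | {"default-src", "base-uri", "frame-ancestors", "form-action",
                 "report-uri", "sandbox"}

def parse_csp(header):
    """Return ({directive: [source expressions]}, [unrecognised directives])."""
    policy, unknown = {}, []
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            name = tokens[0].lower()
            policy[name] = tokens[1:]
            if name not in KNOWN:
                unknown.append(name)
    return policy, unknown

def sources_for(policy, directive):
    # Explicit source list wins; fetch directives inherit default-src.
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH else []

def allows(policy, directive, page_origin, load):
    """True if `load` ('inline' or an absolute URL) is permitted for `directive`."""
    srcs = sources_for(policy, directive)
    if load == "inline":                      # nonces/hashes not modelled
        return "'unsafe-inline'" in srcs
    origin = urlsplit(load)[:2]               # (scheme, host[:port])
    for src in srcs:
        if src == "'self'" and origin == urlsplit(page_origin)[:2]:
            return True
        if src.endswith(":") and load.startswith(src):   # scheme source, e.g. data:
            return True
        if not src.startswith("'") and origin == urlsplit(src)[:2]:
            return True
    return False                              # includes 'none' and no match

PAGE = "https://bridges.torproject.org"      # constructed page origin
INITIAL = "default-src 'self'"
V1 = ("default-src 'none'; base-uri https://bridges.torproject.org; "
      "script-src https://bridges.torproject.org; style-src https://bridges.torproject.org; "
      "img-src https://bridges.torproject.org data:; font-src https://bridges.torproject.org; "
      "frame-options 'deny';")
```

Under either policy an inline script is refused; the v1 header additionally permits data: images while refusing everything, such as XHR to the site's own origin via connect-src, that it does not list explicitly.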