Opened 18 months ago

Last modified 6 months ago

#23432 new enhancement

Move CSP style attributes into external stylesheets

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: website redesign
Component: Webpages/Website
Version:
Severity: Normal
Keywords: CSP
Cc: hiro
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Suggested by the Mozilla Observatory https://observatory.mozilla.org/analyze.html?host=torproject.org

Your current CSP policy allows the use of 'unsafe-inline' inside of style-src. Moving style attributes into external stylesheets not only makes you safer, but also makes your code easier to maintain.

Child Tickets

Change History (3)

comment:1 Changed 18 months ago by cypherpunks

Keywords: CSP added; csp removed

comment:2 Changed 11 months ago by hiro

Milestone: website redesign

comment:3 Changed 6 months ago by traumschule

This is also relevant for the new website.

< https://observatory.mozilla.org/analyze.html?host=torproject.org
Score: 110/100
Tests Passed: 11/11
failed tests:
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs

< https://csp-evaluator.withgoogle.com/?csp=https://torproject.org
High severity: object-src [missing] Can you restrict object-src to 'none'?

What should be done

There's a method to define a CSP in a meta header "although in this case its effectiveness will be limited" (Wikipedia); for Apache it should be defined in httpd.conf or .htaccess:

Header set Content-Security-Policy "default-src 'self';"

(just an example, the perfect solution may differ)

Interesting read: An Introduction to Content Security Policy

Content Security Policy (CSP) header not implemented

< observatory.mozilla.org/analyze.html?host=support.torproject.org
For Score: 75/100
Tests Passed: 10/11
Content Security Policy (CSP) header not implemented

Same for styleguide.torproject.org

< observatory.mozilla.org/analyze.html?host=deb.torproject.org
Score: 55/100
Tests Passed: 9/11
We noticed that your site is accessible over HTTPS, but still defaults to HTTP.
Content Security Policy (CSP) header not implemented
Does not redirect to an HTTPS site

< observatory.mozilla.org/analyze.html?host=trac.torproject.org
Score: 55/100
Tests Passed: 9/11
The use of the X-Frame-Options header and Content Security Policy’s frame-ancestors directive are a simple and easy way to protect your site against clickjacking attacks. https://infosec.mozilla.org/guidelines/web_security#x-frame-options
Content Security Policy (CSP) header not implemented
X-Frame-Options (XFO) header cannot be recognized
missing Cookies tags: SameSite Prefixed

  • archive.torproject.org
  • cloud.torproject.org
  • collector.torproject.org
  • consensus-health.torproject.org
  • exonerator.torproject.org
  • gettor.torproject.org
  • git.torproject.org
  • gitweb.torproject.org
  • metrics.torproject.org
  • newsletter.torproject.org
  • nyx.torproject.org
  • onion.torproject.org
  • research.torproject.org
  • tb-manual.torproject.org
  • stem.torproject.org
  • survey.torproject.org
  • snowflake.torproject.org

Best

< observatory.mozilla.org/analyze.html?host=dist.torproject.org
Score: 115/100
Tests Passed: 11/11
Recommended Change
🎉🎉🎉 We don't have any! 🎉🎉🎉
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs

< observatory.mozilla.org/analyze.html?host=bridges.torproject.org
Score: 115/100
Tests Passed: 11/11
Recommended Change
🎉🎉🎉 We don't have any! 🎉🎉🎉
Clickjacking protection, using frame-ancestors
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
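Added example, not code from the ticket or from the torproject.org site configuration: a small offline Python checker that parses a Content-Security-Policy header value and reports the items the Observatory and CSP Evaluator output above flag (inline styles via 'unsafe-inline' in style-src, a missing or open object-src, no frame-ancestors, default-src not 'none', unrestricted base-uri and form-action). The two sample policies are constructed; the first is the Apache example from comment 3.

```python
# Added example, not part of the ticket. Checks a CSP header value against
# the points raised by the Observatory / CSP Evaluator output in the ticket.

def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}.
    Directive names are case-insensitive; a repeated directive is ignored
    by browsers, so the first occurrence wins here too."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective(policy, directive):
    """Sources applying to a fetch directive, falling back to default-src.
    Note: frame-ancestors, base-uri and form-action never fall back."""
    return policy.get(directive, policy.get("default-src"))

def check_csp(header):
    """Return the list of findings (empty list means all checks pass)."""
    p = parse_csp(header)
    findings = []
    style = effective(p, "style-src")
    # No style-src and no default-src means inline styles are allowed.
    if style is None or "'unsafe-inline'" in style:
        findings.append("style-src allows inline styles")
    obj = effective(p, "object-src")
    if obj is None:
        findings.append("object-src missing")
    elif obj != ["'none'"]:
        findings.append("object-src not restricted to 'none'")
    if "frame-ancestors" not in p:
        findings.append("no frame-ancestors (clickjacking protection)")
    if p.get("default-src") != ["'none'"]:
        findings.append("default-src is not 'none' (not deny by default)")
    if "base-uri" not in p:
        findings.append("base-uri not restricted")
    if "form-action" not in p:
        findings.append("form-action not restricted")
    return findings

# Constructed sample policies: the ticket's Apache example, and a hardened one.
TICKET_POLICY = "default-src 'self';"
HARDENED_POLICY = ("default-src 'none'; style-src 'self'; script-src 'self'; "
                   "img-src 'self'; object-src 'none'; frame-ancestors 'none'; "
                   "base-uri 'self'; form-action 'self'")

if __name__ == "__main__":
    for name, policy in (("ticket", TICKET_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_csp(policy) or "all checks pass")
```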
