Opened 3 years ago
Last modified 22 months ago
#23432 new enhancement
Move CSP style attributes into external stylesheets
| Reported by: | cypherpunks | Owned by: | |
|---|---|---|---|
| Priority: | Medium | Milestone: | website redesign |
| Component: | Webpages/Website | Version: | |
| Severity: | Normal | Keywords: | CSP |
| Cc: | hiro | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
Suggested by the Mozilla Observatory https://observatory.mozilla.org/analyze.html?host=torproject.org
Your current CSP policy allows the use of
'unsafe-inline'inside ofstyle-src. Movingstyleattributes into external stylesheets not only makes you safer, but also makes your code easier to maintain.
Child Tickets
Change History (3)
comment:1 Changed 3 years ago by
| Keywords: | CSP added; csp removed |
|---|
comment:2 Changed 2 years ago by
| Milestone: | → website redesign |
|---|
comment:3 Changed 22 months ago by
Note: See
TracTickets for help on using
tickets.
This is also relevant for the new website.
< https://observatory.mozilla.org/analyze.html?host=torproject.org
Score: 110/100
Tests Passed: 11/11
failed tests:
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
< https://csp-evaluator.withgoogle.com/?csp=https://torproject.org
High severity: object-src [missing] Can you restrict object-src to 'none'?
What should be done
There's a method to define a CSP in a meta header "although in this case its effectiveness will be limited" (Wikipedia), for apache it should be defined in
httpd.confor.htaccess:(just an example, the perfect solution may differ)
Interesting read: An Introduction to Content Security Policy
Content Security Policy (CSP) header not implemented
< observatory.mozilla.org/analyze.html?host=support.torproject.org
For Score: 75/100
Tests Passed: 10/11
Content Security Policy (CSP) header not implemented
Same for styleguide.torproject.org
< observatory.mozilla.org/analyze.html?host=deb.torproject.org
Score: 55/100
Tests Passed: 9/11
We noticed that your site is accessible over HTTPS, but still defaults to HTTP.
Content Security Policy (CSP) header not implemented
Does not redirect to an HTTPS site
< observatory.mozilla.org/analyze.html?host=trac.torproject.org
Score: 55/100
Tests Passed: 9/11
The use of the X-Frame-Options header and Content Security Policy’s frame-ancestors directive are a simple and easy way to protect your site against clickjacking attacks. https://infosec.mozilla.org/guidelines/web_security#x-frame-options
Content Security Policy (CSP) header not implemented
X-Frame-Options (XFO) header cannot be recognized
missing Cookies tags: SameSite Prefixed
Best
< observatory.mozilla.org/analyze.html?host=dist.torproject.org
Score: 115/100
Tests Passed: 11/11
Recommended Change
🎉🎉🎉 We don't have any! 🎉🎉🎉
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
< observatory.mozilla.org/analyze.html?host=bridges.torproject.org
Score: 115/100
Tests Passed: 11/11
Recommended Change
🎉🎉🎉 We don't have any! 🎉🎉🎉
Clickjacking protection, using frame-ancestors
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs