Your current CSP policy allows the use of 'unsafe-inline' inside of style-src. Moving style attributes into external stylesheets not only makes you safer, but also makes your code easier to maintain.
< https://observatory.mozilla.org/analyze.html?host=torproject.org
Score: 110/100
Tests Passed: 11/11
Failed tests:
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the `<base>` tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where `<form>` contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
There's a method to define a CSP in a meta header, "although in this case its effectiveness will be limited" (Wikipedia); for Apache it should be defined in httpd.conf or .htaccess:
Header set Content-Security-Policy "default-src 'self';"
(just an example, the perfect solution may differ)
= Content Security Policy (CSP) header not implemented
< observatory.mozilla.org/analyze.html?host=support.torproject.org
Score: 75/100
Tests Passed: 10/11
Content Security Policy (CSP) header not implemented
Same for styleguide.torproject.org
< observatory.mozilla.org/analyze.html?host=deb.torproject.org
Score: 55/100
Tests Passed: 9/11
We noticed that your site is accessible over HTTPS, but still defaults to HTTP.
Content Security Policy (CSP) header not implemented
Does not redirect to an HTTPS site
< observatory.mozilla.org/analyze.html?host=trac.torproject.org
Score: 55/100
Tests Passed: 9/11
The use of the X-Frame-Options header and Content Security Policy’s frame-ancestors directive are a simple and easy way to protect your site against clickjacking attacks. https://infosec.mozilla.org/guidelines/web_security#x-frame-options
Content Security Policy (CSP) header not implemented
X-Frame-Options (XFO) header cannot be recognized
Missing cookie attributes: SameSite, Prefixed
archive.torproject.org
cloud.torproject.org
collector.torproject.org
consensus-health.torproject.org
exonerator.torproject.org
gettor.torproject.org
git.torproject.org
gitweb.torproject.org
metrics.torproject.org
newsletter.torproject.org
nyx.torproject.org
onion.torproject.org
research.torproject.org
tb-manual.torproject.org
stem.torproject.org
survey.torproject.org
snowflake.torproject.org
= Best
< observatory.mozilla.org/analyze.html?host=dist.torproject.org
Score: 115/100
Tests Passed: 11/11
Recommended Change
We don't have any!
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the `<base>` tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where `<form>` contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
< observatory.mozilla.org/analyze.html?host=bridges.torproject.org
Score: 115/100
Tests Passed: 11/11
Recommended Change
We don't have any!
Clickjacking protection, using frame-ancestors
Restricts where `<form>` contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
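The tests quoted throughout this issue (inline styles, frame-ancestors, default-src 'none', base-uri, form-action, X-Frame-Options, cookie attributes, HTTPS redirect) can be reproduced offline against a set of headers, which is handy for checking a candidate httpd.conf change before re-running Observatory. The checker below is added example code written for this issue; it is not Observatory's scanner and not Tor Project code, and the sample headers and cookies at the bottom are constructed, not captured from any torproject.org host. Two caveats it encodes that the issue text does not spell out: frame-ancestors, base-uri and form-action do not inherit from default-src, so the suggested `default-src 'self';` line passes the inline-style test but still fails the other four listed CSP tests; and 'unsafe-inline' in style-src is ignored by CSP2+ browsers once a nonce or hash source is present, so that combination does not count as allowing inline styles.

```python
"""Offline checker for the Observatory-style tests quoted in this issue.
Hypothetical helper code written for this issue, not Observatory's scanner: it
grades headers you pass in (e.g. pasted from `curl -sI`), so it needs no network."""

WILDCARDS = {"*", "http:", "https:"}  # sources that leave a directive unrestricted


def parse_csp(header: str) -> dict:
    """CSP value -> {directive: [sources]}; like browsers, the first duplicate wins."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _restricted(sources: list) -> bool:
    """True for 'none', 'self' or specific origins; False if absent or wildcarded."""
    return bool(sources) and not any(s.lower() in WILDCARDS for s in sources)


def csp_findings(policy: dict) -> list:
    """Names (Observatory wording) of the CSP tests that this policy fails."""
    findings = []
    # style-src falls back to default-src; frame-ancestors, base-uri and
    # form-action do NOT, so each must be set explicitly.
    style = policy.get("style-src", policy.get("default-src", []))
    # CSP2+: 'unsafe-inline' is ignored once a nonce or hash source is present.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in style)
    if not style or ("'unsafe-inline'" in style and not nonce_or_hash):
        findings.append("Blocks inline styles by not allowing 'unsafe-inline' inside style-src")
    if "frame-ancestors" not in policy:
        findings.append("Clickjacking protection, using frame-ancestors")
    if policy.get("default-src") != ["'none'"]:
        findings.append("Deny by default, using default-src 'none'")
    if not _restricted(policy.get("base-uri", [])):
        findings.append("Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins")
    if not _restricted(policy.get("form-action", [])):
        findings.append("Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs")
    return findings


def clickjacking_findings(headers: dict) -> list:
    """frame-ancestors is sufficient; otherwise XFO must be DENY or SAMEORIGIN."""
    if "frame-ancestors" in parse_csp(headers.get("content-security-policy", "")):
        return []
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return []
    return ["X-Frame-Options (XFO) header cannot be recognized" if xfo
            else "X-Frame-Options (XFO) header not implemented"]


def cookie_findings(set_cookie_headers: list) -> list:
    """Flag cookies lacking Secure/HttpOnly/SameSite or a valid __Host-/__Secure- prefix."""
    findings = []
    for raw in set_cookie_headers:
        name_value, *parts = [p.strip() for p in raw.split(";")]
        name = name_value.split("=", 1)[0]
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts)}
        findings += [f"{name}: missing {f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
        if name.startswith("__Host-"):  # requires Secure, Path=/ and no Domain
            if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
                findings.append(f"{name}: __Host- prefix requirements not met")
        elif name.startswith("__Secure-"):
            if "secure" not in attrs:
                findings.append(f"{name}: __Secure- prefix requires Secure")
        else:
            findings.append(f"{name}: not prefixed with __Host- or __Secure-")
    return findings


def redirect_findings(status: int, location: str = "") -> list:
    """Grade the plain-HTTP response: it must redirect straight to https://."""
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return ["Does not redirect to an HTTPS site"]


def audit(headers: dict, set_cookie_headers: list) -> list:
    """All findings for one HTTPS response's headers plus its Set-Cookie lines."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = (csp_findings(parse_csp(h["content-security-policy"]))
                if "content-security-policy" in h
                else ["Content Security Policy (CSP) header not implemented"])
    return findings + clickjacking_findings(h) + cookie_findings(set_cookie_headers)


# Constructed sample responses (not captured from any torproject.org host).
ISSUE_EXAMPLE = {"Content-Security-Policy": "default-src 'self';"}  # the httpd.conf line above
WEAK_COOKIES = ["session=abc123; Path=/"]
HARDENED = {"Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
            "img-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'",
            "X-Frame-Options": "DENY"}
HARDENED_COOKIES = ["__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("issue example", ISSUE_EXAMPLE, WEAK_COOKIES),
                                 ("hardened", HARDENED, HARDENED_COOKIES)):
        print(f"{label}: {audit(hdrs, cookies) or ['no findings']}")
```

To use it on a real host, paste the header lines from `curl -sI https://<host>/` into the dict, collect the `Set-Cookie` lines into the list, and feed the plain-HTTP status and Location header to `redirect_findings`. The HARDENED policy is deliberately strict (no scripts or styles from anywhere but 'self', no framing at all); a site that needs third-party assets or embedding should widen the relevant directive rather than fall back to 'unsafe-inline' or drop frame-ancestors.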