[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 24 23:31:29 UTC 2015


#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
--------------------------+------------------------------------------------
      Reporter:  isis     |      Owner:  isis
          Type:  enhancement |  Status:  needs_review
      Priority:  major    |  Milestone:
     Component:  BridgeDB |    Version:
    Resolution:           |   Keywords:  bridgedb-https, security, bridgedb-0.3.3
 Actual Points:           |  Parent ID:
        Points:           |
--------------------------+------------------------------------------------
Changes (by isis):

 * status:  new => needs_review
 * keywords:  bridgedb-https security => bridgedb-https, security,
     bridgedb-0.3.3


Comment:

 I've added a `twisted.web.resource.Resource` class for BridgeDB's HTTPS
 Distributor, called `CSPResource`, which adds methods, inherited by the other
 resources, that set the CSP header on the HTTP response. My changes are in my
 `15968-16649-csp-and-mobile`
 [https://gitweb.torproject.org/user/isis/bridgedb.git/log/?h=fix/15968-16649-csp-and-mobile branch].

 The default CSP header is controllable via some config file options:

 {{{
 # Content Security Policy Settings
 # --------------------------------

 # (boolean) If True, enable use of CSP headers.  This must be True for any
 # other CSP-related options to have any effect.
 #
 # If enabled, the default Content Security Policy (CSP) is:
 #
 #     default-src 'none' ;
 #     base-uri FQDN ;
 #     script-src FQDN ;
 #     style-src FQDN ;
 #     img-src FQDN data: ;
 #     font-src FQDN ;
 #
 # where "FQDN" is the value of the SERVER_PUBLIC_FQDN config setting.
 #
 # If CSP_INCLUDE_SELF is enabled, then "'self'" (literally, the word self
 # surrounded by single-quotes) will be appended to the value of the
 # SERVER_PUBLIC_FQDN config setting to create the "FQDN".

 CSP_ENABLED = True

 # (boolean) If True (and CSP_ENABLED is also True), then set a "report-only"
 # Content Security Policy.  This means that client agents which run into
 # problems with or cause violations of our CSP settings will report data
 # regarding the problems/violations.  This report data is then logged (at the
 # DEBUG level), along with the client's IP address (only if SAFELOGGING is
 # disabled, otherwise the client's IP address is not reported).

 CSP_REPORT_ONLY = False

 # (boolean) If True, then append "'self'" to the "FQDN" in the default CSP
 # header described above.

 CSP_INCLUDE_SELF = True

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
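The following is an added example, not BridgeDB's own code from the branch above, showing how the policy described by those config comments can be assembled and which response header it belongs in. The directive list and the rule for appending 'self' come from the ticket; the function names, the dict-shaped config, the hostname check on SERVER_PUBLIC_FQDN (the value is copied from a config file straight into a response header, so a stray ';' or whitespace would let a bad config inject extra directives or sources), and the optional report-uri parameter are assumptions of this example. The report-uri parameter is included because a Content-Security-Policy-Report-Only header produces no reports at all unless the policy tells the browser where to send them; the ticket does not say how BridgeDB wires that endpoint.

```python
"""Added example (not BridgeDB's code): build the CSP header from the
config options quoted in the ticket.  Function names, the hostname check
and the report_uri argument are this example's assumptions."""
import re

# Default policy from the ticket's config comments; {fqdn} is filled in
# with SERVER_PUBLIC_FQDN, optionally followed by 'self'.
_DEFAULT_DIRECTIVES = (
    ("default-src", "'none'"),
    ("base-uri", "{fqdn}"),
    ("script-src", "{fqdn}"),
    ("style-src", "{fqdn}"),
    ("img-src", "{fqdn} data:"),
    ("font-src", "{fqdn}"),
)

# RFC 1123-style hostname, optionally with a port.  Anything else (';',
# whitespace, CR/LF, a scheme) is rejected so a misconfigured FQDN cannot
# smuggle extra directives or source expressions into the header.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$",
    re.IGNORECASE,
)


def validate_fqdn(fqdn):
    """Return fqdn unchanged if it is a plain hostname[:port], else raise."""
    if not isinstance(fqdn, str) or not _HOST_RE.match(fqdn):
        raise ValueError("SERVER_PUBLIC_FQDN is not a valid hostname: %r" % (fqdn,))
    return fqdn


def build_csp(server_public_fqdn, include_self=True, report_uri=None):
    """Return the policy string: the ticket's default directives with FQDN
    substituted, 'self' appended when include_self is set, and an optional
    report-uri directive (this example's assumption) appended last."""
    host = validate_fqdn(server_public_fqdn)
    fqdn = host + " 'self'" if include_self else host
    parts = ["%s %s" % (name, value.format(fqdn=fqdn))
             for name, value in _DEFAULT_DIRECTIVES]
    if report_uri:
        # Keep the report path on the same origin; a policy directive value
        # must not contain ';' or whitespace either.
        if not re.match(r"^/[A-Za-z0-9._~/-]*$", report_uri):
            raise ValueError("report_uri must be an absolute path: %r" % (report_uri,))
        parts.append("report-uri %s" % report_uri)
    return "; ".join(parts)


def csp_header(config, report_uri=None):
    """Return (header_name, header_value), or None when CSP_ENABLED is off.

    config is a dict mirroring the ticket's settings: CSP_ENABLED,
    CSP_REPORT_ONLY, CSP_INCLUDE_SELF and SERVER_PUBLIC_FQDN.  Report-only
    mode changes the header *name*, not the policy text.
    """
    if not config.get("CSP_ENABLED", False):
        return None
    value = build_csp(config["SERVER_PUBLIC_FQDN"],
                      config.get("CSP_INCLUDE_SELF", True),
                      report_uri)
    if config.get("CSP_REPORT_ONLY", False):
        name = "Content-Security-Policy-Report-Only"
    else:
        name = "Content-Security-Policy"
    return name, value


if __name__ == "__main__":
    # Constructed sample config; the hostname is only an illustration.
    sample = {"CSP_ENABLED": True, "CSP_REPORT_ONLY": False,
              "CSP_INCLUDE_SELF": True,
              "SERVER_PUBLIC_FQDN": "bridges.example.org"}
    print("%s: %s" % csp_header(sample))
    sample["CSP_REPORT_ONLY"] = True
    print("%s: %s" % csp_header(sample, report_uri="/csp-report"))
```

In a Twisted resource the tuple would be passed to `request.setHeader(name, value)` before rendering; the point of splitting name from value is that a deployment can flip CSP_REPORT_ONLY to observe breakage without changing the policy it will later enforce.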