[tor-bugs] #23432 [Webpages/Website]: Move CSP style attributes into external stylesheets

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 17 03:49:49 UTC 2018


#23432: Move CSP style attributes into external stylesheets
------------------------------+----------------------------------
 Reporter:  cypherpunks       |          Owner:  (none)
     Type:  enhancement       |         Status:  new
 Priority:  Medium            |      Milestone:  website redesign
Component:  Webpages/Website  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:  CSP               |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+----------------------------------

Comment (by traumschule):

 This is also relevant for the new website.

 < https://observatory.mozilla.org/analyze.html?host=torproject.org
 Score:  110/100
 Tests Passed:   11/11
 failed tests:
 Blocks inline styles by not allowing 'unsafe-inline' inside style-src
 Clickjacking protection, using frame-ancestors
 Deny by default, using default-src 'none'
 Restricts use of the <base> tag by using base-uri 'none', base-uri 'self',
 or specific origins
 Restricts where <form> contents may be submitted by using form-action
 'none', form-action 'self', or specific URIs

 < https://csp-evaluator.withgoogle.com/?csp=https://torproject.org
 High severity: object-src [missing] Can you restrict object-src to 'none'?

 = What should be done

 - https://content-security-policy.com/#server
 - https://www.w3.org/TR/CSP2/#example-policies
 - ML: https://lists.w3.org/Archives/Public/public-webappsec/

 There's a method to define a [https://www.w3.org/TR/CSP2/#delivery-html-meta-element CSP in a meta header] "although in this case its
 effectiveness will be limited"
 ([https://en.wikipedia.org/wiki/Content_Security_Policy#cite_ref-13
 Wikipedia]), for Apache it should be defined in {{{httpd.conf}}} or
 {{{.htaccess}}}:
 {{{
 Header set Content-Security-Policy "default-src 'self';"
 }}}
 (just an example, the perfect solution may differ)

 Interesting read: [https://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]

 = Content Security Policy (CSP) header not implemented

 < observatory.mozilla.org/analyze.html?host=support.torproject.org
 Score:  75/100
 Tests Passed:   10/11
 Content Security Policy (CSP) header not implemented

 Same for styleguide.torproject.org

 < observatory.mozilla.org/analyze.html?host=deb.torproject.org
 Score:  55/100
 Tests Passed:   9/11
 We noticed that your site is accessible over HTTPS, but still defaults to
 HTTP.
 Content Security Policy (CSP) header not implemented
 Does not redirect to an HTTPS site

 < observatory.mozilla.org/analyze.html?host=trac.torproject.org
 Score:  55/100
 Tests Passed:   9/11
 The use of the X-Frame-Options header and Content Security Policy’s
 frame-ancestors directive are a simple and easy way to protect your site
 against clickjacking attacks.
 https://infosec.mozilla.org/guidelines/web_security#x-frame-options
 Content Security Policy (CSP) header not implemented
 X-Frame-Options (XFO) header cannot be recognized
 missing Cookies tags: SameSite Prefixed

 - archive.torproject.org
 - cloud.torproject.org
 - collector.torproject.org
 - consensus-health.torproject.org
 - exonerator.torproject.org
 - gettor.torproject.org
 - git.torproject.org
 - gitweb.torproject.org
 - metrics.torproject.org
 - newsletter.torproject.org
 - nyx.torproject.org
 - onion.torproject.org
 - research.torproject.org
 - tb-manual.torproject.org
 - stem.torproject.org
 - survey.torproject.org
 - snowflake.torproject.org

 = Best

 < observatory.mozilla.org/analyze.html?host=dist.torproject.org
 Score:  115/100
 Tests Passed:   11/11
 Recommended Change
 🎉🎉🎉  We don't have any!  🎉🎉🎉
 Clickjacking protection, using frame-ancestors
 Deny by default, using default-src 'none'
 Restricts use of the <base> tag by using base-uri 'none', base-uri 'self',
 or specific origins
 Restricts where <form> contents may be submitted by using form-action
 'none', form-action 'self', or specific URIs

 < observatory.mozilla.org/analyze.html?host=bridges.torproject.org
 Score:  115/100
 Tests Passed:   11/11
 Recommended Change
 🎉🎉🎉  We don't have any!  🎉🎉🎉
 Clickjacking protection, using frame-ancestors
 Restricts where <form> contents may be submitted by using form-action
 'none', form-action 'self', or specific URIs

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23432#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
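The comment above lists the checks Mozilla Observatory and Google's CSP Evaluator apply to a policy (deny by default with default-src 'none', no 'unsafe-inline' in style-src, object-src 'none', explicit frame-ancestors, base-uri and form-action). The script below is an added example, not part of the ticket or of the Tor Project's own tooling: a small CSP parser plus a checker that reproduces those six findings for a header string. The function names and the three sample policies are constructed for the example; the "default-src 'self';" sample is the Apache one-liner quoted in the comment. One point the parser encodes that is easy to get wrong: frame-ancestors, base-uri and form-action never fall back to default-src, so each must be set explicitly, whereas object-src and style-src do inherit from default-src when absent.

```python
"""Check a Content-Security-Policy header value against the Observatory-style
findings quoted in the ticket comment. Added example; all names are hypothetical."""
from typing import Dict, List, Optional

# Fetch directives that inherit default-src when they are absent. The three
# directives checked below that are NOT in this set (frame-ancestors, base-uri,
# form-action) never inherit and must be written out explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "object-src",
                         "font-src", "connect-src", "media-src", "frame-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'a b; c d e' into {'a': ['b'], 'c': ['d', 'e']}.

    Directive names and keyword sources ('self', 'none', ...) are case-insensitive
    per the spec and are lowercased; host sources are kept as written. When a
    directive is repeated, the first occurrence wins and the rest are ignored,
    which is what browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        values = [v.lower() if v.startswith("'") else v for v in parts[1:]]
        policy.setdefault(name, values)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that apply to `directive`, honouring the default-src fallback.
    Returns None when neither the directive nor an applicable default is set."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def is_none(values: Optional[List[str]]) -> bool:
    """'none' and an empty source list both match nothing."""
    return values is not None and (values == [] or values == ["'none'"])


def is_restricted(values: Optional[List[str]]) -> bool:
    """Directive is present and does not allow an arbitrary origin."""
    return values is not None and "*" not in values


def check_csp(header: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks pass."""
    policy = parse_csp(header)
    findings: List[str] = []

    if not is_none(policy.get("default-src")):
        findings.append("default-src is not 'none' (no deny-by-default)")

    style = effective_sources(policy, "style-src") or []
    if "'unsafe-inline'" in style:
        findings.append("style-src allows 'unsafe-inline' (inline styles permitted)")

    if not is_none(effective_sources(policy, "object-src")):
        findings.append("object-src is not restricted to 'none'")

    # No fallback for these three: absent means unrestricted.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing (no clickjacking protection)")
    if not is_restricted(policy.get("base-uri")):
        findings.append("base-uri missing or allows any origin")
    if not is_restricted(policy.get("form-action")):
        findings.append("form-action missing or allows any origin")
    return findings


# Constructed sample policies. WEAK_POLICY is the value from the Apache
# one-liner quoted in the ticket comment.
WEAK_POLICY = "default-src 'self';"
INLINE_STYLE_POLICY = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
                       "object-src 'none'; frame-ancestors 'self'; base-uri 'self'; "
                       "form-action 'self'")
STRONG_POLICY = ("default-src 'none'; script-src 'self'; style-src 'self'; "
                 "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; "
                 "base-uri 'self'; form-action 'self'")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("inline-style", INLINE_STYLE_POLICY),
                          ("strong", STRONG_POLICY)):
        print(f"{label}: {check_csp(policy) or ['OK']}")
```

Running it reports five findings for the one-line Apache example, two for the policy that still needs 'unsafe-inline' for styles (which is exactly what moving the style attributes into external stylesheets, as the ticket title asks, would remove), and none for the strict policy.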