
Conversation

@driusan driusan (Collaborator) commented Jan 13, 2016

This adds a Content-Security-Policy header to LORIS requests loaded through main.php in order to help prevent XSS attacks.

The policy it implements is:

  1. By default, only allow things that are self-hosted
  2. Allow inline CSS and JS (inline JS is required for the Loris base class to load smarty variables). We should eventually try and find a way to tighten up this policy.
  3. Allow unsafe-eval because jQuery requires it to load our menus. It will be fixed in jQuery 3.0.0. See "_evalUrl isn't Content-Security-Policy (CSP) compatible" (jquery/jquery#2012). After we upgrade jQuery, we should remove this.
  4. Allow data URLs for fonts, because our bootstrap theme seems to load a font that way. We should probably update our theme to use a real URL and remove this.
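The four points above written out as a header value, plus a small check that lists the relaxations the description says should be removed later. This is an added example, not code from the PR or from LORIS; the way the points are grouped into `style-src`, `script-src` and `font-src` directives is my reading of the list.

```python
# Added example (not the PR's code): express the policy described above as a
# Content-Security-Policy value and report which directives still carry the
# relaxations ('unsafe-inline', 'unsafe-eval', data:) that weaken XSS protection.
from typing import Dict, List


def build_loris_csp() -> str:
    """Return a CSP header value matching the four points in the PR description."""
    directives = {
        "default-src": ["'self'"],                                       # 1. self-hosted only
        "style-src":   ["'self'", "'unsafe-inline'"],                    # 2. inline CSS
        "script-src":  ["'self'", "'unsafe-inline'", "'unsafe-eval'"],   # 2./3. inline JS, jQuery eval
        "font-src":    ["'self'", "data:"],                              # 4. data: URL fonts
    }
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    parsed: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


# Source expressions that re-open the surface a CSP is meant to close.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "data:", "*"}


def csp_weaknesses(header: str) -> Dict[str, List[str]]:
    """Return {directive: [risky sources]} for each directive that is relaxed."""
    found: Dict[str, List[str]] = {}
    for name, sources in parse_csp(header).items():
        risky = [s for s in sources if s in RISKY]
        if risky:
            found[name] = risky
    return found


if __name__ == "__main__":
    policy = build_loris_csp()
    print("Content-Security-Policy:", policy)
    for directive, sources in csp_weaknesses(policy).items():
        print(f"{directive}: still allows {', '.join(sources)}")
```

Running the check against a response header captured from a deployment shows whether the temporary relaxations have actually been removed after the jQuery and theme changes the description mentions.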

@driusan driusan changed the title Added a CSP to Loris Added a Content-Security-Policy to Loris Jan 13, 2016
@driusan driusan added labels "Release: Add to release notes" (PR whose changes should be highlighted in the release notes), "Category: Bug" (PR or issue that aims to report or fix a bug) and "Category: Feature" (PR or issue that aims to introduce a new feature) Jan 13, 2016
@driusan driusan added this to the 16.04 milestone Jan 13, 2016
@codecov-io commented

Current coverage is 10.93%

Merging #1481 into 16.04-dev will not affect coverage as of abe5d52

@@            16.04-dev   #1481   diff @@
=========================================
  Files             103     103       
  Stmts           18026   18030     +4
  Branches            0       0       
  Methods          1020    1020       
=========================================
  Hit              1971    1971       
  Partial             0       0       
- Missed          16055   16059     +4


samirdas added a commit that referenced this pull request Jan 15, 2016
Added a Content-Security-Policy to Loris
@samirdas samirdas merged commit 0a68046 into aces:16.04-dev Jan 15, 2016