Posted to users@sling.apache.org by Jason E Bailey <je...@apache.org> on 2020/01/10 17:25:56 UTC

Content Security Policy Headers

If you're not familiar with them

https://tools.ietf.org/html/rfc7231
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

I'm wondering if anyone has used the CSP to secure javascript and styles successfully in Sling and what techniques did they use to get there.

I'm about to raise an issue with our vendor because of lack of support, but I like to try to avoid tickets if necessary. 

- Jason

Re: Content Security Policy Headers

Posted by Eric Norman <en...@apache.org>.
I set these headers (and HSTS header) with a simple servlet filter.

Regards,
Eric

On Fri, Jan 10, 2020, 9:26 AM Jason E Bailey <je...@apache.org> wrote:

> If you're not familiar with them
>
> https://tools.ietf.org/html/rfc7231
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> I'm wondering if anyone has used the CSP to secure javascript and styles
> successfully in Sling and what techniques did they use to get there.
>
> I'm about to raise an issue with our vendor because of lack of support,
> but I like to try to avoid tickets if necessary.
>
> - Jason
>

Re: Content Security Policy Headers

Posted by Jason E Bailey <ja...@24601.org>.
I should have been more specific. I have a security person who wants us to remove the unsafe-inline for the javascript.
This has taken up so much of my focus that I forget all about the rest of it.

To pull off the removal of the unsafe-inline you have to use hashes for the javascript or a nonce that changes every time you request the page. This is where my mind starts to explode.

--
Jason

On Fri, Jan 10, 2020, at 2:13 PM, Daniel Klco wrote:
> Jason,
> 
> Rather than putting the headers in Sling, I'd recommend supplying the CSP
> in your caching (httpd etc) layer. Something like this:
> 
> Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"
> Header set X-XSS-Protection "1; mode=block"
> Header set X-Content-Type-Options "nosniff"
> Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"
> Header set Content-Security-Policy "default-src https: data: 'unsafe-inline'"
> 
> 
> I use this on my personal site and have an A rating:
> https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F
> 
> Regards,
> Dan
> 
> 
> On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey <je...@apache.org> wrote:
> 
> > If you're not familiar with them
> >
> > https://tools.ietf.org/html/rfc7231
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
> >
> > I'm wondering if anyone has used the CSP to secure javascript and styles
> > successfully in Sling and what techniques did they use to get there.
> >
> > I'm about to raise an issue with our vendor because of lack of support,
> > but I like to try to avoid tickets if necessary.
> >
> > - Jason
> >
>
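
The nonce-per-request approach Jason describes (and the servlet filter Eric mentions) in working form, as an added example that is not code from either poster or from the Sling project. It assumes the `javax.servlet` API that Sling used at the time, a request attribute name `cspNonce` chosen here, and that the filter is registered as an OSGi service with `sling.filter.scope=request`; the policy values are illustrative and will need the origins your site actually loads from.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that issues a fresh CSP nonce for every request, sets the
 * Content-Security-Policy and HSTS headers, and exposes the nonce to the
 * rendering layer so templates can emit nonce="..." on their script/style tags.
 * (Example code; register it in Sling as an OSGi Filter service with
 * sling.filter.scope=request.)
 */
public class CspNonceFilter implements Filter {

    /** Request attribute the templates read the nonce from (name chosen for this example). */
    public static final String NONCE_ATTR = "cspNonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** 128 bits of CSPRNG output, base64-encoded: unique and unguessable per response. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Policy without 'unsafe-inline': only same-origin files and nonce-tagged inline blocks run. */
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "style-src 'self' 'nonce-" + nonce + "'; "
             + "object-src 'none'; "
             + "base-uri 'self'; "
             + "frame-ancestors 'self'";
    }

    /**
     * The hash alternative: a CSP source expression for a fixed inline script.
     * The digest covers the exact text between the script tags, whitespace included,
     * so any change to the block invalidates the hash.
     */
    static String scriptHash(String inlineScriptBody) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(inlineScriptBody.getBytes(StandardCharsets.UTF_8));
        return "'sha256-" + Base64.getEncoder().encodeToString(digest) + "'";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String nonce = newNonce();
        // Make the nonce available to scripts/templates rendered later in the chain.
        req.setAttribute(NONCE_ATTR, nonce);
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("Content-Security-Policy", buildPolicy(nonce));
            http.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure in this example
    }

    @Override
    public void destroy() {
        // no resources to release
    }
}
```

Templates then read `cspNonce` from the request and render `<script nonce="...">` for every inline block; a block without the matching nonce is refused by the browser, which is what removes the need for `'unsafe-inline'`. One caveat that bears on Dan's advice to set headers in the caching layer: a nonce only works if it differs on every response, so nonce-based pages cannot be served from a dispatcher or CDN cache. Hashes (`scriptHash` above) do survive caching because they depend only on the script text, at the cost of having to regenerate the policy whenever an inline block changes.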

Re: Content Security Policy Headers

Posted by Daniel Klco <da...@gmail.com>.
Jason,

Rather than putting the headers in Sling, I'd recommend supplying the CSP
in your caching (httpd etc) layer. Something like this:

Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"
Header set Content-Security-Policy "default-src https: data: 'unsafe-inline'"


I use this on my personal site and have an A rating:
https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F

Regards,
Dan


On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey <je...@apache.org> wrote:

> If you're not familiar with them
>
> https://tools.ietf.org/html/rfc7231
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> I'm wondering if anyone has used the CSP to secure javascript and styles
> successfully in Sling and what techniques did they use to get there.
>
> I'm about to raise an issue with our vendor because of lack of support,
> but I like to try to avoid tickets if necessary.
>
> - Jason
>