Re: [tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-------------------------+-------------------------------------------------
Reporter: isis           | Owner: isis
Type: enhancement        | Status: needs_review
Priority: major          | Milestone:
Component: BridgeDB      | Version:
Resolution:              | Keywords: bridgedb-https, security, bridgedb-0.3.3
Actual Points:           | Parent ID:
Points:                  |
-------------------------+-------------------------------------------------
Changes (by isis):
* status: new => needs_review
* keywords: bridgedb-https security => bridgedb-https, security, bridgedb-0.3.3
Comment:
I've added a `twisted.web.resource.Resource` class for BridgeDB's HTTPS
Distributor, called `CSPResource`, which adds methods, inherited by the other
resources, that set the CSP header for the HTTP response. My changes are in
my `15968-16649-csp-and-mobile`
[https://gitweb.torproject.org/user/isis/bridgedb.git/log/?h=fix/15968-16649-csp-and-mobile branch].
The default CSP header is controllable via some config file options:
{{{
# Content Security Policy Settings
# --------------------------------
# (boolean) If True, enable use of CSP headers. This must be True for any
# other CSP-related options to have any effect.
#
# If enabled, the default Content Security Policy (CSP) is:
#
# default-src 'none' ;
# base-uri FQDN ;
# script-src FQDN ;
# style-src FQDN ;
# img-src FQDN data: ;
# font-src FQDN ;
#
# where "FQDN" is the value of the SERVER_PUBLIC_FQDN config setting.
#
# If CSP_INCLUDE_SELF is enabled, then "'self'" (literally, the word self
# surrounded by single-quotes) will be appended to the value of the
# SERVER_PUBLIC_FQDN config setting to create the "FQDN".
CSP_ENABLED = True
# (boolean) If True (and CSP_ENABLED is also True), then set a "report-only"
# Content Security Policy. This means that client agents which run into
# problems with or cause violations of our CSP settings will report data
# regarding the problems/violations. This report data is then logged (at the
# DEBUG level), along with the client's IP address (only if SAFELOGGING is
# disabled, otherwise the client's IP address is not reported).
CSP_REPORT_ONLY = False
# (boolean) If True, then append "'self'" to the "FQDN" in the default CSP
# header described above.
CSP_INCLUDE_SELF = True
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
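The following is an added example illustrating how the config options quoted in the ticket translate into an actual header value and into a log line for report-only mode. It is not BridgeDB's code or isis's branch: the option names come from the ticket, while `build_csp_header()`, `csp_report_log_line()`, the `/csp-violation` report path and the sample FQDN are assumptions made for this illustration.

```python
"""Build a BridgeDB-style Content-Security-Policy header from config settings.

Added example, not BridgeDB's own code. The CSP_* and SAFELOGGING option
names are taken from the ticket; the function names, the report-uri path
and the sample hostname below are assumptions for illustration only.
"""
import json

# Constructed sample config mirroring the options quoted in the ticket.
SAMPLE_CONFIG = {
    "SERVER_PUBLIC_FQDN": "bridges.example.org",  # constructed value
    "CSP_ENABLED": True,
    "CSP_REPORT_ONLY": False,
    "CSP_INCLUDE_SELF": True,
    "SAFELOGGING": True,
}

# Hypothetical endpoint that report-only browsers would POST violations to;
# the ticket does not name one.
CSP_REPORT_PATH = "/csp-violation"

# Constructed violation report in the shape browsers send (JSON body).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example.net/x.js",
    "violated-directive": "script-src",
}})


def build_csp_header(config):
    """Return (header_name, header_value), or None when CSP is disabled.

    Follows the default policy described in the ticket: every source is
    denied ('none') except our own FQDN, plus data: URIs for images.
    """
    if not config.get("CSP_ENABLED", False):
        return None

    fqdn = config["SERVER_PUBLIC_FQDN"]
    if config.get("CSP_INCLUDE_SELF", False):
        # "'self'" (with the quotes) is appended to the FQDN, so the policy
        # matches both the configured hostname and the page's own origin.
        fqdn = "%s 'self'" % fqdn

    directives = [
        "default-src 'none'",
        "base-uri %s" % fqdn,
        "script-src %s" % fqdn,
        "style-src %s" % fqdn,
        "img-src %s data:" % fqdn,
        "font-src %s" % fqdn,
    ]

    if config.get("CSP_REPORT_ONLY", False):
        # Report-only mode never blocks anything; the browser just reports.
        directives.append("report-uri %s" % CSP_REPORT_PATH)
        name = "Content-Security-Policy-Report-Only"
    else:
        name = "Content-Security-Policy"

    return name, " ; ".join(directives)


def csp_report_log_line(report_json, client_ip, config):
    """Format a CSP violation report for DEBUG logging.

    Mirrors the ticket's rule: the client IP appears only when SAFELOGGING
    is disabled; otherwise it is scrubbed.
    """
    try:
        data = json.loads(report_json)
    except ValueError:
        return "CSP report: unparseable body"
    report = data.get("csp-report", {}) if isinstance(data, dict) else {}

    fields = ["%s=%s" % (k, report[k]) for k in sorted(report)]
    ip = "[scrubbed]" if config.get("SAFELOGGING", True) else client_ip
    return "CSP report from %s: %s" % (ip, " ".join(fields))


if __name__ == "__main__":
    print(build_csp_header(SAMPLE_CONFIG))
    print(csp_report_log_line(SAMPLE_REPORT, "203.0.113.7", SAMPLE_CONFIG))
```

Note that `default-src 'none'` is what makes the policy restrictive: any resource type without its own directive (frames, XHR, media, objects) is blocked outright, and only the listed types are re-opened for the FQDN. Switching `CSP_REPORT_ONLY` on changes only the header name and adds the report endpoint, which is the usual way to trial a policy before enforcing it.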