Issue #1329. Add a Content-Security-Policy-Report-Only header.

This allows xhr, fonts, images, scripts, css from webcompat.com (or localhost). It also allows script from google-analytics.com. Let's leave it on for a week or so and see what we need to tweak before enabling the policy (and where to file bugs to improve security).
webcompat · Feb 28, 2017 · b727f7d · b727f7d
1 parent 76d625d
commit b727f7d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/webcompat/helpers.py b/webcompat/helpers.py
@@ -468,3 +468,22 @@ def add_sec_headers(response):
     response.headers['X-Content-Type-Options'] = 'nosniff'
     response.headers['X-XSS-Protection'] = '1; mode=block'
     response.headers['X-Frame-Options'] = 'DENY'
+
+
+def add_csp(response):
+    '''Add a Content-Security-Policy header to response.
+
+    This should be used in @app.after_request to ensure the header is
+    added to all responses.'''
+    # short term, we send Content-Security-Policy-Report-Only
+    # see https://github.com/webcompat/webcompat.com/issues/763 for
+    # sending Content-Security-Policy
+    response.headers['Content-Security-Policy-Report-Only'] = (
+        "default-src 'none'; " +
+        "connect-src 'self'; " +
+        "font-src 'self'; " +
+        "img-src 'self'; " +
+        "script-src 'self' https://www.google-analytics.com; " +
+        "style-src 'self'; " +
+        "report-uri /csp-report"
+    )
diff --git a/webcompat/views.py b/webcompat/views.py
@@ -21,6 +21,7 @@
 
 from form import AUTH_REPORT
 from form import PROXY_REPORT
+from helpers import add_csp
 from helpers import add_sec_headers
 from helpers import get_browser_name
 from helpers import get_form
@@ -53,6 +54,7 @@ def before_request():
 def after_request(response):
     session_db.remove()
     add_sec_headers(response)
+    add_csp(response)
     return response