Issue #1329. Add a Content-Security-Policy-Report-Only header.

This allows xhr, fonts, images, scripts, css from webcompat.com (or localhost). It also allows script from google-analytics.com. Let's leave it on for a week or so and see what we need to tweak before enabling the policy (and where to file bugs to improve security).
webcompat · Feb 27, 2017 · c5333bc · c5333bc
1 parent 4af9549
commit c5333bc
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/webcompat/views.py b/webcompat/views.py
@@ -57,6 +57,15 @@ def after_request(response):
     response.headers['X-Content-Type-Options'] = 'nosniff'
     response.headers['X-XSS-Protection'] = '1; mode=block'
     response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['Content-Security-Policy-Report-Only'] = (
+        "default-src 'none'; " +
+        "connect-src 'self'; " +
+        "font-src 'self'; " +
+        "img-src 'self'; " +
+        "script-src 'self' https://www.google-analytics.com; " +
+        "style-src 'self'; " +
+        "report-uri /csp-report"
+    )
     return response