View Issue Details

IDProjectCategoryView StatusLast Update
0001413Main CAcert Websitemiscpublic2016-02-24 20:09
ReporterBenBE Assigned ToINOPIAE  
Status newResolutionopen 
Product Version2016 Q1 
Target Version2016 Q2 
Summary0001413: Introduce CSP and other security headers
DescriptionThe site should be changed so that the security features of modern browsers can be used (XSS proctection, IFrame protection, CSP, CORS, ...). In particular for Content Security Policy (CSP) the following policy should work:

default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';
Steps To ReproduceUse a plugin like "Caspr: Enforcer" and enable the above policy.
Hitting F12 and refreshing/browsing any page of the webdb should yield no error messages in the Chrome console.
Additional InformationThe above policy requires mostly the following changes:
- Move JS code to static files
- Move CSS into the normal style sheet (or separate files)
- Deliver used fonts locally as static files (or via webstatic / requires slight modification to above policy).
TagsNo tags attached.
Reviewed by
Test InstructionsSee steps to reproduce. Target is testing all functions causing zero issues doing so.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2016-02-24 20:09 BenBE New Issue
2016-02-24 20:09 BenBE Assigned To => INOPIAE