View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001413 | Main CAcert Website | misc | public | 2016-02-24 20:09 | 2016-02-24 20:09 |

| Field | Value |
|---|---|
| Reporter | BenBE |
| Assigned To | INOPIAE |
| Priority | normal |
| Severity | feature |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| Product Version | 2016 Q1 |
| Target Version | 2016 Q2 |
| Summary | 0001413: Introduce CSP and other security headers |
| Tags | No tags attached. |
| Reviewed by | |

**Description**

The site should be changed so that the security features of modern browsers can be used (XSS protection, IFrame protection, CSP, CORS, ...). In particular, for Content Security Policy (CSP) the following policy should work:

`default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self';`

**Steps To Reproduce**

Use a plugin like "Caspr: Enforcer" and enable the above policy. Hitting F12 and refreshing/browsing any page of the webdb should yield no error messages in the Chrome console.

**Additional Information**

The above policy mostly requires the following changes:

- Move JS code to static files
- Move CSS into the normal style sheet (or separate files)
- Deliver used fonts locally as static files (or via webstatic; this requires a slight modification to the above policy)

**Test Instructions**

See steps to reproduce. The target is that exercising all functions causes zero issues.
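As an added example (not CAcert's own code, and not the "Caspr: Enforcer" plugin), the check below does offline what the browser console does in the steps to reproduce: it parses the proposed policy, collects every fetch and every piece of inline script or style from a page, and reports what the policy would block. The policy string is the one from this issue; the two sample pages and the origin `https://www.example.org` are constructed for illustration. Source matching is simplified to `'none'`, `'self'`, `*`, `data:` and exact origins, and `@font-face` rules inside stylesheets are not inspected, so `font-src` has to be checked against the CSS separately.

```python
"""Added example, not CAcert's own code: an offline check that an HTML page
satisfies a Content Security Policy of the kind proposed in this issue.
The policy string is the one from the issue; the sample pages and the
origin below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

POLICY = ("default-src 'none'; script-src 'self'; img-src 'self'; "
          "style-src 'self'; font-src 'self';")
PAGE_ORIGIN = "https://www.example.org"   # constructed, not a real deployment


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Fetch directives such as img-src fall back to default-src when absent;
    None means no directive governs the fetch at all."""
    return directives.get(name, directives.get("default-src"))


def url_allowed(sources, url, page_origin):
    """True if fetching `url` from a page at page_origin is permitted.
    Simplified matching: no wildcard hosts, no path matching."""
    if sources is None:
        return True
    if not sources or "'none'" in sources:
        return False
    if "*" in sources:
        return True
    parsed = urlparse(url)
    if parsed.scheme == "data":
        return "data:" in sources
    if not parsed.netloc:                      # relative path: same origin
        return "'self'" in sources
    scheme = parsed.scheme or urlparse(page_origin).scheme   # "//host/x"
    origin = f"{scheme}://{parsed.netloc}"
    if origin == page_origin and "'self'" in sources:
        return True
    return origin in (s.rstrip("/") for s in sources)


class ResourceCollector(HTMLParser):
    """Records the fetches and inline code that the policy governs.
    Fonts referenced from @font-face in CSS are not visible here."""
    def __init__(self):
        super().__init__()
        self.fetches = []      # (directive, url)
        self.inline = []       # (directive, description)
        self._block = None     # directive of an open <script>/<style> block
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.fetches.append(("script-src", a["src"]))
            else:
                self._block = "script-src"
        elif tag == "style":
            self._block = "style-src"
        elif tag == "img" and a.get("src"):
            self.fetches.append(("img-src", a["src"]))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.fetches.append(("style-src", a["href"]))
        if a.get("style") is not None:
            self.inline.append(("style-src", f"style attribute on <{tag}>"))
        for name in a:
            if name.startswith("on"):          # onclick=, onload=, ...
                self.inline.append(("script-src", f"{name} handler on <{tag}>"))

    def handle_data(self, data):
        if self._block:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._block:
            if "".join(self._buf).strip():
                self.inline.append((self._block, f"inline <{tag}> block"))
            self._block, self._buf = None, []


def csp_violations(html, policy, page_origin):
    """Return human-readable violations `html` would raise under `policy`."""
    directives = parse_csp(policy)
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    problems = []
    for directive, url in collector.fetches:
        if not url_allowed(effective_sources(directives, directive), url, page_origin):
            problems.append(f"{directive}: blocked fetch of {url}")
    for directive, what in collector.inline:
        srcs = effective_sources(directives, directive)
        if srcs is not None and "'unsafe-inline'" not in srcs:
            problems.append(f"{directive}: {what} needs 'unsafe-inline'")
    return problems


# Constructed pages: the first has the inline code and third-party script the
# issue wants removed, the second is the same page after the listed changes.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/styles/default.css">
<script src="https://cdn.example.invalid/jquery.js"></script>
<script>document.title = "hi";</script>
</head><body style="margin:0">
<img src="/images/logo.png">
<a href="#" onclick="go()">go</a>
</body></html>"""

FIXED_PAGE = """<html><head>
<link rel="stylesheet" href="/styles/default.css">
<script src="/js/jquery.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="/images/logo.png">
<a href="#" id="go">go</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("before", SAMPLE_PAGE), ("after", FIXED_PAGE)):
        print(name, csp_violations(page, POLICY, PAGE_ORIGIN) or "clean")
```

Running the block prints four violations for the first page (the CDN script, the inline script block, the `style` attribute and the `onclick` handler) and "clean" for the second, which is exactly the set of changes listed under Additional Information: scripts and styles moved into static files served from the site's own origin.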