Add CSP headers #5014
Conversation
e2c4535 to 868d513
613b971 to bfcb294
In addition to the requested changes please:
- Remove all whitespace changes that are not related to the code you introduce.
- Regenerate the nonce if it's not an AJAX request.
library/Icinga/Web/Response.php
Outdated
$useCsp = (bool) Config::app()->get('security', 'use_csp', false);

if ($useCsp) {
    $this->setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload', true);
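Review bot: the `Strict-Transport-Security` header in this hunk is gated behind the `use_csp` option although it has nothing to do with Content-Security-Policy, and its value reaches far beyond this application: `includeSubdomains` commits every subdomain of the host to HTTPS for a year, and `preload` declares the site eligible for browser preload lists, which is effectively irreversible once the domain has been submitted. Either give HSTS its own, clearly documented option or leave it to the web server configuration, and in any case emit it only on responses served over HTTPS, since browsers ignore it on plain HTTP.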
Why all the other headers?
I've used these headers. Since most of these are for blocking XSS, I assumed that we would want all of them. These, of course, are more restrictive; I can also include only Content-Security-Policy if we don't want the rest.
Since those headers are easily configurable via the web server, I would not add them here.
Could this be clarified in the docs? Possibly linking to it in the description when setting up CSP? Since this seems to be best practice.
I did this at first, but when column page contents are being loaded, they are not considered an XML request.
How is that possible? Do you have proof? Everything would fall apart if they weren't AJAX requests.
I just rechecked. Now it always returns true with XHR requests, my bad. I think I first tested this when some JavaScript was still blocked by CSP.
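The nonce handling requested above ("regenerate the nonce if it's not an AJAX request") and the XHR detection discussed in this exchange, as an added, self-contained example that is not Icinga Web 2's code. It assumes the client marks AJAX requests with the usual `X-Requested-With: XMLHttpRequest` header and uses a plain array as a stand-in for the PHP session; the function names are illustrative. The security point it shows: the browser enforces the policy that arrived with the document, so a fragment fetched via XHR must carry the document's nonce, and only a full page load may mint a new one.

```php
<?php
declare(strict_types=1);

// Added example, not Icinga Web 2 code. Function names and the $session
// array are stand-ins for the framework's request, response and session objects.

/**
 * Detect an XMLHttpRequest by the X-Requested-With header, the convention
 * most AJAX clients follow (assumed here for Icinga Web's JavaScript).
 * Header names are compared case-insensitively, as HTTP requires.
 */
function isXhrRequest(array $headers): bool
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'X-Requested-With') === 0) {
            return strcasecmp(trim($value), 'XMLHttpRequest') === 0;
        }
    }
    return false;
}

/**
 * Return the nonce to use in this response's CSP header and <script nonce> tags.
 *
 * A CSP header on an XHR response does not replace the policy of the document
 * that issued the request, so XHR responses reuse the document's nonce.
 * A full page load (anything that is not XHR) mints a fresh one.
 */
function cspNonceForRequest(array &$session, array $headers): string
{
    if (isXhrRequest($headers) && isset($session['csp_nonce'])) {
        return $session['csp_nonce'];
    }
    // 128 bits from the CSPRNG, base64-encoded: a valid CSP nonce-source.
    $session['csp_nonce'] = base64_encode(random_bytes(16));
    return $session['csp_nonce'];
}

/** Minimal policy for illustration; the nonce unlocks inline scripts and styles. */
function buildCspHeader(string $nonce): string
{
    return "default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; "
        . "style-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'";
}

// Constructed walk-through of one browser session (no real HTTP involved).
$session = [];
$pageNonce   = cspNonceForRequest($session, ['Accept' => 'text/html']);                // full page load
$columnNonce = cspNonceForRequest($session, ['X-Requested-With' => 'XMLHttpRequest']); // column content via XHR
$reloadNonce = cspNonceForRequest($session, ['Accept' => 'text/html']);                // user reloads the page

if ($columnNonce !== $pageNonce) {
    throw new RuntimeException('XHR response would carry a nonce the document policy does not accept');
}
if ($reloadNonce === $pageNonce) {
    throw new RuntimeException('a full page load must not reuse the previous nonce');
}

echo 'Content-Security-Policy: ', buildCspHeader($reloadNonce), PHP_EOL;
echo '<script nonce="', htmlspecialchars($reloadNonce, ENT_QUOTES), '">/* allowed by the policy above */</script>', PHP_EOL;
```

Run it with `php nonce.php`; the two checks fail loudly if the XHR path ever mints a new nonce, which is exactly the situation the original implementation hit while its XHR detection returned false for column loads.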
b8a21cc to 154d14b
No description provided.