Add base-uri and report-sample csp directives #6194
base: master
Conversation
@L1ghtn1ng I suppose this PR relates to #6195 or am I missing something?
Yes and no, the report-sample will help with fixing things for sure as it will give better error messages in the browser console. But this PR is just a recommended addition and a slight tidy up.
I'll put it on my list of things to do to review and test this one.
Hi @AdSchellevis, any updates on this?
Not really, too busy with other work and not enough context on why we should do this.
In a nutshell, it stops a CSP bypass vector using the base-uri include, and report-sample is useful for seeing what code violates a CSP directive, so it helps with fixing any CSP issues.
For more information, please see https://book.hacktricks.xyz/pentesting-web/content-security-policy-csp-bypass
I don't mind improving the situation, but someone needs to test this thoroughly, the modification should be consistent between legacy and mvc parts and should follow best practices (I can already see the next PR coming in to remove This needs work to do it right, which unfortunately isn't high enough on our priority list. If you're willing to finish it and document test results, we can reevaluate if we should move it up the list. In our experience changes like these have a tendency to haunt us later.
78845fc to 8ba454a
The base-uri directive prevents base elements from being injected as a way to bypass the CSP. Also adding report-sample, which helps with debugging what is being blocked by the CSP so it can be fixed more easily.
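As an added example (not code from this PR or from OPNsense), a small Python audit that parses a CSP header and flags the two gaps this PR closes, useful when documenting test results for the legacy and MVC pages; the two sample headers are constructed for illustration:

```python
"""Audit a Content-Security-Policy header for base-uri and 'report-sample'.
Added example, not OPNsense code; the sample headers below are constructed."""
from typing import Dict, List

# Constructed sample headers (not taken from OPNsense):
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'"
HARDENED_CSP = ("default-src 'self'; base-uri 'self'; "
                "script-src 'self' 'report-sample'; style-src 'self' 'report-sample'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source values]}.
    Directive names are case-insensitive; the first occurrence of a
    directive wins, because browsers ignore later duplicates."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def audit_csp(header: str) -> List[str]:
    """Return findings for the two directives this PR adds; [] means both are in place."""
    policy = parse_csp(header)
    findings: List[str] = []
    # base-uri does not fall back to default-src, so without it an injected
    # <base href> can redirect every relative script URL the page loads.
    if "base-uri" not in policy:
        findings.append("missing base-uri: injected <base> can redirect relative script URLs")
    # 'report-sample' is a per-directive keyword; check the directives that
    # govern inline code, falling back to default-src as the browser would.
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        if "'report-sample'" not in sources:
            findings.append(f"{directive} lacks 'report-sample': violation reports omit the offending snippet")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit_csp(header) or "ok")
```

Point it at the header returned by the GUI (for example from `curl -sI`) to confirm both directives are present on each page that is tested.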