[RFC] Content Security Policy Compatibility

Ceil
Registered User
Posts: 3
Joined: Fri Apr 15, 2011 11:22 am

[RFC] Content Security Policy Compatibility

Post by Ceil »

Hello, my first post here.
I've tried to use CSP with 3.0.8; however, due to the amount of inline scripts and inline events, this causes features to break, e.g. the bold/i/u/quote bar and smilies.
The CSP I used was: allow 'self'; img-src *; script-src 'self' https://api-secure.recaptcha.net https://www.google.com; report-uri https://mysite.org/csp.php

Proposal:
Convert inline scripts into external scripts <script src="
Convert inline events using something like: element.onclick = someFunction; or element.addEventListener("click", someFunction, false);
Use the above for javascript links as well. <a href="javascript: (I haven't seen any of these).

References:
https://developer.mozilla.org/en/Introd ... ity_Policy

Result:
Web Admins can enable CSP and gain an additional layer of protection against XSS and clickjacking/ui-redressing attacks.
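As an added illustration of the proposal (this is example code written for this thread, not part of phpBB), the script below does two things a template maintainer would want before turning CSP on: it scans a template fragment for the three constructs the proposal lists (inline <script> blocks, on* event attributes, javascript: URLs), and it parses a policy string to tell whether the effective script-src actually forbids inline script. The template fragment is constructed for the example; the policy string is the one from the post above. The `allow` directive in that policy is the early Mozilla draft spelling and corresponds to `default-src` in the standardized header, so the parser accepts both.

```javascript
// Added example for the CSP RFC thread: audit a template for CSP-incompatible
// script usage and check whether a policy string forbids inline script.
// Not phpBB code; the template fragment below is constructed for illustration.

const SAMPLE_TEMPLATE = `
<a href="#" onclick="bbfontstyle('[b]', '[/b]'); return false;">B</a>
<script type="text/javascript">var form_name = 'postform';</script>
<script src="./styles/prosilver/template/editor.js"></script>
<a href="javascript:void(0);" onmouseover="helpline('b')">Bold</a>
<img src="./images/smilies/icon_e_smile.gif" alt=":)" />
`;

// The policy quoted in the post (report-uri host is the poster's placeholder).
const SAMPLE_POLICY =
  "allow 'self'; img-src *; script-src 'self' https://api-secure.recaptcha.net " +
  "https://www.google.com; report-uri https://mysite.org/csp.php";

// Find every construct that a policy without 'unsafe-inline' would block.
// Returns findings in document order, grouped by kind.
function findInlineScriptUses(html) {
  const findings = [];
  let m;

  // 1. <script> elements with no src attribute are inline script blocks.
  const scriptRe = /<script\b([^>]*)>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) {
      findings.push({ kind: 'inline-script', snippet: m[0] });
    }
  }

  // 2. on<event>="..." attributes are inline event handlers; the fix is to
  //    bind them from an external file with element.addEventListener(...).
  const handlerRe = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*')/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    findings.push({ kind: 'inline-handler', event: m[1].toLowerCase(), snippet: m[0].trim() });
  }

  // 3. href/src values starting with javascript: are also inline script.
  const jsUrlRe = /\b(href|src)\s*=\s*["']\s*javascript:/gi;
  while ((m = jsUrlRe.exec(html)) !== null) {
    findings.push({ kind: 'javascript-url', snippet: m[0] });
  }

  return findings;
}

// Split a policy string into { directiveName: [sourceExpressions] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Effective sources for script: script-src wins, then default-src, then the
// legacy Mozilla-draft "allow" directive used in the post's policy.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || directives['allow'] || [];
}

// True only if the effective script-src contains 'unsafe-inline'.
function allowsInlineScript(policy) {
  return scriptSources(parsePolicy(policy)).some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Report what would break under the given policy: every finding is a feature
// that stops working once the header is sent, unless inline script is allowed.
function auditTemplate(html, policy) {
  if (allowsInlineScript(policy)) return [];
  return findInlineScriptUses(html);
}

for (const f of auditTemplate(SAMPLE_TEMPLATE, SAMPLE_POLICY)) {
  console.log(`${f.kind}${f.event ? ' (' + f.event + ')' : ''}: ${f.snippet}`);
}
```

Running it against the sample prints one inline script block, two inline handlers (click, mouseover) and one javascript: link; these are exactly the spots that would have to move into an external file bound with addEventListener before the header can be deployed without 'unsafe-inline'.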

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am

Re: [RFC] Content Security Policy Compatibility

Post by Oleg »

Is all inline javascript disallowed? This seems too hard of a requirement.

The event stuff will be easier if we have a js framework taking care of it (viewtopic.php?f=108&t=33747).

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: [RFC] Content Security Policy Compatibility

Post by naderman »

nn- wrote: Is all inline javascript disallowed? This seems too hard of a requirement.
I'd say that's a pretty good idea, and certainly not a problem from a technological perspective.
