Page MenuHomePhabricator
Create Task
Maniphest T112586

Unconditionally set up restrictive CSP headers for non-HTML/SVG content in RESTBase
Closed, ResolvedPublic
Actions

Description

In T111820 @csteipp rightly pointed out that there is value in setting CSP headers to disallow framing on non-HTML/SVG responses. Unless there is a use case for custom CSP headers on JSON or other non-HTML/SVG responses, I would propose to unconditionally set very restrictive CSP headers on anything but /^(?:text\/html|image\/svg)/i:

Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

Related Objects

Event Timeline

GWicke created this task.Sep 14 2015, 8:39 PM
GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description. (Show Details)
GWicke added subscribers: GWicke, csteipp.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2015, 8:39 PM
GWicke triaged this task as Medium priority.Sep 14 2015, 8:39 PM
GWicke added a project: RESTBase.
GWicke set Security to None.
GWicke mentioned this in T111820: Set default CSP header in service template to "default-src 'none'".
GWicke updated the task description. (Show Details)
GWicke edited subscribers, added: mobrovac, Pchelolo; removed: Aklapper.
GWicke added a comment.Sep 14 2015, 9:23 PM

PR ready for review at https://github.com/wikimedia/restbase/pull/333.

mobrovac closed this task as Resolved.Oct 11 2015, 5:32 PM
mobrovac claimed this task.

PR 333 has been deployed.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL