Page MenuHomePhabricator
Create Task
Maniphest T253142

CSP improvement
Closed, DeclinedPublic
Actions

Description

The app's CSP is: "csp": "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"

CSP should also require trusted types for scripts to lock down DOM XSS injection sinks by adding require-trusted-types-for 'script' to the policy.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedsbassettT240869 Security Review For KaiOS Wikipedia app
 DeclinedNoneT253142 CSP improvement

Event Timeline

SBisson created this task.May 19 2020, 6:36 PM
SBisson triaged this task as Medium priority.May 19 2020, 7:03 PM
SBisson moved this task from MVP to Backlog on the KaiOS-Wikipedia-app board.
SBisson edited projects, added KaiOS-Wikipedia-app; removed KaiOS-Wikipedia-app (MVP).
Aklapper removed projects: user-sbassett, secscrum, Application Security Reviews.May 19 2020, 7:12 PM

(Please remove unrelated project tags (and subscribers) when creating subtasks - thanks!)

SBisson closed this task as Declined.May 19 2020, 7:39 PM

This feature appears to be experimental and unsupported by Firefox.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL