Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'self' to CSP script-src directive only when strictly necessary #54

Open
castarco opened this issue Mar 30, 2024 · 0 comments
Open

Add 'self' to CSP script-src directive only when strictly necessary #54

castarco opened this issue Mar 30, 2024 · 0 comments
Labels
csp Content-Security-Policy enhancement New feature or request sri SubResource Integrity ssr Related to Server-Side-Rendered Content

Comments

@castarco
Copy link
Contributor

As of today, Astro-Shield always adds the 'self' source to avoid potential problems with static imports present inside loaded scripts.

Although this is not dangerous, it is arguably less safe than just adding the hashes of the specific resources that will be loaded, and it is not always necessary (loaded scripts not always have static imports inside them, which is the only reason to add the self source).

My proposal is to detect when those import statements are present in the loaded scripts, and then add the self source only in those cases.
@castarco castarco added enhancement New feature or request csp Content-Security-Policy sri SubResource Integrity ssr Related to Server-Side-Rendered Content labels Mar 30, 2024
@danielszuk danielszuk mentioned this issue Apr 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
csp Content-Security-Policy enhancement New feature or request sri SubResource Integrity ssr Related to Server-Side-Rendered Content
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@castarco