Content-Security-Policy #305

Open
@bamboleeeero-bamboleeeero

Description

There seems to be a bunch of inline scripts or style rules such as this that don't play nice with CSP. These should be replaced by a CSS class.


Activity

added labels type/enhancement (An improvement of existing functionality) and topic/ui (Change the appearance of the Gitea UI) on Nov 29, 2016
added this to the 1.x.x milestone on Nov 29, 2016
bkcsoft

bkcsoft commented on Dec 2, 2016

@bkcsoft
Member

Yes, that should be a class, not inline style :)

Eriner

Eriner commented on Dec 11, 2016

@Eriner
Contributor

As a note: report-uri is a CSP directive that informs the browser where to report violations. Something to consider is providing/setting this directive and ingesting it into gitea to make it available to administrators.

Bwko

Bwko commented on Dec 18, 2016

@Bwko
Member

I'm currently implementing a Content-Security-Policy but we need style-src: unsafe-inline & script-src: unsafe-eval for semantic ui & jquery datetimepicker.
@bamboleeeero-bamboleeeero any advice on this?

tboerger

tboerger commented on Dec 18, 2016

@tboerger
Member

We should get rid of all inline crap.

Bwko

Bwko commented on Dec 18, 2016

@Bwko
Member

@tboerger I'm almost done with that (except for labels) but for tooltips semantic ui needs unsafe-inline 😕

tboerger

tboerger commented on Dec 18, 2016

@tboerger
Member

Even tooltips can be perfectly done with data attributes and unobtrusive js.

hasufell

hasufell commented on Jun 6, 2018

@hasufell

any news?

clarfonthey

clarfonthey commented on Jun 23, 2018

@clarfonthey
Contributor

Personally, I would appreciate at least adding a content-security-policy header to Gitea, slowly making it more strict as changes are made. At least things like form-action and frame-ancestors would be nice, which are doable now.

I'd be willing to work on this within the next few days if someone more-acquainted with the codebase isn't up to it!

toth-dev

toth-dev commented on Jun 23, 2018

@toth-dev

I'm adding this CSP with nginx:

default-src 'none'; base-uri 'none'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; connect-src 'self'; form-action 'self'

Everything seems to work with this.

hasufell

hasufell commented on Jun 23, 2018

@hasufell

@totpet interesting, I tried that too and it seems to work so far, but afais Mozilla Observatory reports this as a -20 score, so it seems to be too lax.

clarfonthey

clarfonthey commented on Jun 23, 2018

@clarfonthey
Contributor

As I said, things like frame-ancestors and form-action are really important parts of CSP that we could add for existing gitea. Adding unsafe-inline and unsafe-eval to JavaScript are really bad though, and that pretty much negates everything else.

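The two points raised above, Eriner's suggestion to set report-uri and ingest the reports for administrators, and the point that frame-ancestors and form-action can be strict today while 'unsafe-inline'/'unsafe-eval' for scripts defeat the rest of the policy, combined into one added example (not Gitea's own code): a Go server that mints a per-request nonce into the policy, so inline tags that carry the nonce are allowed without 'unsafe-inline', and an endpoint that parses the browser's JSON violation reports. The /-/csp-report path and the cspPolicy/parseReport names are assumptions, and the policy mirrors the nginx header posted earlier in this thread with the unsafe keywords replaced by the nonce.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"io"
	"log"
	"net/http"
)

const reportPath = "/-/csp-report" // hypothetical endpoint, not an actual Gitea route
// cspPolicy mints a per-request nonce and a policy that trusts only script/style tags carrying
// it; base-uri, frame-ancestors and form-action stay strict and 'unsafe-inline'/'unsafe-eval' never appear.
func cspPolicy() (nonce, header string, err error) {
	b := make([]byte, 16) // 128 bits from the CSPRNG, base64-encoded as CSP expects
	if _, err = rand.Read(b); err != nil {
		return "", "", err
	}
	nonce = base64.StdEncoding.EncodeToString(b)
	header = "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; " +
		"font-src 'self' data:; connect-src 'self'; manifest-src 'self'; style-src 'self' 'nonce-" + nonce + "'; " +
		"script-src 'self' 'nonce-" + nonce + "'; report-uri " + reportPath
	return nonce, header, nil
}

// cspReport keeps the fields of the browser's {"csp-report": {...}} POST body an admin needs.
type cspReport struct {
	DocumentURI       string `json:"document-uri"`
	ViolatedDirective string `json:"violated-directive"`
	BlockedURI        string `json:"blocked-uri"`
}
// parseReport decodes one report; the 64 KiB cap stops the endpoint becoming a log-flooding sink.
func parseReport(body io.Reader) (cspReport, error) {
	var wrapper struct {
		Report cspReport `json:"csp-report"`
	}
	err := json.NewDecoder(io.LimitReader(body, 64<<10)).Decode(&wrapper)
	return wrapper.Report, err
}

func main() {
	http.HandleFunc(reportPath, func(w http.ResponseWriter, r *http.Request) {
		if rep, err := parseReport(r.Body); err == nil { // malformed bodies are simply dropped
			log.Printf("CSP violation on %s: %s blocked %s", rep.DocumentURI, rep.ViolatedDirective, rep.BlockedURI)
		}
		w.WriteHeader(http.StatusNoContent) // the browser discards the response either way
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:3000", nil))
}
```

Page handlers would call cspPolicy once per request, set the returned header, and print the same nonce on the template's own inline tags; anything injected into the page does not know the nonce and is blocked and reported.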

Metadata

Repository: go-gitea/gitea
Labels: issue/confirmed (Issue has been reviewed and confirmed to be present or accepted to be implemented), topic/ui (Change the appearance of the Gitea UI), type/enhancement (An improvement of existing functionality)
Milestone: No milestone
Participants: @MetroWind, @lunny, @silverwind, @tboerger, @techknowlogick