Follow-up to #2510104: Remove inline JS for Drupal settings to enable CSP
Problem/Motivation
Content Security Policy (CSP) is a browser feature that helps prevent XSS attacks; the policy is delivered in headers sent by the site.
For CSP spec see: http://www.w3.org/TR/CSP/
https://www.owasp.org/index.php/Content_Security_Policy
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Inline JS is not compatible with enabling a reasonably secure content security policy, so this issue is postponed until the inline Drupal settings are removed in the related issue (#2510104).
Proposed resolution
Implement a basic and reasonably secure CSP header for Drupal core, such as
Content-Security-Policy: default-src 'self'; frame-ancestors 'self';
X-Frame-Options: SAMEORIGIN
Possibly (or as a follow-up or in contrib): add a callback that receives CSP violation reports and logs them to watchdog, e.g. using the CSP report-uri directive like:
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'; report-uri /system/csp-report-logger;
Likely this reporting should be supported only as something that can be temporarily enabled for debugging. It has obvious potential for abuse (DoS attacks, bogus data, etc.) such as outlined at https://www.virtuesecurity.com/blog/abusing-csp-violation-reporting/
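An added example (not core code and not part of this issue's patch) of what a report-uri callback with the mitigations described above could look like in a hypothetical contrib module "csp_example": logging is off unless a state key (hypothetical name csp_example.report_logging) is set, the body size and content type are checked, only whitelisted report fields are kept and truncated, and flood control caps how many reports one client IP may log per hour. The route name and path are assumptions; the page only proposes /system/csp-report-logger.

```php
<?php

namespace Drupal\csp_example\Controller;

use Drupal\Component\Utility\Unicode;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Receives CSP violation reports and logs them to watchdog.
 *
 * Hypothetical module "csp_example". The route (e.g. /system/csp-report-logger)
 * must allow anonymous POST access: browsers send reports with no session or
 * CSRF token.
 */
class CspReportController extends ControllerBase {

  // Upper bound on an accepted report body; real reports are a few hundred bytes.
  const MAX_BODY_BYTES = 8192;

  // Report fields worth logging; everything else in the payload is dropped.
  protected static $loggedFields = [
    'document-uri', 'referrer', 'violated-directive', 'effective-directive',
    'blocked-uri', 'source-file', 'line-number', 'original-policy',
  ];

  public function receive(Request $request) {
    // Always answer 204 No Content: the browser ignores the body, and a rejected
    // report gets the same answer as an accepted one.
    $response = new Response('', 204);

    // Logging is off by default and toggled in state storage for debugging only
    // (e.g. drush state-set csp_example.report_logging 1). Key name is hypothetical.
    if (!$this->state()->get('csp_example.report_logging', FALSE)) {
      return $response;
    }

    // Flood control: at most 50 logged reports per client IP per hour.
    $flood = \Drupal::flood();
    $ip = $request->getClientIp();
    if (!$flood->isAllowed('csp_example.report', 50, 3600, $ip)) {
      return $response;
    }

    $report = static::parseReport($request->headers->get('Content-Type', ''), $request->getContent());
    if ($report === NULL) {
      return $response;
    }
    $flood->register('csp_example.report', 3600, $ip);

    // Placeholders keep the untrusted strings out of the message format itself.
    $this->getLogger('csp')->notice('CSP violation: @directive blocked @blocked on @doc (report: @json)', [
      '@directive' => isset($report['violated-directive']) ? $report['violated-directive'] : '',
      '@blocked' => isset($report['blocked-uri']) ? $report['blocked-uri'] : '',
      '@doc' => isset($report['document-uri']) ? $report['document-uri'] : '',
      '@json' => json_encode($report),
    ]);
    return $response;
  }

  /**
   * Validates and whitelists a raw report body.
   *
   * @return array|null
   *   The cleaned report fields, or NULL if the body is not a usable report.
   */
  public static function parseReport($content_type, $body) {
    if (strlen($body) > self::MAX_BODY_BYTES) {
      return NULL;
    }
    // Browsers send application/csp-report; some older ones send application/json.
    if (!preg_match('#^application/(csp-report|json)\b#i', $content_type)) {
      return NULL;
    }
    $data = json_decode($body, TRUE);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
      return NULL;
    }
    $clean = [];
    foreach (static::$loggedFields as $field) {
      if (isset($data['csp-report'][$field]) && is_scalar($data['csp-report'][$field])) {
        // Truncate so a single bogus report cannot bloat the watchdog table.
        $clean[$field] = Unicode::truncate((string) $data['csp-report'][$field], 512);
      }
    }
    return $clean === [] ? NULL : $clean;
  }

}
```

The state flag is what makes this "temporarily enabled for debugging": with it unset the endpoint still answers 204 but does no parsing, no logging and no database writes, which is the cheapest possible handling of a flood of bogus reports.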
Remaining tasks
Implement
User interface changes
Possibly an admin page to configure some aspects of the CSP (optional for 8.0.x)
API changes
API addition to allow modules to alter or add to the CSP header for each page or response event.
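An added example (not core code and not part of this issue's patch) covering both the header proposed under "Proposed resolution" and the alter API sketched here: a response event subscriber in a hypothetical module "csp_example" that builds the directive set, lets other modules alter it through a hypothetical hook_csp_directives_alter(), and sets Content-Security-Policy and X-Frame-Options on every master response. The module, hook and service names are assumptions.

```php
<?php

namespace Drupal\csp_example\EventSubscriber;

use Drupal\Core\Extension\ModuleHandlerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Adds the baseline CSP and X-Frame-Options headers to every response.
 *
 * Hypothetical module "csp_example"; register it in csp_example.services.yml
 * with the "event_subscriber" tag and "@module_handler" as its argument.
 */
class CspSubscriber implements EventSubscriberInterface {

  /**
   * @var \Drupal\Core\Extension\ModuleHandlerInterface
   */
  protected $moduleHandler;

  public function __construct(ModuleHandlerInterface $module_handler) {
    $this->moduleHandler = $module_handler;
  }

  public static function getSubscribedEvents() {
    // Low priority so the policy is applied after other response subscribers.
    return [KernelEvents::RESPONSE => ['onResponse', -10]];
  }

  public function onResponse(FilterResponseEvent $event) {
    if (!$event->isMasterRequest()) {
      return;
    }
    $response = $event->getResponse();

    // Directive name => list of source expressions. This is the policy proposed
    // in the issue: only same-origin resources, only same-origin framing.
    $directives = [
      'default-src' => ["'self'"],
      'frame-ancestors' => ["'self'"],
    ];

    // Hypothetical alter hook: hook_csp_directives_alter(array &$directives).
    // A module that must load third-party JS would append to 'script-src' here
    // instead of weakening default-src for everything.
    $this->moduleHandler->alter('csp_directives', $directives);

    $response->headers->set('Content-Security-Policy', static::serialize($directives));
    // Pre-CSP equivalent of frame-ancestors 'self' for browsers without CSP 2.
    $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
  }

  /**
   * Serializes a directive map into header syntax, e.g.
   * "default-src 'self'; frame-ancestors 'self';".
   */
  public static function serialize(array $directives) {
    $parts = [];
    foreach ($directives as $name => $sources) {
      // Duplicate sources are harmless but noisy; drop them.
      $parts[] = $name . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $parts) . ';';
  }

}
```

Keeping the policy as a structured array until the last moment is what makes the alter step usable: modules add sources to a named directive rather than string-editing a header, and the serializer guarantees the result is still well-formed.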
Beta phase evaluation
| Issue category | Task, because it is security hardening. |
|---|---|
| Issue priority | Major, because CSP is an important security practice. |
| Prioritized changes | The main goal of this issue is security improvements. |
| Disruption | Likely not disruptive for contributed modules, unless they embed iframes or load third-party JS. |