Add more Content-Security-Policy directives

TASVideos · Oct 9, 2024 · 4e28e82 · 4e28e82
1 parent fc2f1f9
commit 4e28e82
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/TASVideos/Extensions/ApplicationBuilderExtensions.cs b/TASVideos/Extensions/ApplicationBuilderExtensions.cs
@@ -46,8 +46,9 @@ public static IApplicationBuilder UseStaticFilesWithExtensionMapping(this IAppli
 		});
 	}
 
-	public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app, IHostEnvironment env)
+	public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app, IHostEnvironment env, AppSettings settings)
 	{
+		var userAgentReportURL = $"{settings.BaseUrl}/Diagnostics/UserAgentInterventionReports";
 		string[] trustedJSHosts = [
 			"https://cdn.jsdelivr.net",
 			"https://cdnjs.cloudflare.com",
@@ -57,7 +58,15 @@ public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app
 			"https://www.youtube.com",
 		];
 		string[] cspDirectives = [
+			"base-uri 'none'", // neutralises the `<base/>` footgun
+			"default-src 'self'", // fallback for other `*-src` directives
+			"font-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // CSS `font: url();` and `@font-face { src: url(); }` will be blocked unless they're from one of these domains (this also blocks nonstandard fonts installed on the system maybe)
+			"form-action 'self'", // domains allowed for `<form action/>` (POST target page)
+			"frame-src 'self' https://www.youtube.com/embed/", // allow these domains in <iframe/>
+			"img-src *", // allow hotlinking images from any domain in UGC (not great)
+			"require-trusted-types-for 'script'", // experimental, but Google seems to be pushing it: should block `HTMLScriptElement.innerHTML = "user.pwn();";`, and similarly block adding in-line scripts as attrs
 			$"script-src 'self' {string.Join(' ', trustedJSHosts)}", // `<script/>`s will be blocked unless they're from one of these domains
+			"style-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // allow `<style/>`, and `<link rel="stylesheet"/>` if it's from our domain or trusted CDN
 			"upgrade-insecure-requests", // browser should automagically replace links to any `http://tasvideos.org/...` URL (in UGC, for example) with HTTPS
 		];
 		var contentSecurityPolicyValue = string.Join("; ", cspDirectives);

diff --git a/TASVideos/Program.cs b/TASVideos/Program.cs
@@ -67,7 +67,7 @@
 	.UseAuthentication()
 	.UseMiddleware<CustomLocalizationMiddleware>()
 	.UseSerilogRequestLogging()
-	.UseMvcWithOptions(app.Environment);
+	.UseMvcWithOptions(app.Environment, settings);
 
 if (app.Environment.IsDevelopment())
 {