From eb803aae14d733c566a816197ff6eb91ef2a0143 Mon Sep 17 00:00:00 2001
From: rugk
Date: Thu, 1 Sep 2016 21:00:53 +0200
Subject: [PATCH 1/3] Prevent referrer from being send

---
 public/.htaccess | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/public/.htaccess b/public/.htaccess
index 8daf711..81a008d 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -1,5 +1,5 @@
 # Content Security Policy-Headers
 # you have to enable apache module headers to get them working
-#Header set Content-Security-Policy "default-src 'self';"
-#Header set X-Content-Security-Policy "default-src 'self';"
-#Header set X-Webkit-CSP "default-src 'self';"
+#Header set Content-Security-Policy "default-src 'self'; referrer no-referrer;"
+#Header set X-Content-Security-Policy "default-src 'self'; referrer no-referrer;"
+#Header set X-Webkit-CSP "default-src 'self'; referrer no-referrer;"

From e97c666458e72a444d6d5ff32c658709184a35e4 Mon Sep 17 00:00:00 2001
From: rugk
Date: Fri, 2 Sep 2016 21:35:55 +0200
Subject: [PATCH 2/3] Improve CSP header & add Referrer-Policy

---
 app/index.html | 1 +
 public/.htaccess | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/index.html b/app/index.html
index 4b4c650..abf210a 100644
--- a/app/index.html
+++ b/app/index.html
@@ -5,6 +5,7 @@ + {{content-for 'head'}}
diff --git a/public/.htaccess b/public/.htaccess
index 81a008d..8604701 100644
--- a/public/.htaccess
+++ b/public/.htaccess
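Review bot: `referrer no-referrer` on the three new `Header set` lines is not a usable CSP directive — it was an experimental addition that was removed from the CSP drafts in favour of the separate `Referrer-Policy` header, and current browsers do not honour it, so this change does not alter what is sent in the Referer header. The supported form is its own header line next to the CSP ones, e.g. `Header set Referrer-Policy "no-referrer"`. The same directive is carried forward in the .htaccess hunks of patches 2 and 3 and into `config/environment.js` in patch 3, where the same caveat applies. Note also that all three lines stay commented out (`#Header set`), so nothing is enforced until the comment marker is removed and mod_headers is enabled, as the context comment already states.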
@@ -1,5 +1,5 @@
 # Content Security Policy-Headers
 # you have to enable apache module headers to get them working
-#Header set Content-Security-Policy "default-src 'self'; referrer no-referrer;"
-#Header set X-Content-Security-Policy "default-src 'self'; referrer no-referrer;"
-#Header set X-Webkit-CSP "default-src 'self'; referrer no-referrer;"
+#Header set Content-Security-Policy "default-src 'self'; referrer no-referrer; object-src 'none'; frame-anchors 'none';"
+#Header set X-Content-Security-Policy "default-src 'self'; referrer no-referrer; object-src 'none'; frame-anchors 'none';"
+#Header set X-Webkit-CSP "default-src 'self'; referrer no-referrer; object-src 'none'; frame-anchors 'none';"

From 1dd23ab59b28fb770e8c45a9b337256094880952 Mon Sep 17 00:00:00 2001
From: rugk
Date: Sat, 3 Sep 2016 16:26:57 +0200
Subject: [PATCH 3/3] Bring dev and stable CSP header in sync

Uses the most secure combination of these two.
---
 config/environment.js | 3 ++-
 public/.htaccess | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/environment.js b/config/environment.js
index 7e18379..cf242e1 100644
--- a/config/environment.js
+++ b/config/environment.js
@@ -19,7 +19,8 @@ module.exports = function(environment) {
 'connect-src': "'self'",
 'img-src': "'self'",
 'style-src': "'self'",
- 'media-src': "'self'"
+ 'media-src': "'self'",
+ 'referrer': "no-referrer"
 },
 
 EmberENV: {
diff --git a/public/.htaccess b/public/.htaccess
index 8604701..3ece971 100644
--- a/public/.htaccess
+++ b/public/.htaccess
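Review bot: `frame-anchors 'none'` on the three added lines is a misspelling of `frame-ancestors`; browsers ignore a directive name they do not recognise (usually with a console warning), so the header gains no protection against the page being framed, which appears to be the intent of this addition. Change it to `frame-ancestors 'none'` in all three lines. `object-src 'none'` is spelled correctly and will take effect once the lines are uncommented. The `X-Content-Security-Policy` and `X-Webkit-CSP` variants are pre-1.0 vendor-prefixed headers; keeping them in sync is harmless, but only the unprefixed `Content-Security-Policy` header is read by current browsers.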
@@ -1,5 +1,5 @@
 # Content Security Policy-Headers
 # you have to enable apache module headers to get them working
-#Header set Content-Security-Policy "default-src 'self'; referrer no-referrer; object-src 'none'; frame-anchors 'none';"
-#Header set X-Content-Security-Policy "default-src 'self'; referrer no-referrer; object-src 'none'; frame-anchors 'none';"
-#Header set X-Webkit-CSP "default-src 'self'; referrer no-referrer; object-src 'none'; frame-anchors 'none';"
+#Header set Content-Security-Policy "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; referrer no-referrer;"
+#Header set X-Content-Security-Policy "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; referrer no-referrer;"
+#Header set X-Webkit-CSP "default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; referrer no-referrer;"
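Review bot: The synced policy drops all framing protection: `frame-ancestors` is one of the directives that does not fall back to `default-src`, so moving to `default-src 'none'` and removing the (misspelled) `frame-anchors` entry from patch 2 leaves the page frameable, whereas patch 2 at least intended to forbid it. Add `frame-ancestors 'none';` to the three `Header set` lines; it belongs in the HTTP header specifically, because that directive is ignored when CSP is delivered through a `<meta>` element. `media-src 'self'` is kept in `config/environment.js` but omitted here, so under `default-src 'none'` media loads are blocked only in the .htaccess deployment — presumably deliberate given the commit message, but worth confirming against the app's needs. `referrer no-referrer` remains a non-standard directive; `Header set Referrer-Policy "no-referrer"` is the supported mechanism.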