
Remove logic that modifies policies in unexpected ways?

Open · oreoshake opened this issue 7 years ago • 2 comments

One of the features of secure_headers is that it will do a lot to shrink the size of a complicated policy:

  • Using child-src/frame-src based on a bug from 2 years ago
  • Removing protocols
  • Deduping hosts
  • Discard trailing entries (excluding unsafe-*) since * accomplishes the same.
  • Discard any 'none' values if more directives are supplied since none may override values.
  • Removes duplicates and sources that already match an existing wild card.
  • Removes unsupported directives

But most of all, it leads to confusing output that sometimes actually prevents you from using CSP correctly.

What are the motivations for policy minifying?

  • So humans can grok it?
  • To save a few bytes?

I know Scott Helme recently published a blog post about Twitter's monstrous CSP and how it could be minified. I think it's the place of this library to suggest improvements but not magically manipulate them with a few hundred lines of ruby code (no matter how well commented :smile:).

So, instead of modifying policies, how about we turn on some sort of dynamic linting, maybe one that logs or raises exceptions in dev/test but is turned off in prod?

oreoshake avatar Jan 24 '18 19:01 oreoshake

I think there are a couple more ways we might want to further break this down for discussion. I would propose looking at policy shrinking vs. policy compatibility. For instance, we could probably just output an info log entry for things like wildcard overriding matching hosts (which while annoying to duplicate might not actually break things) whereas things like removing protocols could be treated as a compatibility issue, primarily Safari, since they have the power to cause a massive influx of traffic for your reporting endpoint.

If evaluating how to shrink the policy is something this library would like to assist with, perhaps a separate rake task or gem could help? I did start something like this a while back (jacobbednarz/csp-validator) which didn't get too far since at that job the focus switched from CSP to other internal initiatives but I'm sure we could achieve something far more in depth with the help of yourself and other users.

jacobbednarz avatar Jan 24 '18 21:01 jacobbednarz
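As an added example (not secure_headers' own code, and not something either commenter posted), here is the shape both proposals above point at: the conditions the gem currently rewrites silently (duplicate hosts, hosts shadowed by a wildcard, trailing entries next to `*`, `'none'` mixed with other sources, scheme-only sources) are reported as findings instead of being edited away, split into `:info` for pure shrink suggestions and `:compat` for things that can change browser behaviour, with an `enforce!` helper that logs the former and raises on the latter, as a dev/test-only hook might. The policy hash shape (directive symbol => array of source strings), the rule names, the severity labels and the sample policy are all assumptions constructed for illustration.

```ruby
# Added example, not secure_headers' own code: a CSP policy linter that reports
# the conditions the gem currently rewrites, instead of modifying the policy.
# Policy shape (directive symbol => array of source strings), severity labels
# and rule names are assumptions for illustration.
require 'stringio'

module CspLint
  Finding = Struct.new(:level, :directive, :message)
  class LintError < StandardError; end

  # A source is "scheme-only" when it is just a scheme, e.g. "https:" or "data:".
  SCHEME_ONLY = /\A[a-z][a-z0-9+.\-]*:\z/i

  # Does +source+ fall under the wildcard host +pattern+ (e.g. "*.example.com")?
  # Only the host part is compared; scheme, port and path are stripped.
  # Assumption: a source equal to the pattern itself is not "covered" by it.
  def self.covered_by_wildcard?(pattern, source)
    return false unless pattern.start_with?('*.')
    suffix = pattern[1..-1] # ".example.com"
    host = source.sub(%r{\A[a-z]+://}i, '').split('/').first.to_s.split(':').first.to_s
    host.end_with?(suffix) && host != pattern
  end

  def self.lint(policy)
    findings = []
    policy.each do |directive, sources|
      next unless sources.is_a?(Array)

      # 1. Exact duplicates: harmless noise, so :info only.
      sources.group_by(&:itself).select { |_, v| v.size > 1 }.each_key do |d|
        findings << Finding.new(:info, directive, "#{d} listed more than once")
      end

      # 2. Hosts already matched by a wildcard entry in the same directive.
      sources.uniq.each do |src|
        shadow = sources.find { |p| covered_by_wildcard?(p, src) }
        findings << Finding.new(:info, directive, "#{src} already matched by #{shadow}") if shadow
      end

      # 3. "*" alongside concrete hosts: the hosts add nothing. Keyword sources
      #    ('self', 'unsafe-*') and scheme sources (data:, blob:) are NOT covered
      #    by "*", so they are left out of this finding.
      if sources.include?('*')
        extras = sources.reject { |s| s == '*' || s.start_with?("'") || s.match?(SCHEME_ONLY) }
        findings << Finding.new(:info, directive, "* makes #{extras.join(', ')} redundant") unless extras.empty?
      end

      # 4. 'none' mixed with other sources is handled inconsistently across
      #    browsers: flag it rather than silently dropping it.
      if sources.include?("'none'") && sources.size > 1
        findings << Finding.new(:compat, directive, "'none' combined with other sources")
      end

      # 5. Scheme-only sources: removing them changes what the browser allows,
      #    so this is a compatibility finding, not a size one.
      sources.select { |s| s.match?(SCHEME_ONLY) }.each do |s|
        findings << Finding.new(:compat, directive, "scheme-only source #{s}")
      end
    end
    findings
  end

  # Dev/test behaviour from the thread: log :info findings, raise on :compat.
  def self.enforce!(policy, logger: $stderr)
    findings = lint(policy)
    findings.select { |f| f.level == :info }.each { |f| logger.puts("csp lint: #{f.directive} #{f.message}") }
    compat = findings.select { |f| f.level == :compat }
    raise LintError, compat.map { |f| "#{f.directive}: #{f.message}" }.join('; ') unless compat.empty?
    findings
  end
end

# Constructed sample policy exhibiting each condition above.
SAMPLE_POLICY = {
  default_src: ["'self'"],
  script_src:  ["'self'", 'https://cdn.example.com', '*.example.com', 'https://cdn.example.com', 'https:'],
  img_src:     ['*', 'https://img.example.net', 'data:'],
  object_src:  ["'none'", 'https://legacy.example.com']
}.freeze

if __FILE__ == $PROGRAM_NAME
  CspLint.lint(SAMPLE_POLICY).each { |f| puts "#{f.level}\t#{f.directive}\t#{f.message}" }
end
```

Running the file prints three `:info` and three `:compat` findings for the sample policy; `CspLint.enforce!` raises a `LintError` listing the three compatibility findings, which is the "raise in dev/test" behaviour a Rails initializer could opt into while production keeps emitting the policy unchanged.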

I’m more focused on removing brittle code than shrinking a policy. I like the idea of using something else to suggest optimizations.

oreoshake avatar Jan 25 '18 00:01 oreoshake