
Ensure HTTP headers are applied to the correct Content-Type #187

Closed
Malvoz opened this issue May 1, 2019 · 6 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@Malvoz
Contributor

Malvoz commented May 1, 2019

It was brought to my attention that for example, the CSP header should be sent for other resources such as XML and workers.

(While we could send any given HTTP header in all responses, it'll contribute to header bloat, and for other headers it may even cause issues)

w3c/webappsec#520
webhintio/hint#2342

@LeoColomb
Member

Well, let's see the conclusions of these issues before taking concrete action.
I look forward to webhint's answer.

@Malvoz
Contributor Author

Malvoz commented Jul 25, 2019

webhint.io settled on setting CSP for text/html|text/xml|application/xhtml+xml|text/javascript|application/pdf|image/svg+xml in webhintio/hint#2618, because these types are all able to execute scripts within their context (except for JS, but it's the easiest way to set CSP for workers).

So, to adjust the pattern to match the types in /media_types/, change text/xml to application/xml,

which results in:
text/html|application/xml|application/xhtml+xml|text/javascript|application/pdf|image/svg+xml

However application/pdf is currently not handled by media_types.conf. Should it be? IMO yes.

@LeoColomb
Member

OK.

text\/(html|javascript)|application\/pdf|xml

Is that sufficient, or are false positives for other XML-related types undesirable?
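To make the trade-off in this thread concrete, the following added example (mine, not code from this thread or from the h5bp server configs) runs both patterns discussed above, the explicit type list from the earlier comment and the shorter `text\/(html|javascript)|application\/pdf|xml` proposal, against constructed Content-Type values. It assumes the pattern is applied as an unanchored, case-insensitive search over the full header value, so a parameter such as `; charset=UTF-8` does not prevent a match; the sample types and the helper names are my own.

```python
import re

# Explicit list from the thread, with text/xml swapped for application/xml.
STRICT_PATTERN = re.compile(
    r"text/html|application/xml|application/xhtml\+xml"
    r"|text/javascript|application/pdf|image/svg\+xml",
    re.IGNORECASE,
)

# Shorter proposal from the thread: any Content-Type containing "xml" matches.
LOOSE_PATTERN = re.compile(
    r"text/(html|javascript)|application/pdf|xml",
    re.IGNORECASE,
)


def csp_applies(content_type: str, pattern: re.Pattern = LOOSE_PATTERN) -> bool:
    """Return True when a CSP header should be attached to a response.

    Assumption: the server evaluates the pattern as an unanchored,
    case-insensitive search, so media-type parameters are ignored.
    """
    return pattern.search(content_type) is not None


def classify(content_types, pattern=LOOSE_PATTERN):
    """Map each Content-Type to whether CSP would be sent under `pattern`."""
    return {ct: csp_applies(ct, pattern) for ct in content_types}


def differences(content_types):
    """Content-Types on which the two patterns disagree (the 'false positives'
    of the loose pattern relative to the explicit list), sorted."""
    return sorted(
        ct for ct in content_types
        if csp_applies(ct, STRICT_PATTERN) != csp_applies(ct, LOOSE_PATTERN)
    )


# Constructed sample values a server might emit; not taken from the thread.
SAMPLE_TYPES = [
    "text/html; charset=UTF-8",   # both: yes
    "application/xhtml+xml",      # both: yes
    "application/xml",            # both: yes
    "text/xml",                   # loose only (contains "xml")
    "image/svg+xml",              # both: yes
    "application/rss+xml",        # loose only (contains "xml")
    "application/pdf",            # both: yes
    "text/javascript",            # both: yes
    "application/javascript",     # neither pattern matches this JS type
    "text/plain",                 # both: no
    "application/json",           # both: no
]

if __name__ == "__main__":
    for ct, hit in classify(SAMPLE_TYPES).items():
        print(f"{ct:28s} loose={hit!s:5s} strict={csp_applies(ct, STRICT_PATTERN)}")
    print("disagreements:", differences(SAMPLE_TYPES))
```

The disagreements are exactly the "other XML-related types" the question above is about: with the loose pattern, feeds and `text/xml` documents also receive the header, which is the behaviour the thread ultimately accepts. Note also that scripts served as `application/javascript` rather than `text/javascript` match neither pattern, so a worker script with that type would not get CSP from either rule.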

@Malvoz
Contributor Author

Malvoz commented Jul 26, 2019

Covering all cases of XML is certainly better, so why not? Great!

@LeoColomb
Member

Alright. Can't wait for your PR! 😉

@LeoColomb LeoColomb added help wanted Extra attention is needed and removed awaiting feedback Further information is requested labels Jul 27, 2019
Malvoz added a commit to Malvoz/server-configs-apache that referenced this issue Jul 28, 2019
LeoColomb added a commit to h5bp/server-configs-nginx that referenced this issue Jul 31, 2019
LeoColomb pushed a commit that referenced this issue Oct 25, 2019
* Expand responses to include CSP (per #187)

* Bump server-config-test to 1.2.0
LeoColomb added a commit to h5bp/server-configs-nginx that referenced this issue Apr 10, 2020
@LeoColomb
Member

Closed via #200

LeoColomb added a commit to h5bp/server-configs-nginx that referenced this issue Apr 13, 2020
LeoColomb added a commit to h5bp/server-configs-nginx that referenced this issue Apr 13, 2020
LeoColomb added a commit to h5bp/server-configs-nginx that referenced this issue Apr 13, 2020