Going forward with CSP · PrivateBin/PrivateBin#108

(7 comments) (2 reactions) (0 assignees)PHP (4,616 stars) (627 forks)batch import

enhancementhelp wantedsecurity/privacy

Description

Google has just released a CSP testing tool and some more detailed information about CSP.

They mention some interesting things:

There is a new 'strict-dynamic' being created.
unsafe-inline can always be used as a fallback for older browsers supporting only CSPv2. CSPv3-compliant browsers will ignore this if strict-dynamic, nonces or hashes are used.
They do discourage the use of 'self' in script-src as it can be bypassed in certain cases.

In CSPv3 you can AFAIK also define subdirectories (privatebin.org/scripts), which could be another way to strengthen our policy. However in this case there might be compatibility issues.

So together with https://github.com/PrivateBin/PrivateBin/issues/82 this might be an issue we can address in the future when CSP has further developed itself :smiley:

Contributor guide

Tech stack: javascripthtmlcss
Domain: securityfrontend
Issue type: security
Difficulty: 3
Estimated time: 1-2 days
Activity status: stale
Clarity: needs investigation
Prerequisites: Knowledge of Content Security Policy (CSP)Familiarity with HTTP headersPHP development environment
Newbie friendliness: 20
Research direction: The issue discusses implementing strict CSP directives like 'strict dynamic' and nonces, and avoiding 'self' in script src. Research the current CSP headers in PrivateBin (likely in src/Configuration.php or similar). Propose a new CSP policy using a nonce or hash, test with Google's CSP evaluator, and consider compatibility with older browsers. The main deliverable is a pull request that updates the CSP header in the PHP configuration.