
Commit 16540a0

Set basic Content Security Policy (#2877)
This PR adds a primitive [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) as another layer of protection against XSS attacks. While a nonce- or hash-based approach is the ultimate goal, some of the legacy JavaScript needs to be refactored before that is realistic. As a basic starting point, this PR blocks all access to cross-origin scripts since CDash itself never uses scripts from a 3rd-party source. This protects against one of the most common XSS attack vectors: small segments of malicious code which download a malicious payload from external sites.
1 parent 42a7ea4 commit 16540a0


public/.htaccess

Lines changed: 2 additions & 0 deletions
@@ -24,4 +24,6 @@
2424
<FilesMatch "\.(css|js|svg|gif|png)$">
2525
Header set Cache-Control "max-age=31536000"
2626
</FilesMatch>
27+
28+
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:"
2729
</IfModule>
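Review bot: `default-src 'self' 'unsafe-inline' 'unsafe-eval'` on the added `Header set Content-Security-Policy` line still permits any inline `<script>` and any `eval()` that an attacker can inject into the page, so the policy only stops the "load a payload from another origin" step; the commit message already frames this as an interim measure, so it would help to record the `unsafe-inline`/`unsafe-eval` removal as a tracked follow-up rather than only in this description. Two directives worth adding now, since they do not fall back to `default-src`, are `frame-ancestors 'self'` (clickjacking) and `base-uri 'self'` (stops an injected `<base>` tag from redirecting relative script URLs); `object-src 'none'` is also cheap and closes the plugin route, e.g. `Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"`. Consider `Header always set ...` instead of `Header set`: without `always`, mod_headers only adds the header to successful (2xx) responses, so error pages, which are a classic place for reflected input, ship without any policy. Finally, `'self'` in `font-src` combined with `data:` is fine, but it is worth rolling this out as `Content-Security-Policy-Report-Only` first (or with a `report-uri`/`report-to`) to catch any legacy page that pulls a cross-origin script before the enforcing header breaks it.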
