CSP generation.

An extension which can collect endpoint-provided hints during dispatch and enforce certain minimums.


## Recommendations

* `object-src 'none';` by default.  Flash is dead. Don't be the one to resurrect it.

* Levels of _default security profiles_:

  * **Open** / development mode.  Permit everything.
  * **Restrictive** / diagnostic mode.  Deny virtually everything, with log collection.
  * **Strict.**  Disallow most aspects not required for basic site usage, and only permit the "essentials" from self and in-page.
  * **Safe.**  A reasonable set of default policies.

* Allowed resource sources for CSS, JS, and Fonts collectable during request preparation.


## Resources

* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
* https://www.4armed.com/blog/how-to-create-content-security-policy/
* https://www.chromium.org/updates/same-site


## Sample CSPs

### CEGID / Illico Hodes RITA

```csp
default-src 'self';
img-src *;
script-src 'self' 'unsafe-inline' unpkg.com www.google-analytics.com;
style-src 'self' 'unsafe-inline' unpkg.com fonts.googleapis.com fonts.gstatic.com;
font-src 'self' fonts.googleapis.com fonts.gstatic.com;
object-src 'none';
connect-src 'self' www.google-analytics.com;
```

### Facebook

```csp
default-src * data: blob: 'self';
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';
style-src data: blob: 'unsafe-inline' *;
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
upgrade-insecure-requests;
report-uri https://www.facebook.com/csp/reporting/;
```

### LinkedIn

```csp
default-src *;
connect-src 'self' https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com https://dpm.demdex.net/id https://lnkd.demdex.net/event blob: static.licdn.com static-exp1.licdn.com static-exp2.licdn.com static-exp3.licdn.com media.licdn.com media-exp1.licdn.com media-exp2.licdn.com media-exp3.licdn.com;
img-src data: blob: *;
font-src data: *;
style-src 'unsafe-inline' 'self' static-src.linkedin.com *.licdn.com;
script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' spdy.linkedin.com static-src.linkedin.com *.ads.linkedin.com *.licdn.com static.chartbeat.com www.google-analytics.com ssl.google-analytics.com bcvipva02.rightnowtech.com www.bizographics.com sjs.bizographics.com js.bizographics.com d.la4-c1-was.salesforceliveagent.com slideshare.www.linkedin.com https://snap.licdn.com/li.lms-analytics/insight.min.js platform.linkedin.com platform-akam.linkedin.com platform-ecst.linkedin.com platform-azur.linkedin.com;
object-src 'none';
media-src blob: *;
child-src blob: lnkd-communities: voyager: *;
frame-ancestors 'self';
report-uri https://www.linkedin.com/platform-telemetry/csp?f=l
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CSP generation. #6

Recommendations

Resources

Sample CSPs

CEGID / Illico Hodes RITA

Facebook

LinkedIn

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CSP generation. #6

Description

Recommendations

Resources

Sample CSPs

CEGID / Illico Hodes RITA

Facebook

LinkedIn

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions