This repository was archived by the owner on Mar 13, 2025. It is now read-only.

CSP Enabled Verification #20

Open
RishiRajSahu opened this issue Jun 3, 2021 · 1 comment
@RishiRajSahu

As reported by security tools, we need to remove the `unsafe-*` directives from the CSP header in order to comply with security policies, as this directive makes the CSP too permissive.

Code Link : https://github.com/topcoder-platform/micro-frontends-frame/blob/dev/src/index.ejs#L23
Atlassian link - https://topcoder.atlassian.net/browse/VULN-2201

fyi @urwithat @mtwomey

@RishiRajSahu RishiRajSahu self-assigned this Jun 3, 2021
@RishiRajSahu RishiRajSahu changed the title from "Remove unsafe directives from CSP header" to "Adding CSP for MFE apps" Nov 11, 2021
@RishiRajSahu

This is the least permissive CSP header for https://platform.topcoder-dev.com:
default-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://js.stripe.com https://w.chatlio.com https://static.filestackapi.com https://s7.addthis.com https://z.moatads.com https://v1.addthisedge.com https://m.addthis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://w.chatlio.com https://static.filestackapi.com; img-src * data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.topcoder-dev.com https://community-app.topcoder-dev.com https://*.filestackapi.com https://*.s3.amazonaws.com https://www.topcoder-dev.com https://api.chatlio.com https://api-cdn.chatlio.com https://raw.githubusercontent.com http://api.topcoder.com https://petstore.swagger.io http://petstore.swagger.io; frame-src https://accounts-auth0.topcoder-dev.com https://js.stripe.com https://s7.addthis.com; media-src https://w.chatlio.com; frame-ancestors none; form-action 'self';
For production platform.topcoder.com, this is the CSP header (replace topcoder-dev with topcoder):
default-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://js.stripe.com https://w.chatlio.com https://static.filestackapi.com https://s7.addthis.com https://z.moatads.com https://v1.addthisedge.com https://m.addthis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://w.chatlio.com https://static.filestackapi.com; img-src * data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.topcoder.com https://community-app.topcoder.com https://*.filestackapi.com https://*.s3.amazonaws.com https://www.topcoder.com https://api.chatlio.com https://api-cdn.chatlio.com https://raw.githubusercontent.com http://api.topcoder.com https://petstore.swagger.io http://petstore.swagger.io; frame-src https://accounts-auth0.topcoder.com https://js.stripe.com https://s7.addthis.com; media-src https://w.chatlio.com; frame-ancestors none; form-action 'self';
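The policies above still carry `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, which is exactly what the issue was opened to remove, and `frame-ancestors none` leaves the keyword unquoted (browsers then read it as a host literally named `none`). A small lint pass over the serialized header makes such findings repeatable before a scanner reports them. The Python below is an added example, not code from the issue or the micro-frontends-frame project: `DEV_CSP` is an abridged copy of the posted dev policy (long host lists trimmed), and `HARDENED_CSP` is a constructed variant for comparison whose nonce value is a placeholder.

```python
"""Lint a Content-Security-Policy value for the permissive settings a scanner flags.

Added example; not part of the issue or the project it refers to.
"""
from __future__ import annotations

# Keywords the spec requires to be single-quoted; unquoted, they parse as host names.
CSP_KEYWORDS = {
    "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
    "strict-dynamic", "report-sample", "wasm-unsafe-eval",
}
# Quoted keywords that relax script/style execution and undo most XSS protection.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", "'wasm-unsafe-eval'"}

# Abridged copy of the dev policy posted in the issue (host lists trimmed for brevity).
DEV_CSP = (
    "default-src 'none'; base-uri 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://js.stripe.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "img-src * data:; font-src 'self' https://fonts.gstatic.com; "
    "connect-src 'self' https://api.topcoder-dev.com http://api.topcoder.com; "
    "frame-src https://accounts-auth0.topcoder-dev.com https://js.stripe.com; "
    "frame-ancestors none; form-action 'self';"
)

# Constructed hardened variant (hypothetical, not from the issue): a per-response nonce
# instead of 'unsafe-inline'/'unsafe-eval', a quoted 'none', https-only hosts, no img wildcard.
HARDENED_CSP = (
    "default-src 'none'; base-uri 'self'; "
    "script-src 'self' 'nonce-EXAMPLE_NONCE' https://cdn.jsdelivr.net https://js.stripe.com; "
    "style-src 'self' https://fonts.googleapis.com; "
    "img-src 'self' data: https://*.s3.amazonaws.com; font-src 'self' https://fonts.gstatic.com; "
    "connect-src 'self' https://api.topcoder-dev.com https://api.topcoder.com; "
    "frame-src https://accounts-auth0.topcoder-dev.com https://js.stripe.com; "
    "frame-ancestors 'none'; form-action 'self';"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated. A repeated
    directive name is ignored, which is what user agents do per the spec.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), sources)
    return directives


def lint_csp(policy: str) -> list[tuple[str, str, str]]:
    """Return (directive, finding-kind, source) triples for permissive or malformed entries."""
    findings: list[tuple[str, str, str]] = []
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            low = src.lower()
            if low in UNSAFE_KEYWORDS:
                findings.append((directive, "unsafe-keyword", src))
            elif low in CSP_KEYWORDS:
                # e.g. `frame-ancestors none`: matched as a host named "none", not the keyword
                findings.append((directive, "unquoted-keyword", src))
            elif src == "*":
                findings.append((directive, "wildcard", src))
            elif low.startswith("http://") or low == "http:":
                findings.append((directive, "plaintext-http", src))
    return findings


def describe(finding: tuple[str, str, str]) -> str:
    """Render one finding as a reviewer-facing line."""
    directive, kind, src = finding
    messages = {
        "unsafe-keyword": f"{src} lets injected inline/eval code run; replace with nonces or hashes",
        "unquoted-keyword": f"{src} is not quoted, so it is a host name, not the '{src}' keyword",
        "wildcard": "any origin may supply this resource type",
        "plaintext-http": f"{src} permits loading over cleartext HTTP",
    }
    return f"{directive}: {messages[kind]}"


if __name__ == "__main__":
    for label, policy in (("dev (as posted)", DEV_CSP), ("hardened (constructed)", HARDENED_CSP)):
        print(f"== {label}: {len(lint_csp(policy))} finding(s)")
        for f in lint_csp(policy):
            print("  " + describe(f))
```

Run against the posted dev policy the linter reports six findings: the two `script-src` keywords, `'unsafe-inline'` in `style-src`, the `img-src` wildcard, the `http://api.topcoder.com` connect source, and the unquoted `none`; the constructed hardened variant reports none. Dropping `'unsafe-inline'` from `script-src` only works once every inline `<script>` in `index.ejs` carries the nonce (or a hash), so the linter is a check on the header, not a substitute for testing the pages with the header deployed.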

@RishiRajSahu RishiRajSahu changed the title from "Adding CSP for MFE apps" to "CSP Enabled Verification" Nov 11, 2021