Add Content Security Policy headers
Bug #822950 reported by
François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Libravatar (obsolete) | Fix Released | Low | François Marier |
Bug Description
To help limit the damage that content injection (e.g. XSS) could cause, Libravatar could expose the X-Content-
It's built into Firefox 4 and later.
https:/
https:/
https:/
Also see bug #769738 for a similar type of browser-enforced security checks.
description: updated
Changed in libravatar:
status: In Progress → Fix Committed
Changed in libravatar:
status: Fix Committed → Fix Released
tags: added: csp
This looks like a reasonable default policy:
X-Content-Security-Policy: "allow 'self'; options inline-script; img-src 'self' http://cdn.libravatar.org https://seccdn.libravatar.org data:"
(see https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives for the details)
However, these pages need exceptions:
- tools/check: needs to allow any third-party images
- account/import_photo: needs to allow Gravatar and Identi.ca images
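The following is an added example, not code from the bug or from the Libravatar project. It builds the default policy quoted in the comment above, applies the two per-page exceptions (tools/check and account/import_photo), emits it through a small WSGI middleware, and includes a checker that shows which image URLs a browser enforcing that policy would load. The Gravatar and Identi.ca hostnames and the site origin `https://www.libravatar.org` are assumptions; the comment names only the services, not the hosts.

```python
"""Per-path X-Content-Security-Policy builder (added example, not Libravatar's code)."""
from collections import OrderedDict
from urllib.parse import urlsplit

HEADER_NAME = "X-Content-Security-Policy"

# Default policy as quoted in the bug comment: everything from self, inline
# scripts permitted through the legacy "options" directive, images from self,
# the two CDN hosts named in the comment, and data: URIs.
DEFAULT_POLICY = OrderedDict([
    ("allow", ["'self'"]),
    ("options", ["inline-script"]),
    ("img-src", ["'self'", "http://cdn.libravatar.org",
                 "https://seccdn.libravatar.org", "data:"]),
])

# ASSUMED hostnames for the account/import_photo exception; the comment only
# says "Gravatar and Identi.ca images", so adjust these to the real hosts.
IMPORT_PHOTO_IMG_SOURCES = ["https://www.gravatar.com", "https://identi.ca"]

# ASSUMED origin of the site itself, used to resolve 'self' in the checker.
SITE_ORIGIN = "https://www.libravatar.org"


def serialize(policy):
    """Render an ordered directive map in the header's 'directive src src; ...' form."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in policy.items())


def policy_for_path(path):
    """Return the policy for a request path: the default plus the documented exceptions."""
    policy = OrderedDict((d, list(s)) for d, s in DEFAULT_POLICY.items())
    if path.startswith("/tools/check"):
        # tools/check displays any third-party image, so img-src becomes a wildcard.
        policy["img-src"] = ["*"]
    elif path.startswith("/account/import_photo"):
        # import_photo additionally previews images fetched from the two services.
        policy["img-src"] = DEFAULT_POLICY["img-src"] + IMPORT_PHOTO_IMG_SOURCES
    return policy


def csp_header(path):
    """Header (name, value) tuple for a request path."""
    return HEADER_NAME, serialize(policy_for_path(path))


def csp_middleware(app):
    """WSGI middleware that stamps the per-path header on every response."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def start(status, headers, exc_info=None):
            # Drop any header the app set itself so the policy here is authoritative.
            headers = [h for h in headers if h[0].lower() != HEADER_NAME.lower()]
            headers.append(csp_header(path))
            return start_response(status, headers, exc_info)

        return app(environ, start)
    return wrapped


def image_allowed(policy, url, site_origin=SITE_ORIGIN):
    """Would a browser enforcing `policy` load an <img> from `url`?

    Mirrors standard source-list matching: '*' covers any network origin but
    not data: URIs, which must be listed explicitly.
    """
    parts = urlsplit(url)
    origin = "data:" if parts.scheme == "data" else f"{parts.scheme}://{parts.netloc}"
    for source in policy["img-src"]:
        if source == "*" and origin != "data:":
            return True
        if source == "'self'" and origin == site_origin:
            return True
        if source == origin:
            return True
    return False


if __name__ == "__main__":
    for p in ("/", "/tools/check", "/account/import_photo"):
        print(p, "->", csp_header(p)[1])
```

Wrapping the Django application object with `csp_middleware` is enough to ship the header; `image_allowed` is there so the exceptions can be unit-tested against concrete URLs before deployment rather than discovered as blocked images in the browser console.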