Tickets :: Comment on [#13976] Security Headers

* Your Email Address
* Spam protection	Enter the letters below: . ,. ..__ .__ .___. \./ \|\ \|\| \[__) \| \| \| \\|\|__/\| \|
Comment	> It has increasingly become good practice to set a number of security > related http headers. We are currently maintaining our own set of > headers for horde, but I think it would make sense to maintain them > directly within horde and enable by default. Other projects (e.g. > Owncloud) have also begun to do so. > > In detail we propose to add the following headers: > > 1) X-FRAME-OPTIONS: SAMEORIGIN > -> sameorigin is needed for the attachment upload > > 2) X-Content-Type-Options: nosniff > -> no problems encountered > > 3) Content-Security-Policy: default-src 'self'; script-src > 'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'; style-src > 'unsafe-inline' 'self'; img-src data: 'self'; media-src 'self'; > frame-src 'self'; font-src 'self'; connect-src 'self'; > -> this is fairly restrictive and might break things. E.g. for the > imp "open html in separate window" function we have a different > policy, basically lifting restrictions for img-src and style-src to > allow external elements. I assume other parts of horde would need > similar exceptions. > -> But CSP headers are really, really important and I would love to > see them officially supported! E.g. we where not affected by the > latest XSS in the html editor thanks to them. > -> at least frame, script, object and connect could probably be set > without breaking anything. > > If there is interest but no resources please tell me so, I might be > able to provide a patch.
Attachment
Watch this ticket

Saved Queries