h5bp/server-configs-apache

Format `Content-Security-Policy` header directives

Closed this issue · 4 comments

After implementing the included CSP and running it against e.g. https://csp-evaluator.withgoogle.com/ and others, plus a lot of reading, I came up with:

```apache
<IfModule mod_headers.c>
    # One directive per line. The trailing backslash is Apache's line
    # continuation; without it the quoted value ends at the first newline
    # and the next line is read as an (invalid) directive.
    # 'nonce-rAnd0m' is a placeholder: a real nonce has to be a fresh random
    # value per response, which a static config line cannot provide.
    Header always set Content-Security-Policy "\
        default-src 'self' gap:; \
        style-src 'self' https://fonts.googleapis.com; \
        font-src 'self' data: https://fonts.gstatic.com; \
        img-src 'self' data: content:; \
        script-src 'nonce-rAnd0m' 'strict-dynamic'; \
        media-src 'self'; \
        base-uri 'none'; \
        form-action 'self'; \
        frame-ancestors 'none'; \
        object-src 'none'; \
        require-trusted-types-for 'script'; \
        upgrade-insecure-requests" \
        "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
</IfModule>
```

I think that provides a better launch pad for users than the current - both formatting for readability and a more complete list of arguments.
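As an added example (not code from this issue or from the h5bp project), a small Python checker that parses a serialized policy into directives, mirrors the `expr=%{CONTENT_TYPE}` condition above, and flags what a reviewer looks for: `object-src` falling back to something other than `'none'`, missing `base-uri` or `frame-ancestors`, `'unsafe-inline'` or scheme-wide sources without a nonce, `'strict-dynamic'` without a nonce, and a nonce too short to be real. `ISSUE_POLICY` is the policy above joined as a browser would receive it; `LOOSE_POLICY`, the function names and the check list are this example's own assumptions.

```python
"""Lint a serialized Content-Security-Policy the way a reviewer would.

Added example; not code from the h5bp/server-configs-apache issue or repo.
The check list and the function names are this example's own.
"""
import re

# The policy from the issue, joined as a browser would receive it (constructed).
ISSUE_POLICY = (
    "default-src 'self' gap:; "
    "style-src 'self' https://fonts.googleapis.com; "
    "font-src 'self' data: https://fonts.gstatic.com; "
    "img-src 'self' data: content:; "
    "script-src 'nonce-rAnd0m' 'strict-dynamic'; "
    "media-src 'self'; base-uri 'none'; form-action 'self'; "
    "frame-ancestors 'none'; object-src 'none'; "
    "require-trusted-types-for 'script'; upgrade-insecure-requests"
)

# A permissive policy for comparison (constructed for this example).
LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

# Same pattern as the Apache condition: m#text\/(html|javascript)|application\/pdf|xml#i
CONTENT_TYPE_RE = re.compile(r"text/(html|javascript)|application/pdf|xml", re.IGNORECASE)

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}

# Source expressions that let any origin (or any data) run script.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def csp_applies(content_type: str) -> bool:
    """Mirror the expr= condition: should this response carry the header?"""
    return CONTENT_TYPE_RE.search(content_type) is not None


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [tokens]}.

    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive keeps its first occurrence,
    which is how browsers parse it.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective(d: dict[str, list[str]], name: str) -> list[str]:
    """Value a browser would use: the directive itself, else default-src."""
    if name in d or name in NO_FALLBACK:
        return d.get(name, [])
    return d.get("default-src", [])


def lint_csp(policy: str) -> list[str]:
    """Return reviewer findings for a policy; an empty list means none."""
    d = parse_csp(policy)
    findings: list[str] = []
    script = effective(d, "script-src")
    nonces = [t for t in script if t.startswith("'nonce-")]
    hashes = [t for t in script if t.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    broad = sorted(t for t in script if t in BROAD_SOURCES or t.startswith("*."))

    if not script:
        findings.append("no script-src and no default-src: script loading is unrestricted")
    if "'unsafe-inline'" in script and not (nonces or hashes):
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash: injected inline script runs")
    if "'strict-dynamic'" in script and not (nonces or hashes):
        findings.append("'strict-dynamic' without a nonce or hash: host sources are ignored, nothing loads")
    if broad and "'strict-dynamic'" not in script:
        findings.append(f"script-src allows broad sources {broad} without 'strict-dynamic'")
    for n in nonces:
        value = n[len("'nonce-"):-1]
        if len(value) < 22:  # 128 bits of base64; shorter is guessable or a placeholder
            findings.append(f"nonce {value!r} is shorter than 128 bits; it must be a fresh random value per response")
    if effective(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be injected")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: the page can be framed (clickjacking)")
    return findings


if __name__ == "__main__":
    for label, policy in (("issue policy", ISSUE_POLICY), ("loose policy", LOOSE_POLICY)):
        print(f"{label}: {lint_csp(policy) or ['no findings']}")
    for ct in ("text/html; charset=utf-8", "application/xhtml+xml", "image/png"):
        print(f"{ct!r} gets CSP: {csp_applies(ct)}")
```

Run as a script it lints both policies; the only finding on the policy from the issue is the placeholder nonce, which is also the one part of a nonce-based policy that a static Apache config cannot supply on its own.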

Thanks for opening this issue @dcog989.
The one-per-line-attribute rule sounds good, would you like to open a pull request?
On their actual values, let's keep them as strict per default for now.

Hey. Yeah, I'd be happy to do that.

I was also wondering if the project would be interested in a significant reformat of the entire document, which I think could be improved for brevity and clarity. E.g.:

Existing:

"Using `.htaccess` files slows down Apache, therefore, if you have access to the main server configuration file (which is usually called `httpd.conf`), you should add this logic there."

Proposed:

".htaccess slows down Apache so use the main server configuration file (usually `httpd.conf`) if possible."

Also, improve consistency of comments and section formatting using syntax from https://github.com/aaron-bond/better-comments (even if a user doesn't employ that extension, the comments would have useful notation?). E.g.:

[Screenshot 2024-03-11 212403]

> Hey. Yeah, I'd be happy to do that.

Cool, thanks! 👍

> I was also wondering if the project would be interested in a significant reformat of the entire document, which I think could be improved for brevity and clarity. E.g.:

Let's stay simple for now, one thing at a time.
Also, the .htaccess file is auto-generated, based on the files already in a proper structure.

> Also, improve consistency of comments and section formatting using syntax from aaron-bond/better-comments

Interesting project, but this might be overkill for H5BP boilerplate. Let's stay simple here as well 🙂

OK. Understood. I'll sort out the pull request as specced. :)