couchdb-commits mailing list archives

From rnew...@apache.org
Subject [47/50] documentation commit: updated refs/heads/import-master to fe7f7bf
Date Thu, 10 Jul 2014 09:47:46 GMT
Add Experimental Content-Security-Policy-Support (CSP) for Fauxton

Like every web application, Fauxton is vulnerable to XSS, and
CSP is a technology that tries to help against that.

The patch makes it possible to enable CSP for the /_utils path and
allows configuration of the sent header.

The default setting for the value of the header breaks the old
Futon, when CSP is enabled there. The old Futon has a lot of
inline JavaScript which is not allowed in the setting I have
chosen as default.

For development, the header is also sent from the Node server
which launches Fauxton in dev-mode.

People can enable the feature by setting enable = true in the
section [csp] of their configs.
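The commit message says the default policy blocks inline JavaScript and therefore breaks the old Futon. The following is an added example, not code from this commit or from CouchDB, that shows how a defender can check that claim mechanically: it parses a CSP header value into directives and reports whether the effective script-src allows inline script (script-src falling back to default-src when absent). The policy string checked is the one documented in this patch; the function names are my own.

```python
"""Parse a Content-Security-Policy header value and report whether it permits
inline scripts.  Added illustration for the CSP patch discussed above; not
part of CouchDB or Fauxton.  Function names are hypothetical."""

# The policy documented in this patch as the header_value example.
PATCH_POLICY = "default-src 'self'; img-src *; font-src *;"


def parse_csp(header_value: str) -> dict:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';', tokens inside a directive by whitespace.
    Directive names are case-insensitive, and an empty directive (for example
    the trailing ';' in the patch's example) is ignored.  A repeated directive
    is ignored by browsers, so the first occurrence wins here as well.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the source list governing `directive`.

    Fetch directives such as script-src fall back to default-src when they are
    not set.  If neither is present, nothing restricts that resource type and
    None is returned to signal "unrestricted".
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_inline_script(header_value: str) -> bool:
    """True if the policy lets inline <script> blocks and event handlers run.

    Simplification: nonce- and hash-sources are not modelled; in CSP Level 2
    their presence causes 'unsafe-inline' to be ignored, so a policy that
    mixes them would need the extra rule before this answer is trusted.
    """
    sources = effective_sources(parse_csp(header_value), "script-src")
    if sources is None:
        # No script-src and no default-src: inline script is not restricted.
        return True
    return any(src.lower() == "'unsafe-inline'" for src in sources)


if __name__ == "__main__":
    for policy in (
        PATCH_POLICY,
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "img-src *",
    ):
        print(f"{policy!r}: inline script allowed = {allows_inline_script(policy)}")
```

Run against the patch's policy, the check reports that inline script is not allowed, which is exactly why a page built on inline JavaScript stops working once the header is sent; the two constructed comparison policies show the fallback and the unrestricted case.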


Project: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/commit/c89106ed
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/tree/c89106ed
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-documentation/diff/c89106ed

Branch: refs/heads/import-master
Commit: c89106edf7cd358e0779ac216b7d1318a8a6b914
Parents: 679af60
Author: Robert Kowalski <rok@kowalski.gd>
Authored: Sat May 17 18:37:30 2014 +0200
Committer: Robert Kowalski <rok@kowalski.gd>
Committed: Mon Jun 9 19:09:06 2014 +0200

----------------------------------------------------------------------
 src/config/misc.rst  | 24 ++++++++++++++++++++++++
 src/experimental.rst | 15 +++++++++++++++
 2 files changed, 39 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-documentation/blob/c89106ed/src/config/misc.rst
----------------------------------------------------------------------
diff --git a/src/config/misc.rst b/src/config/misc.rst
index 58d079c..e97575a 100644
--- a/src/config/misc.rst
+++ b/src/config/misc.rst
@@ -232,3 +232,27 @@ Vendor information
     [vendor]
     name = The Apache Software Foundation
     version = 1.5.0
+
+.. _config/csp:
+
+Content-Security-Policy
+=======================
+
+.. config:section:: csp :: Content-Security-Policy
+
+  Experimental support of CSP Headers for ``/_utils`` (Fauxton).
+
+  .. config:option:: enable
+
+    Enable the sending of the Header ``Content-Security-Policy``::
+
+      [csp]
+      enable = true
+
+
+  .. config:option:: header_value
+
+    You can change the default value for the Header which is sent::
+
+      [csp]
+      header_value = default-src 'self'; img-src *; font-src *;
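Review bot: the `.. config:option:: header_value` block does not state what the default value of the header is, nor that the default is incompatible with Futon; the commit message says the default disallows inline JavaScript and therefore breaks the old Futon, so the documented `default-src 'self'; img-src *; font-src *;` should be labelled as the default if that is what it is, and the option should carry a note along the lines of "The default policy does not allow inline JavaScript, so the old Futon will not work while CSP is enabled." Minor: the double blank line before the `header_value` option is inconsistent with the single blank line used between the other directives in this file.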

http://git-wip-us.apache.org/repos/asf/couchdb-documentation/blob/c89106ed/src/experimental.rst
----------------------------------------------------------------------
diff --git a/src/experimental.rst b/src/experimental.rst
index 3157f53..fae925c 100644
--- a/src/experimental.rst
+++ b/src/experimental.rst
@@ -81,3 +81,18 @@ Plugins
 See `src/couch_plugins/README.md`.
 
 
+Content-Security-Policy (CSP) Header Support for /_utils (Fauxton)
+==================================================================
+
+This will just work with Fauxton, and not Futon. You can enable it
+in your config: you can enable the feature in general and change
+the default header that is sent for everything in /_utils.
+
+    .. code-block:: ini
+
+      [csp]
+      enable = true
+
+Then restart CouchDB.
+
+Have fun!
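Review bot: the `.. code-block:: ini` directive is indented four spaces under the preceding paragraph, which reStructuredText parses as a block quote wrapping the directive; put the directive at column 0 like the rest of the file so it renders as a plain code block. The paragraph also promises that the default header can be changed, but the example only shows `enable = true`; add the `header_value` line or a `:ref:`config/csp`` cross-reference to the option documented in misc.rst, and say why Futon is excluded (it relies on inline JavaScript, which the default policy blocks) rather than just stating that it will not work.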

