couchdb-dev mailing list archives

From robertkowalski <...@git.apache.org>
Subject [GitHub] couchdb pull request: Add Experimental Content-Security-Policy-Sup...
Date Tue, 20 May 2014 17:42:44 GMT
Github user robertkowalski commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/233#discussion_r12857351
  
    --- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
    @@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
     handle_utils_dir_req(Req, _) ->
         send_method_not_allowed(Req, "GET,HEAD").
     
    +maybe_add_csp_headers(Headers, "false") ->
    +    Headers;
    +maybe_add_csp_headers(Headers, "true") ->
    +    DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
    +                    "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
    +    Value = couch_config:get("csp", "header_value", DefaultValues),
    +    Headers ++ [{"Content-Security-Policy", Value}].
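Review bot: maybe_add_csp_headers/2 has clauses only for the literal strings "false" and "true", so any other value of whichever [csp] boolean the caller reads (the caller is outside this hunk), for example "True", "1", "yes" or a value with a trailing space, raises function_clause and fails the /_utils request instead of degrading to no header; add a catch-all clause such as `maybe_add_csp_headers(Headers, _) -> Headers.` or normalise the value before matching. Two smaller points: `header_value` is sent verbatim, so an empty or malformed setting produces an empty or broken Content-Security-Policy header with no warning, and the default grants 'unsafe-eval' to script-src and 'unsafe-inline' to style-src, which should be stated in the default ini and the documentation so operators know what the shipped policy permits.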
    --- End diff --
    
    @kxepal:
    
    We are shipping a binary for Windows, but this does not mean we have to support every
particular case that runs on Windows for the web interface. For Windows users with Chrome or
Firefox the feature just works. Another example would be our CORS feature, which is not supported
by IE 7 and only partially by IE 8 & IE 9 (source: http://caniuse.com/cors)
    
    And this new feature supports Graceful Degradation: for IE users it stays like it is currently
(and it is not that bad, just read further), Fauxton will keep working for them. We are supporting
the W3C standard, and every browser which implements it can make use of it.
    
    Because we are supporting standards, and not supporting proprietary technology, these technologies
will hopefully make more use of open web standards in the future - supporting them means that
these technologies will stay longer on the market and stick with long release/update cycles.
    
    If we are talking about http://www.w3.org/TR/CSP11/ and the reflected-xss directive, the
spec reads for me that the directive is just an equivalent to X-XSS-Protection and not exactly
the same header that is standardized for old browsers. They are just creating a kind of mapping
which is meant to subsume the functionality of X-XSS-Protection, which works in another way
than the Content-Security-Policy header (I think it is used in IE to disable the default XSS
protection). Regarding IE8 and upwards, the MSDN docs say: "Internet Explorer 8 included
a novel new feature to help prevent reflected cross-site scripting attacks, known as the XSS
Filter. This filter runs by default in the Internet, [...]" (source: http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx),
and that would mean that it is enabled by default. As we do not send something to disable
it, everything should be fine, as they are implementing their own proprietary XSS filter that is
enabled by default.
    
    In the end this would mean that IE > 8 has its own implementation of XSS filters and
that would mean that we have to do nothing here.
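Added example, not CouchDB code and not from the pull request author: a small Python checker that parses a Content-Security-Policy value the way a browser does (split on ';', whitespace-separated source expressions, fall back to default-src for an absent fetch directive) and reports the weakening keywords, run over the default value quoted in the diff above and, for comparison, a stricter policy constructed here. It also encodes the X-XSS-Protection point from the comment: IE8+ keeps its reflected-XSS filter on unless the response says `X-XSS-Protection: 0`. The STRICT_CSP value and all function names are assumptions for illustration.

```python
"""Audit a Content-Security-Policy header value and check the IE XSS-filter
state implied by a response's headers. Example code, not part of CouchDB."""

# Default value proposed in the pull request (copied from the diff above).
COUCHDB_DEFAULT_CSP = (
    "default-src 'self'; img-src *; font-src *; "
    "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
)

# Constructed stricter alternative for comparison (assumption, not a CouchDB
# default): everything but images and fonts falls back to 'self'.
STRICT_CSP = "default-src 'self'; img-src *; font-src *;"


def parse_csp(value):
    """Split a CSP value into {directive_name: [source expressions]}.

    Directives are separated by ';', tokens by whitespace, and a directive
    name is matched case-insensitively. A repeated directive is ignored by
    browsers, so the first occurrence wins here too."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty segment, e.g. from the trailing ';'
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources a browser applies for a fetch directive: the directive's own
    list if present, otherwise default-src, otherwise unrestricted ([])."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(value):
    """Return a list of findings (strings) for the given CSP value.
    An empty list means none of the checked weakenings was found."""
    policy = parse_csp(value)
    findings = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
            if keyword in sources:
                findings.append("%s allows %s" % (directive, keyword))
        if "*" in sources:
            findings.append("%s allows any origin (*)" % directive)
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives are unrestricted")
    return findings


def ie_xss_filter_enabled(headers):
    """IE8+ runs its reflected-XSS filter by default; only an explicit
    'X-XSS-Protection: 0' turns it off. Header names match case-insensitively;
    'headers' is a plain dict as one would build from a captured response."""
    for name, value in headers.items():
        if name.lower() == "x-xss-protection":
            return value.split(";")[0].strip() != "0"
    return True


if __name__ == "__main__":
    for label, csp in (("couchdb default", COUCHDB_DEFAULT_CSP),
                       ("strict", STRICT_CSP)):
        print(label, audit_csp(csp) or "no findings")
    # Constructed response headers: CouchDB sends no X-XSS-Protection header,
    # so IE's own filter stays enabled.
    print("IE filter on:", ie_xss_filter_enabled({"Content-Type": "text/html"}))
```

Running the block reports that the shipped default allows 'unsafe-eval' in script-src and 'unsafe-inline' in style-src while the stricter policy yields no findings, and confirms that a response without an X-XSS-Protection header leaves IE's filter on, which is the point made in the comment.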

