
Add default CSP #127

Closed
wants to merge 1 commit into from

Conversation

fwenzel

@fwenzel fwenzel commented Apr 22, 2017

What?

Add a default CSP that allows anything from the local domain, plus inline styles, data: URIs, and no framing. Plus, a referrer policy that will send a full Referer header to the local origin (thus, not mess with stats etc.), but truncate to strict origin when browsing across origins.

Why?

Including reasonable defaults here for both security and privacy will do the fediverse much good.

I am open to suggestions on what would be a better default. For instance, unsafe-inline for styles bugs me a little but if not, we are breaking emoji as currently implemented, for instance. Similar reasoning goes for data URIs.

Also note that this CSP won't work like this with multi-server / CDN deployments, but I reckon a person who can set up a CDN can figure out how to tweak the CSP.

Add a default CSP that allows anything from the local domain, plus inline styles, data: URIs, and no framing.
@dariusk

dariusk commented Apr 24, 2017

I can't comment on the specific settings here but could we get something similar for the alternative Apache configuration?

@fwenzel
Author

fwenzel commented Apr 24, 2017

Sure, though I don't use Apache.

@dariusk

dariusk commented Apr 25, 2017

Looks like it should be set as so in httpd.conf or .htaccess for Apache:

Header set Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data:; media-src 'self' data:; connect-src 'self' wss://example.com; font-src 'self'; frame-ancestors 'none'; manifest-src 'self';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

This is cobbled together from here and here, so I'm not sure if always ought to be set on both. (The always means that it applies to all headers, even unsuccessful responses.)

@wxcafe

wxcafe commented Apr 27, 2017

This looks good, but I believe it won't work if you have an instance silenced and you reject their media files: your users won't be able to load them. Should probably add img-src https: and media-src https:

@nolanlawson
Contributor

FWIW we've been using this config on toot.cafe for the past week or so and it's been working well:

add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; object-src 'self'; media-src 'self'; connect-src 'self' wss://toot.cafe; upgrade-insecure-requests";

One thing that's a bit unsatisfying is that we get a Mozilla Observatory score of A- because of script-src 'unsafe-inline', but apparently this is required or else Firefox shows an error in the console… Seems it would need a Mastodon code change to fix.

@wxcafe

wxcafe commented Apr 28, 2017

As I said, yeah, okay, but if you silence a domain and reject their media files this won't work.

@fwenzel
Author

fwenzel commented May 6, 2017

"script-src 'unsafe-inline'", don't do that. Why would you do that? That's pretty much the main reason why CSP (the standard) exists, to keep unsafe user-entered text from being executed as inline script.
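As an added example (not part of this PR, and not code from the Mastodon project), here is a small Python audit that parses a Content-Security-Policy value the way a browser does (directives split on ';', the first occurrence of a directive wins, fetch directives fall back to default-src) and reports the points raised across this thread: script-src 'unsafe-inline', a missing frame-ancestors, object-src not locked down, and img-src / media-src without any remote https source (wxcafe's silenced-instance case). It also flags source expressions a browser cannot parse, because an unparsable source is silently dropped and the origin it was meant to allow ends up blocked. The two embedded policies are copied from dariusk's Apache snippet and nolanlawson's nginx snippet with the placeholder hostnames used there; the malformed and unquoted tokens in the usage section are constructed to show the syntax checks.

```python
"""Audit a Content-Security-Policy string for the weaknesses discussed in the
thread.  Added example, not the project's own code."""
from __future__ import annotations

import re

# Fetch directives that fall back to default-src when absent (CSP Level 3).
FETCH_DIRECTIVES = frozenset({
    "script-src", "style-src", "img-src", "media-src", "connect-src",
    "font-src", "object-src", "frame-src", "manifest-src", "worker-src",
    "child-src", "prefetch-src",
})
KEYWORDS = frozenset({
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
    "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
})
SCHEME_SOURCE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:")
HOST_SOURCE = re.compile(
    r"(?:[A-Za-z][A-Za-z0-9+.\-]*://)?"              # optional scheme
    r"(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*"  # host, maybe wildcarded
    r"(?::(?:\d+|\*))?"                              # optional port
    r"(?:/[^\s;,]*)?"                                # optional path
)
NONCE_OR_HASH = re.compile(
    r"'(?:nonce-[A-Za-z0-9+/=_\-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'")

# Policies copied from the thread; hostnames are the placeholders used there.
APACHE_POLICY = (
    "default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; "
    "img-src 'self' data:; media-src 'self' data:; "
    "connect-src 'self' wss://example.com; font-src 'self'; "
    "frame-ancestors 'none'; manifest-src 'self';")
NGINX_POLICY = (
    "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; "
    "object-src 'self'; media-src 'self'; connect-src 'self' wss://toot.cafe; "
    "upgrade-insecure-requests")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Return {directive: [source expressions]}; directive names are
    case-insensitive and a repeated directive is ignored, as browsers do."""
    result: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            result.setdefault(tokens[0].lower(), tokens[1:])
    return result


def effective_sources(csp: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources governing `directive`: its own list, else default-src for fetch
    directives, else None meaning no restriction at all."""
    if directive in csp:
        return csp[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in csp:
        return csp["default-src"]
    return None


def is_valid_source(s: str) -> bool:
    """True if `s` is a syntactically valid source expression."""
    return (s == "*" or s in KEYWORDS
            or SCHEME_SOURCE.fullmatch(s) is not None
            or HOST_SOURCE.fullmatch(s) is not None
            or NONCE_OR_HASH.fullmatch(s) is not None)


def audit(policy: str) -> list[str]:
    """Findings a reviewer would raise about `policy`, in a fixed order."""
    csp = parse_csp(policy)
    findings: list[str] = []
    for name, sources in csp.items():            # syntax problems first
        for s in sources:
            if f"'{s}'" in KEYWORDS:             # keyword written without quotes
                findings.append(f"{name}: keyword {s} must be quoted as '{s}'; "
                                "unquoted it is treated as a hostname")
            elif not is_valid_source(s):
                findings.append(f"{name}: malformed source {s!r} will be ignored by browsers")
    scripts = effective_sources(csp, "script-src")
    if scripts is None:
        findings.append("script-src: unrestricted (neither script-src nor default-src set)")
    elif "'unsafe-inline'" in scripts:            # defeats the XSS protection CSP exists for
        findings.append("script-src: 'unsafe-inline' allows injected inline scripts to run")
    if "frame-ancestors" not in csp:              # no fallback to default-src for this one
        findings.append("frame-ancestors: missing, the page may be framed by any site")
    if effective_sources(csp, "object-src") != ["'none'"]:
        findings.append("object-src: not 'none', plugin content is allowed")
    for d in ("img-src", "media-src"):            # remote media from other instances
        sources = effective_sources(csp, d)
        if sources is not None and not any(
                s in ("*", "https:") or s.startswith("https://") for s in sources):
            findings.append(f"{d}: no remote https source, remote media that is "
                            "not proxied locally will be blocked")
    return findings


if __name__ == "__main__":
    for label, policy in (("apache", APACHE_POLICY), ("nginx", NGINX_POLICY)):
        print(label)
        for finding in audit(policy):
            print("  -", finding)
    # Constructed mistakes: a scheme glued onto a host, and an unquoted keyword.
    print(audit("connect-src 'self' wss:https://example.com"))
    print(audit("script-src self"))
```

Running it prints two findings for the Apache policy (img-src and media-src allow no remote https source) and four for the nginx one (script-src 'unsafe-inline', no frame-ancestors, object-src 'self', media-src 'self' only). The syntax checks matter because a browser drops a source expression it cannot parse without any error on the server side; a WebSocket origin that was meant to be allowed then simply fails to connect.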

@fwenzel
Author

fwenzel commented May 6, 2017

I am closing this in favor of #204, we don't need two PRs.

@fwenzel fwenzel closed this May 6, 2017
@fwenzel fwenzel deleted the patch-1 branch May 6, 2017 19:40
This pull request was closed.
4 participants