Anti-spam team, Confirmed users
99
edits
User:Apking/Web Security Guidelines: Difference between revisions
User:Apking/Web Security Guidelines (view source)
Revision as of 22:13, 6 January 2016
, 6 January 2016added contribute.json to the standard
(formatting) |
(added contribute.json to the standard) |
||
| Line 133: | Line 133: | ||
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site. | The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site. | ||
Note that disabling inline JavaScript means that <em>all</em> JavaScript must be loaded from <tt><script></tt> src tags . Event handlers such as <em>onclick</em> used directly on a tag will fail to work, as will JavaScript inside <tt><script></tt> tags but not loaded via src. Furthermore, inline stylesheets using either <tt><style></tt> tags or the style attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement. | Note that disabling inline JavaScript means that <em>all</em> JavaScript must be loaded from <tt><script></tt> src tags . Event handlers such as <em>onclick</em> used directly on a tag will fail to work, as will JavaScript inside <tt><script></tt> tags but not loaded via <tt>src</tt>. Furthermore, inline stylesheets using either <tt><style></tt> tags or the <tt>style</tt> attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement. | ||
== Implementation Notes == | == Implementation Notes == | ||
| Line 172: | Line 172: | ||
* [http://www.cspplayground.com/ Content Security Policy Playground] | * [http://www.cspplayground.com/ Content Security Policy Playground] | ||
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard] | * [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard] | ||
= contribute.json = | |||
<tt>contribute.json</tt> is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute. <tt>contribute.json</tt> is a Mozilla standard used to describe all active Mozilla websites and projects. | |||
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, <tt>contribute.json</tt> is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects. | |||
== Examples == | |||
<pre>{ | |||
"name": "Bedrock", | |||
"description": "The app powering www.mozilla.org.", | |||
"repository": { | |||
"url": "https://github.com/mozilla/bedrock", | |||
"license": "MPL2", | |||
"tests": "https://travis-ci.org/mozilla/bedrock/" | |||
}, | |||
"participate": { | |||
"home": "https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org", | |||
"docs": "http://bedrock.readthedocs.org/", | |||
"mailing-list": "https://www.mozilla.org/about/forums/#dev-mozilla-org", | |||
"irc": "irc://irc.mozilla.org/#www", | |||
"irc-contacts": [ | |||
"someperson1", | |||
"someperson2", | |||
"someperson3" | |||
] | |||
}, | |||
"bugs": { | |||
"list": "https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org", | |||
"report": "https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org", | |||
"mentored": "https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&o1=isnotempty | |||
&query_format=advanced&bug_status=NEW&product=www.mozilla.org&list_id=10866041" | |||
}, | |||
"urls": { | |||
"prod": "https://www.mozilla.org", | |||
"stage": "https://www.allizom.org", | |||
"dev": "https://www-dev.allizom.org", | |||
"demo1": "https://www-demo1.allizom.org", | |||
}, | |||
"keywords": [ | |||
"python", | |||
"less-css", | |||
"django", | |||
"html5", | |||
"jquery" | |||
] | |||
}</pre> | |||
== See Also == | |||
* [https://www.contributejson.org/ The contribute.json Standard] | |||
| Line 439: | Line 492: | ||
| Mandatory | | Mandatory | ||
| All cookies must be set with Secure, and set as restrictively as possible | | All cookies must be set with Secure, and set as restrictively as possible | ||
|- style="background-color: #9EDB58;" | |||
| [[#contribute.json|<span style="color: black;">contribute.json</span>]] | |||
| Mandatory for all websites | |||
| Websites should serve contribute.json and keep contact information up-to-date | |||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | ||