[Tickets #13976] Security Headers
noreply at bugs.horde.org
Fri May 1 10:08:07 UTC 2015
Ticket URL: https://bugs.horde.org/ticket/13976
------------------------------------------------------------------------------
Ticket | 13976
Created By | o+horde at immerda.ch
Summary | Security Headers
Queue | Horde Groupware
Version | 5.2.6
Type | Enhancement
State | New
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
o+horde at immerda.ch (2015-05-01 10:08) wrote:
It has increasingly become good practice to set a number of security-related
HTTP headers. We are currently maintaining our own set of headers for horde,
but I think it would make sense to maintain them directly within horde and
enable them by default. Other projects (e.g. Owncloud) have also begun to do so.
In detail, we propose to add the following headers:
1) X-FRAME-OPTIONS: SAMEORIGIN
-> sameorigin is needed for the attachment upload
2) X-Content-Type-Options: nosniff
-> no problems encountered
3) Content-Security-Policy: default-src 'self'; script-src
'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'; style-src
'unsafe-inline' 'self'; img-src data: 'self'; media-src 'self';
frame-src 'self'; font-src 'self'; connect-src 'self';
-> this is fairly restrictive and might break things. E.g. for the imp
"open html in separate window" function we have a different policy,
basically lifting restrictions for img-src and style-src to allow
external elements. I assume other parts of horde would need similar
exceptions.
-> But CSP headers are really, really important and I would love to
see them officially supported! E.g. we were not affected by the
latest XSS in the html editor thanks to them.
-> at least frame, script, object and connect could probably be set
without breaking anything.
If there is interest but no resources please tell me so, I might be
able to provide a patch.
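As an added example (not part of the ticket or of Horde's own code), a small checker that parses the CSP proposed in point 3 and reports which resource loads it permits, next to a constructed variant of the relaxed policy the reporter describes for IMP's "open html in separate window" view. The policy string is copied from the ticket; the relaxed variant, the page origin and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Policy 3) exactly as proposed in the ticket for regular Horde pages.
DEFAULT_POLICY = (
    "default-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; "
    "object-src 'self'; style-src 'unsafe-inline' 'self'; img-src data: 'self'; "
    "media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self';"
)

# Constructed guess at the relaxed policy for the separate html-mail window:
# the ticket only says img-src and style-src are lifted to allow external elements.
HTML_VIEW_POLICY = (
    "default-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; "
    "object-src 'self'; style-src 'unsafe-inline' https: 'self'; "
    "img-src data: https: 'self'; media-src 'self'; frame-src 'self'; "
    "font-src 'self'; connect-src 'self';"
)

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expression, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def _source_matches(source, url, page_origin):
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source.startswith("'"):                 # 'unsafe-inline' etc. never match a URL load
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source such as data: or https:
        return url.lower().startswith(source.lower())
    host = urlsplit(url).netloc.lower()        # host-source, with *.example.org wildcard
    if source.startswith("*."):
        return host.endswith(source[1:].lower())
    return _origin(url) == source.lower() or host == source.lower()

def allows(policy, directive, url, page_origin):
    """True if the fetch directive (falling back to default-src) permits loading `url`."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src", []))
    return any(_source_matches(s, url, page_origin) for s in sources)

def inline_allowed(policy, directive):
    """True if the directive (or its default-src fallback) carries 'unsafe-inline'."""
    directives = parse_csp(policy)
    return "'unsafe-inline'" in directives.get(directive, directives.get("default-src", []))
```

Running the checker over the two policies shows the trade-off the ticket describes: an external tracking image is blocked under the default policy but allowed in the html-mail view, while external scripts stay blocked under both.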