SM Lacks Content Security Policy

[scriptsrc]

After setting the CSP headers and replacing main.dart.js with main.dart.precompiled.js, the application breaks:

"Deprecation: Automatic generation of output for Content Security Policy is deprecated and will be removed with the next development
release. Use the --csp option to generate CSP restricted output. "

and then failed with this:

main.dart.precompiled.js::83551
append$1: [function(receiver, newChild) {
      return receiver.appendChild(newChild);
      ^^ Refused to execute inline script because it violates the following Content Security         Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

The javascript builder doesn't yet accept a --csp flag. Florian asked that I open an issue in the Dart project to track the problem. I'll link to the dart issue once I have created it. Could also be an issue in the Security Monkey searchpage view, as that file does contain a script element:

<script src="js/searchpage.js">
</script>

[blois]

Workaround is to use pub build --mode=debug then manually compile dart2js. Downside is that this is slow, as it'll compile dart2js twice.

I believe this is dart bug https://code.google.com/p/dart/issues/detail?id=19465

[scriptsrc]

Will investigate this module to add CSP support and make the site load faster:

https://pub.dartlang.org/packages/dart_to_js_script_rewriter

[scriptsrc]

Filed an inline-style CSP issue with the Polymer webcomponents package that security_monkey relies on.

webcomponents/webcomponentsjs#188

[scriptsrc]

Filed an inline-style CSP issue with the AngularDart.ui package that security_monkey relies on.

akserg/angular.dart.ui#144

[scriptsrc]

Filed an inline-style CSP issue with the AngularDart package that security_monkey relies on.

dart-archive/angular.dart#1666

This affects any Angular Component providing a CssUrl and using the shadowDom. If I don't see any updates on that issue, I'll set useShadowDom: false on all security_monkey components.

[scriptsrc]

The develop branch is now CSP compatible.

Add these headers to your nginx config:

add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=631138519";
add_header Content-Security-Policy "default-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self' ajax.googleapis.com; style-src 'self' fonts.googleapis.com; report-uri https://some-report-uri";

[scriptsrc]

Closing with develop branch commit 4d6167c