Github user robertkowalski commented on a diff in the pull request:
https://github.com/apache/couchdb/pull/233#discussion_r12857351
--- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
@@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req,
DocumentRoot) ->
handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
+maybe_add_csp_headers(Headers, "false") ->
+ Headers;
+maybe_add_csp_headers(Headers, "true") ->
+ DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
+ "script-src 'self' 'unsafe-eval'; style-src 'self'
'unsafe-inline';",
+ Value = couch_config:get("csp", "header_value", DefaultValues),
+ Headers ++ [{"Content-Security-Policy", Value}].
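Review bot: the two clauses of `maybe_add_csp_headers/2` only match the exact strings "false" and "true", so any other configured value for `csp` `enable` (for example "True", "1", an empty string, or a value with surrounding whitespace) raises a `function_clause` error in the request path instead of a sane fallback; add a final catch-all clause such as `maybe_add_csp_headers(Headers, _) -> Headers.` (or normalize the value before matching) so a mis-set config option degrades to "no CSP header" rather than a crashed handler. Separately, the default policy in `DefaultValues` carries `'unsafe-eval'` in `script-src` and `'unsafe-inline'` in `style-src`, which weakens the protection considerably; a short comment stating why Fauxton needs them would help reviewers judge whether the default can be tightened later.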
--- End diff --
@kxepal:
We are shipping a binary for Windows, but this does not mean we have to
support every particular case that runs on Windows for the Webinterface. For
Windows users with Chrome or Firefox the feature just works. Another example
would be our CORS Feature which is not supported by IE 7 and just partially by
IE 8 & IE 9 (source: http://caniuse.com/cors)
And this new feature supports Graceful Degradation: for IE users it stays
like it is currently (and it is not that bad, just read further), Fauxton will
keep working for them. We are supporting the W3C Standard, and every browser
which implements it can make use of it.
Because we are supporting standards, and not supporting proprietary
technology, these technologies will hopefully make more use of open web
standards in the future - supporting them means that these technologies will
stay longer on the market and stick with long release/update cycles.
If we are talking about http://www.w3.org/TR/CSP11/ and the reflected-xss
directive, the spec reads for me that the directive is just an equivalent to
X-XSS-Protection and not exactly the same header that is standardized for old
browsers. They are just creating a kind of mapping which is meant to subsume
the functionality of X-XSS-Protection, which works in another way than the
Content-Security-Policy header (I think it is used in IE to disable the default
XSS protection). Regarding IE8 and upwards, the MSDN docs say: "Internet
Explorer 8 included a novel new feature to help prevent reflected cross-site
scripting attacks, known as the XSS Filter. This filter runs by default in the
Internet, [...]" (source:
http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx),
and that would mean that it is enabled by default. As we do not send something
to disable it, everything should be fine, as they are implementing their own
proprietary XSS filter that is enabled by default.
In the end this would mean that IE > 8 has its own implementation of XSS
filters, and that would mean that we have to do nothing here.