Hi again, I propose to add the following HTTP headers to all Tails web pages (it's sufficient to send these for HTTP responses for "Content-Type: text/html" only, though applying it globally doesn't hurt):
X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self' tails.boum.org *.tails.boum.org; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src *; media-src *; object-src 'self'; frame-src 'self'; frame-ancestors 'self'; child-src 'self'; reflected-xss block; (Newlines were added to improve readability only.) Reasoning and links to documentation: X-Frame-Options: Prevents content hosted on tails.boum.org to be embedded in an (I)FRAME on other web sites (such as as part of a click-jacking or phishing attack. Interpreted by Firefox, Chrome, Internet Explorer, Opera, Safari. http://tools.ietf.org/html/rfc7034 X-XSS-Protection: Instructs Internet Explorer 8+ to use its internal XSS filter (which is mostly broken but makes use for this part) to block reflective XSS. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx https://www.owasp.org/index.php/List_of_useful_HTTP_headers X-Content-Type-Options: Instructs Internet Explorer 8+ to not use content sniffing, a method similar to running GNU file (with MIME magic) on any downloaded content as a means of determining its content (and how it should be handled / parsed), overriding the Content-Type header sent by the webserver. I.e. a very silly idea in the first place, that's been in use by IE for years. http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx Content-Security-Policy: A measure to prevent XSS and other attacks. This one can be problematic if you tend to rely on remotely hosted content other than images and HTML5 audio/video. There are means to have browsers notify you when they run into situations where their interpretation of your sites' CSP restricts them from loading page content, though. And luckily the web pages on tails.boum.org do not seem to depend on much or any remotely hosted content, so you should be in one of the best imaginable positions to apply a CSP. Interpreted by Firefox, Chrome, Opera, Safari. http://www.w3.org/TR/CSP/ http://www.w3.org/TR/2014/WD-CSP11-20140211/ https://www.owasp.org/index.php/Content_Security_Policy https://github.com/oxdef/csp-tester http://developer.chrome.com/extensions/contentSecurityPolicy I'd be happy to discuss these in more detail with anyone interested in applying them. Especially the CSP header may require a closer look. I think it's worth the effort for this website, though. These headers should be reviewed about a year from now since hopefully more of them will be standardized and implemented by then. Namely X-Frame-Options and X-XSS-Protection should have been included into CSP at this time, and CSP 1.1 should be finalized (deprecating some elements of 1.0 I'm suggesting to use above). (On a side note, I'm now subscribed to tails-dev and should get to see any further discussion on this topic). Alster
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
