On Wed, May 8, 2019 at 8:56 AM Zer0Cool <[email protected]> wrote:
> After further testing and messing about I think I have worked out a policy
> that does not break anything but will need more testing:
>
> add_header Content-Security-Policy "default-src 'none'; script-src 'self'
> 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self';
> frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';
> font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors
> 'self';" always;
>
> It seems like "unsafe-inline", "unsafe-eval" and "data:" are required as
> seen above for certain parameters for Guac to function properly.
>
> With the above I am getting a B+ 80/100 score on Mozilla's observatory test
> found here: https://observatory.mozilla.org. Due to needing to use the
> unsafe parameters, I don't think a higher score is possible.
>
I believe you can eliminate "unsafe-inline" for "script-src". That should
take you up another notch at observatory.mozilla.org, as will adding
"Referrer-Policy" and "X-Frame-Options" headers.

Still need to verify that nothing more subtle has broken, but applying these
changes brought avocado.glyptodon.com up to 100/100:

https://observatory.mozilla.org/analyze/avocado.glyptodon.com

Overall:

- Guacamole itself requires "data:" for images.
- AngularJS depends on "unsafe-inline" for styles and "unsafe-eval" for
  scripts. It looks like it may be possible to remove at least
  "unsafe-inline" through minor changes to the webapp, with "unsafe-eval"
  also possible with a performance penalty:

  https://code.angularjs.org/1.6.9/docs/api/ng/directive/ngCsp

I think everything else can safely be locked down.

- Mike
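The nginx server block the two messages converge on, as an added example that is not from the thread or from the Guacamole project: the posted policy with 'unsafe-inline' dropped from script-src, plus the two extra headers Mike names. The hostname, the backend address and the Referrer-Policy value are assumptions.

```nginx
# Added example, not the thread's own config. Hostname, backend address and
# the Referrer-Policy value are assumptions.
server {
    listen 443 ssl;
    server_name guac.example.com;   # placeholder hostname

    # Weak form as originally posted: 'unsafe-inline' in script-src lets any
    # injected inline <script> run, which removes most of what the CSP buys.
    # add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; object-src 'self'; frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';" always;

    # Tightened form. Kept deliberately, per the thread:
    #   img-src data:            Guacamole needs data: URIs for images
    #   style-src 'unsafe-inline' AngularJS injects inline styles
    #   script-src 'unsafe-eval'  AngularJS expression parsing (see ngCsp)
    # connect-src 'self' must also cover the Guacamole WebSocket tunnel; under
    # CSP3 'self' matches wss: on the same host, but older browsers only
    # matched http(s), so add an explicit wss://guac.example.com if it fails.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self'; object-src 'self'; frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';" always;

    # Pre-CSP2 equivalent of frame-ancestors 'self' for older browsers.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Assumed value; any of the strict referrer policies satisfies the check.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # "always" emits the headers on error responses too (4xx/5xx), so the
    # policy also covers error pages.

    location / {
        # Caution: an add_header inside this block would replace, not extend,
        # the server-level headers above, so keep all add_header lines in
        # one scope.
        proxy_pass http://127.0.0.1:8080/guacamole/;   # assumed backend
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;        # WebSocket tunnel
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}
```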
