This repository has been archived by the owner on Jun 24, 2024. It is now read-only.
[WIP] Adds secure_headers & Content-Security-Policy to Classroom #1166
👋 I was taking a look at Classroom as part of the appsec-review process and, while this PR does not address a specific known vulnerability, adding the secureheaders gem and configuring Content-Security-Policy (CSP) Headers will help mitigate any available client-side attacks and those which may occur in the future.
This is a WIP PR b/c I have a few concerns on the best way to integrate secureheaders and handle some issues that came up:
Questions:

- `config/application.rb` file or should it get broken out into its own file?
- `jquery-datetimepicker-rails` gem?
- `jquery-datepicker-rails` is `v2.4.1.0` and it contains an outdated version of jQuery DateTimePicker plugin. This outdated version relies on `eval` which its newest release `v2.5.4` does not.
- `unsafe-eval`
- `jquery-datepicker-rails`
- `= require_tree .`, which pulls in the `https://www.youtube.com/iframe_api`
- `.pages.js` file on the homepage.

Next Steps:
If y'all have a sec to answer these questions, I would be happy to fix up this PR. 👍
/cc @gregose
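The trade-off the PR describes (a CSP that allows the YouTube iframe API on the homepage but has to decide whether to grant `'unsafe-eval'` for an outdated datetimepicker) is easier to reason about with the policy written out. The block below is an added example; it is not code from the Classroom PR or from the secure_headers gem. It builds a `Content-Security-Policy` header value from a directive hash of the same shape that `SecureHeaders::Configuration.default` accepts for `config.csp`, audits `script-src` for risky keywords, and checks whether a given script URL would be allowed. The policy contents, the hypothetical site origin `https://classroom.example`, and the `pages.js` path are constructed for the example; the gem itself is deliberately not loaded so the script runs offline.

```ruby
require 'uri'

# Added example (not the Classroom PR's or the secure_headers gem's code).
# Directive keys use the snake_case naming secure_headers expects in
# config.csp = { ... }; values are CSP source lists (note the quoted keywords).
module CspExample
  # Constructed policy: allows the YouTube iframe API the homepage loads,
  # but grants no eval capability to scripts.
  STRICT_POLICY = {
    default_src: %w('self'),
    script_src: %w('self' https://www.youtube.com),
    frame_src: %w('self' https://www.youtube.com),
    style_src: %w('self' 'unsafe-inline'),
    img_src: %w('self' data: https:),
    object_src: %w('none'),
  }.freeze

  # The same policy with 'unsafe-eval' added, which is what an eval-dependent
  # library (like the outdated datetimepicker the PR mentions) forces on you.
  EVAL_POLICY = STRICT_POLICY.merge(
    script_src: STRICT_POLICY[:script_src] + %w('unsafe-eval')
  ).freeze

  # Sources in script-src that a reviewer should flag.
  RISKY_SCRIPT_SOURCES = %w('unsafe-eval' 'unsafe-inline' * data:).freeze

  # Serialize the hash into the header value a browser parses:
  # "directive src src; directive src ...", with hyphenated directive names.
  def self.header_value(policy)
    policy.map do |directive, sources|
      ([directive.to_s.tr('_', '-')] + sources).join(' ')
    end.join('; ')
  end

  # Effective script sources: script-src, or default-src when it is absent
  # (the fallback browsers apply).
  def self.effective_script_sources(policy)
    policy.fetch(:script_src) { policy.fetch(:default_src, []) }
  end

  # Risky keywords present in the effective script-src list.
  def self.script_src_findings(policy)
    effective_script_sources(policy) & RISKY_SCRIPT_SOURCES
  end

  # Origin of a URL in the form scheme://host[:port], default port omitted.
  def self.origin_of(url)
    u = URI.parse(url)
    port = u.port == u.default_port ? '' : ":#{u.port}"
    "#{u.scheme}://#{u.host}#{port}"
  end

  # Would the policy allow loading script_url? Supports 'self', the https:
  # scheme source, and exact origin matches (enough for this policy).
  def self.script_allowed?(policy, script_url, site_origin:)
    target = origin_of(script_url)
    effective_script_sources(policy).any? do |src|
      case src
      when "'self'" then target == site_origin
      when 'https:' then target.start_with?('https://')
      else src == target
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  site = 'https://classroom.example' # hypothetical site origin
  [CspExample::STRICT_POLICY, CspExample::EVAL_POLICY].each do |policy|
    puts "Content-Security-Policy: #{CspExample.header_value(policy)}"
    puts "  findings: #{CspExample.script_src_findings(policy).inspect}"
    puts "  youtube iframe_api allowed: " \
         "#{CspExample.script_allowed?(policy, 'https://www.youtube.com/iframe_api', site_origin: site)}"
  end
end
```

Running the file prints both header values; only the second one yields a finding (`'unsafe-eval'`), while both still allow `https://www.youtube.com/iframe_api` because its origin is listed in `script-src`. Keeping the policy as a hash like this makes the "allow eval or upgrade the gem" decision visible in review rather than buried in a long header string.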