Re: Content Security Policy Headers
I should have been more specific. I have a security person who wants us to remove the unsafe-inline for the javascript. This has taken up so much of my focus that I forget all about the rest of it. To pull off the removal of the unsafe-inline you have to use hashes for the javascript or a nonce that changes every time you request the page. This is where my mind starts to explode. -- Jason On Fri, Jan 10, 2020, at 2:13 PM, Daniel Klco wrote: > Jason, > > Rather than putting the headers in Sling, I'd recommend supplying the CSP > in your caching (httpd etc) layer. Something like this: > > Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"; > >Header set X-XSS-Protection "1; mode=block" > >Header set X-Content-Type-Options "nosniff" > >Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"; > >Header set Content-Security-Policy "default-src https: data: > 'unsafe-inline'" > > > I use this on my personal site and have an A rating: > https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F > > Regards, > Dan > > > On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey wrote: > > > If you're not familiar with them > > > > https://tools.ietf.org/html/rfc7231 > > https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP > > > > I'm wondering if anyone has used the CSP to secure javascript and styles > > successfully in Sling and what techniques did they use to get there. > > > > I'm about to raise an issue with our vendor because of lack of support, > > but I like to try to avoid tickets if necessary. > > > > - Jason > > >
Re: Content Security Policy Headers
I set these headers (and HSTS header) with a simple servlet filter. Regards, Eric On Fri, Jan 10, 2020, 9:26 AM Jason E Bailey wrote: > If you're not familiar with them > > https://tools.ietf.org/html/rfc7231 > https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP > > I'm wondering if anyone has used the CSP to secure javascript and styles > successfully in Sling and what techniques did they use to get there. > > I'm about to raise an issue with our vendor because of lack of support, > but I like to try to avoid tickets if necessary. > > - Jason >
Re: Content Security Policy Headers
Jason, Rather than putting the headers in Sling, I'd recommend supplying the CSP in your caching (httpd etc) layer. Something like this: Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"; Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options "nosniff" Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"; Header set Content-Security-Policy "default-src https: data: 'unsafe-inline'" I use this on my personal site and have an A rating: https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F Regards, Dan On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey wrote: > If you're not familiar with them > > https://tools.ietf.org/html/rfc7231 > https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP > > I'm wondering if anyone has used the CSP to secure javascript and styles > successfully in Sling and what techniques did they use to get there. > > I'm about to raise an issue with our vendor because of lack of support, > but I like to try to avoid tickets if necessary. > > - Jason >
Content Security Policy Headers
If you're not familiar with them https://tools.ietf.org/html/rfc7231 https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP I'm wondering if anyone has used the CSP to secure javascript and styles successfully in Sling and what techniques did they use to get there. I'm about to raise an issue with our vendor because of lack of support, but I like to try to avoid tickets if necessary. - Jason
Dynamic Include - proposal to remove all package exports
Hi, While moving the Sling Dynamic Include module to use the new OSGi annotations, I noticed that the annotation caused breaking changes, since almost all packages are exported. That looked suspicious to me, as I think the SDI bundle it intended to be dropped in and configured, not reused programatically. I propopsed dropping all package exports in [1], so that from the next version it will not be possible to access the code at all. If you are using the SDI bundle _and_ import code from it, please join the conversation at [1]. There is also an open PR with the proposed changes at [2]. I'll wait until 20/1 to merge the changes. Thanks! Robert [1]: https://issues.apache.org/jira/browse/SLING-8987