Excellent!
I’m currently in the process of cleaning up my code, fixing all the tests I broke, and adding some tests of my own. You can follow along in this branch: https://github.com/discourse/discourse/compare/master...LeoMcA:csp
There are a few seemingly nutty things going on; I’ll explain myself once I’m done.
Here’s what will roughly be left to do after I’ve finished this current work (which I hope to do this week):
- Decide upon a default CSP policy
  - I’ll consult with our resident CSP expert within Mozilla
- Get nginx to fail safe with a restrictive CSP when no CSP is set by Rails
- Write comprehensive documentation for admins wanting to secure their instance as much as possible
  - The default I’m working on right now should “just work” for most instances, but there’s always edge cases upon edge cases
@sam, if you want this placed behind a preference to begin with, so we can see what sort of real world performance impact it’ll have (by testing it on Mozilla Discourse), that’s fine by me.
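One way to make nginx fail safe, as the second item above describes, is an added example that is not part of the post or of the Discourse branch: it assumes Discourse runs behind nginx as a proxied upstream named `discourse`, and relies on nginx omitting an `add_header` field whose value is empty, so the fallback header is emitted only when Rails sent no `Content-Security-Policy` of its own.

```nginx
# Fallback CSP for responses where the Rails upstream set no policy.
# $upstream_http_content_security_policy is the CSP header the upstream
# returned (empty if it sent none). The map is evaluated when the
# response headers are filtered, so it sees the upstream's value.
map $upstream_http_content_security_policy $csp_fallback {
    # Upstream already set a policy: empty value, nginx adds nothing.
    default "";
    # Upstream set nothing: emit a deliberately restrictive policy
    # (assumed example policy; tune to what the instance actually serves).
    ""      "default-src 'none'; frame-ancestors 'none'; base-uri 'none'";
}

upstream discourse {
    server 127.0.0.1:3000;   # assumed address of the Rails app
}

server {
    listen 443 ssl;
    server_name forum.example.invalid;   # placeholder host name

    location / {
        proxy_pass http://discourse;
        # 'always' keeps the fallback on error responses (4xx/5xx) too,
        # which is where an application-set header is most likely missing.
        add_header Content-Security-Policy $csp_fallback always;
    }
}
```

Check it with `curl -sI https://forum.example.invalid/` against a path where Rails sets no policy: exactly one `Content-Security-Policy` header should appear, and on paths where Rails does set one the fallback must not be duplicated alongside it.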