Content security policy

bin/serve.es

@@ -6,7 +6,8 @@ const
     = require ('../middleware')
 
 middleware = [
-  route (`/hello/`, Resource `/resource/fixtures/`)
+  route (`/report/`, Resource `/report/`)
+, route (`/hello/`, Resource `/resource/fixtures/`)
 , route (`/examples/`, Resource `/examples/`)
 ]
 

index.css

@@ -1,3 +1,8 @@
+/*
+  // enough inline styles to paint to fold
+  // Japanese colors - https://en.wikipedia.org/wiki/Traditional_colors_of_Japan#Red.2FViolet_series
+*/
+
 :root {
   --margin: 0 0;
 }
@@ -271,4 +276,3 @@ body > main, body > aside { flex: 1 }
 }
 
 @media (min-width:1300px) { }
-

index.html

@@ -16,6 +16,7 @@
   href=/index.css
   rel='preload stylesheet'
 >
+
 <!--
 <link
   as=fetch
@@ -31,12 +32,6 @@
   href=/examples/header-group>
 -->
 
-
-<style>
-// enough inline styles to paint to fold
-// Japanese colors - https://en.wikipedia.org/wiki/Traditional_colors_of_Japan#Red.2FViolet_series
-</style>
-
 <!-- https://www.speedshop.co/2015/10/21/hacking-head-tags-for-speed-and-profit.html -->
 
 <!-- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/base -->
@@ -937,5 +932,5 @@ <h3>Further Learning</h3>
   <em>Copyright &copy; 2018 A <strong>devPunks</strong> project</em>
 </footer>
 
-<script src=/browser-sync.es></script>
+<script src=/browser-sync.js></script>
 

middleware/README.md

@@ -1,17 +1,50 @@
 # middleware
 
 
+## snuggsi.cors
+
+Cross Origin Resource Sharing
+
+
 ## snuggsi.auth
 
 Middleware used for Authentication.
 
 
 ## snuggsi.security
 
+Browser security for frames and XSS attacks
+
+
+## snuggsi.policy
+
 Middleware used for CSP (Content Security Policy).
 
+  - W3C Web App Security - https://github.com/w3c/webappsec
+  - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
+  - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
+  - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
+  - Wikipedia Documentation - https://en.wikipedia.org/wiki/Content_Security_Policy
+  - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+
+
+### Services
+
+  - Report-Uri - https://report-uri.com
+  - Reporting for security headers https://securityheaders.io
+  - Collection of CSP Bypasses - http://sebastian-lekies.de/csp/bypasses.php
+
+
+### Links
+
+  - Helmet - https://helmetjs.github.io
+  - GOOGLE CSP - https://csp.withgoogle.com/docs/strict-csp.html
+  - Mozilla Security Guidelines - https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
+  - Node Security Platform - https://nodesecurity.io/resources
+  - Github's CSP Journey - https://githubengineering.com/githubs-csp-journey
+  - Github's post-CSP Journey - https://githubengineering.com/githubs-post-csp-journey
 
 ## snuggsi.route
 

middleware/index.es

@@ -6,6 +6,7 @@ module.exports = {
   auth       : require ('./auth')
 , cors       : require ('./cors')
 , security   : require ('./security')
+, policy     : require ('./policy.es') // because .json ❓❓❓
 , browse     : require ('./browse')
 , snuggsi    : require ('./snuggsi')
 , route      : require ('./route')

middleware/index.test

@@ -3,5 +3,9 @@ require ('./cors.test')
 require ('./security.test')
 require ('./snuggsi.test')
 require ('./route.test')
+require ('./policy.test')
+// require ('./compressor.test')
+// require ('./negotiator.test')
+//require ('./librarian.test')
 require ('./assets.test')
 

middleware/policy.es

@@ -0,0 +1,107 @@
+// Can actually charge for this feature // https://report-uri.com/#prices
+
+const
+//schemes   = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
+  header    = 'Content-Security-Policy'
+, SECURE    = true
+// Depending on analytics framework,
+// may want to listen for securitypolicyviolation events
+// with JavaScript and collect more information about the client before reporting.
+, report    = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
+
+, defaults  = ["'self'"] // default-src
+, img       = defaults   // img-src
+, style     = defaults   // style-src
+  // nonce-${nonce} ** MUST BE UNIQUE **
+  //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
+  // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
+  // **THAT BEING SAID...For Safari 😢
+  // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
+, script    = defaults   // script-src Script Nonce for inline <script>
+
+, font      = defaults   // font-src
+, media     = defaults   // media-src
+, connect   = defaults   // connect-src
+, child     = defaults   // child-src
+, frame     = child      // frame-src
+, worker    = script     // worker-src // script-src fallback
+, object    = ["'none'"] // object-src
+, plugin    = ['audio/*', 'video/*'] // plugin-types when object != 'none'
+
+, form      = defaults   // form-action
+, ancestors = defaults   // frame-ancestors
+
+, manifest  = defaults   // manifest-src
+, base      = defaults   // base-uri
+, sandbox   = defaults ||// sandbox
+  [/*
+    allow-forms
+  , allow-popups
+  , allow-modals
+  , allow-scripts
+  , allow-same-origin
+  , allow-presentation
+  , allow-pointer-lock
+  , allow-top-navigation
+  , allow-orientation-lock
+  , allow-popups-to-escape-sandbox
+  */]
+
+, directives = [
+  // Reporting
+    `report-to ${ report.join ` ` }`
+
+  // Fetch
+  , `default-src ${ defaults.join ` ` }`
+  , `img-src ${ img.join ` ` }`
+  , `style-src ${ style.join ` ` }`
+  , `script-src ${ script.join ` ` }`
+
+  , `font-src ${ font.join ` ` }`
+  , `media-src ${ media.join ` ` }`
+  , `connect-src ${ connect.join ` ` }`
+  , `child-src ${ child.join ` ` }`
+  , `frame-src ${ frame.join ` ` }`
+  , `worker-src ${ worker.join ` ` }`
+  , `object-src ${ object.join ` ` }`
+  , !!! object.includes (`'none'`)
+      ? `plugin-types ${ plugin.join ` ` }`
+      : ''
+
+//  Navigation
+  , `form-action ${ form.join ` ` }`
+  , `frame-ancestors ${ ancestors.join ` ` }`
+
+// Document
+  , `base-uri ${ base.join ` ` }`
+  , `manifest-src ${ manifest.join ` ` }`
+  //  `sandbox  ...` is not supported in the <meta> element
+  //  or by the Content-Security-policy-Report-Only header field.
+  //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+  , `sandbox ${ sandbox.join ` ` }`
+
+  // Other
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+  , SECURE
+      ? `block-all-mixed-content`
+      : `update-insecure-requests`
+  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
+//, `require-sri-for ${ integrities.join ` ` }`
+  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+//, `referrer`
+  ]
+
+
+module.exports = async (context, next, policy) => {
+
+  policy = directives.filter (Boolean).join `; `
+
+  context.set ( header, policy)
+
+  'report'
+    in context.request.query
+    && context.set ( `${header}-Report-Only`, policy)
+
+  await next (context)
+}

middleware/policy.json

@@ -0,0 +1,22 @@
+{
+  "secure" : true
+
+, "report-uri"
+    : "https://snuggsi.report-uri.com/r/d/csp/enforce"
+
+, "default-src" : [
+    "'self'"
+  ]
+
+, "img-src" : [
+    "'self'"
+  ]
+
+, "style-src" : [
+    "'self'"
+  ]
+
+, "script-src" : [
+    "'self'"
+  ]
+}