paulanthonywilson

paulanthonywilson

Phoenix Blog Post: Content Security Policy configuration (in Phoenix with LiveView)

I had a bit of a mini-adventure following Sobelow’s advice on adding a CSP to a Phoenix App. If you want to follow along, or want to add a CSP to your own Phoenix App, then I wrote all about it here.


Posted via Devtalk (see this thread for details).

Most Liked

paulanthonywilson

paulanthonywilson

Oh, thanks. I do find security things both fascinating and scary; sometimes I teeter on the edge of despairing that it’s all too complicated and one slip will make all the efforts pointless.

On first read I get

  • Don’t use Angular (kind of ironic from a Google paper)
  • Definitely steer clear of JSONP.
  • 'unsafe-inline' is bad. (Also unsafe-eval). The “unsafe” part is a bit of a hint.
  • Unsafe domains are a thing to consider, if I wanted to use 3rd party analytics or something. :thinking:
egranty

egranty

Nice manual! It fills the niche of “how to publish a CSP header in Phoenix”, while for other platforms Node.js, Wordpress, etc there is a lot articles.

It is only more correct to link to the official source Content Security Policy (CSP) - HTTP | MDN, since content-security-policy.com is an outdated site with incorrect information. For instance the wrong script-src 'nonce-r@nd0m' is shown right on the main page - the @ character is not allowed in the ‘nonce-value’.

The 2016 paper out of Google refered below is not actual.
In 2016 IE had 30% of the market but did not support CSP. Other browsers, except for Chrome, were supported CSP very poorly too.
Many third party javascript libraries required 'unsafe-inline' and some also required 'unsafe-eval'.
Popular site engines (CMS) also required rework in their scripts and styles.

Now things changed and Content Security Policy has become a de facto “must have” standard - every browser extension or web app must have it.

Security requirements have increased, Chrome extensions do not allow 'unsafe-inline' at all, Firefox extensions with a policy that use 'unsafe-eval' / 'unsafe-inline' keywords, allowing loading of external scripts and resources, as well as blob: files, are not allowed for extensions listed on addons.mozilla.org due to major security issues.

The situation is somewhat complicated by Safari browser, which is stuck at the CSP2 level.
Nonetheless all serious sites that work with personal data (Twitter, Facebook, Google, …) or money transfers (Paypal, etc.). have a CSP.

In addition to XSS attacks, CSP protects against ads substitution and injecting third-party ads, and prevents users from being tracked on the Internet.
So your article is very relevant for ordinary webmasters as well.

PS: To the principle “When it comes to CSP, just about any policy is better than none” from Sobelow’s documentation, I can add: “safety is never enough”.

corvus

corvus

“When it comes to CSP, just about any policy is better than none” - Sobelow’s documentation

There’s a 2016 paper out of Google that found most sites CSP policies don’t work, https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf

worth reading if you’re interested in the subject

Where Next?

Popular in Blog Posts Top

SmartLogic
Season four of the Elixir Wizards podcast launches today! This season we’re focused on system and application architecture. We’ll be doin...
New
biportal
Hi, I recently thought about a name for this Stack: Rust + Elixir + Phoenix. I came up with Runix (RuNix) and blogged about it on Medium....
New
jordiee
https://medium.com/@jpiepkow/distributed-state-is-hard-5a0d384c2f3c
New
brainlid
Building a LiveView powered chat app is easier than ever when using Streams! Sophie DeBenedetto shows us how in this article. She createa...
New
AstonJ
Elixir Blog Posts How to use this section You can post links to your blog posts either in one of the Official Blog Posts threads, or, vi...
New
AstonJ
I think <span class="hashtag-icon-placeholder"></span>liveview is going to be a big topic in the foreseeable future, so wondering whether...
New
rms.mrcs
https://medium.com/the-realreal-product-tech-blog/monitoring-hackney-connection-pools-with-telemetry-3aaeafa8eeb8 Hi, everyone! In this ...
New
gaggle
This post explores different ways to do test automation in Elixir, focusing on how to handle dependency injection — covering patterns, li...
New
wmnnd
Hey there, I’ve started a little blog series about building and deploying Elixir applications. Now I would like to share with you the fi...
New
bram209
Hello everyone, I just published my first blog post ever. I am learning Elixir, OTP &amp; Phoenix and wanted to start a blog for a while...
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement