Prevent CSS based HTTP leaks

[seisvelas]

According to Cure53, our current use of WebViews leaves open the possibility of an HTTP leak, akin to the following:

<em style="background: url('https://leak-here.com/test')">hello</em>

One proposed solution was a content security policy, possibly implemented via a meta tag. The closest a CSP can come to this would be banning user created style attributes entirely. If we're okay with that, then a CSP is the perfect solution.

If we are not okay with that, then our next best bet is CSS sanitization, which is much more involved.

There may be other ways this could be addressed, let me know your thoughts or if you have alternative measures you'd like to discuss.

[tomholub]

Hmm, I think we want to permit inline CSS for rich html. But I don't want to permit this CSS to then be able to fetch any remote content. From your research, there isn't any CSP that we could use to achieve that?

[seisvelas]

Actually, this might be doable. Consider the following CSP:

<meta http-equiv="Content-Security-Policy" content="img-src 'self'; manifest-src 'self'; media-src 'self'; media-src 'self'; object-src 'self'">

It stops the example Cure53 gave while still permitting inline styles. I tested it locally, but feel free to play around with it yourself. I'm curious to see what Cure53 says about it, as there may well be an obvious workaround I'm missing.

[tomholub]

@DenBond7 is the and type of tags added in Kotlin or in Node?

[DenBond7]

I don't modify http on my side. Just use as is. So I think it's on the Node side.

…

On Fri, Jun 12, 2020, 20:12 Tom J ***@***.***> wrote: @DenBond7 <https://github.com/DenBond7> is the and type of tags added in Kotlin or in Node? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#895 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAV3BDUUSD5ZSVZBPRD24BDRWJOWNANCNFSM4N25C77Q> .