[Tails-dev] More tails.boum.org HTTP response headers?

Author: Alster
Date:  
To: tails-dev
CC: root
Subject: [Tails-dev] More tails.boum.org HTTP response headers?
Hi again,

I propose to add the following HTTP headers to all Tails web pages (it's
sufficient to send these for HTTP responses for "Content-Type:
text/html" only, though applying it globally doesn't hurt):

X-Frame-Options:
SAMEORIGIN

X-XSS-Protection:
1; mode=block

X-Content-Type-Options:
nosniff

Content-Security-Policy:
default-src 'self' tails.boum.org *.tails.boum.org;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src *;
media-src *;
object-src 'self';
frame-src 'self';
frame-ancestors 'self';
child-src 'self';
reflected-xss block;

(Newlines were added to improve readability only.)



Reasoning and links to documentation:

X-Frame-Options:
Prevents content hosted on tails.boum.org from being embedded in an
(I)FRAME on other web sites (such as part of a click-jacking or
phishing attack). Interpreted by Firefox, Chrome, Internet Explorer,
Opera, Safari.
http://tools.ietf.org/html/rfc7034

X-XSS-Protection:
Instructs Internet Explorer 8+ to use its internal XSS filter (which
is mostly broken but makes use for this part) to block reflective XSS.

http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

X-Content-Type-Options:
Instructs Internet Explorer 8+ to not use content sniffing, a method
similar to running GNU file (with MIME magic) on any downloaded content
as a means of determining its content (and how it should be handled /
parsed), overriding the Content-Type header sent by the webserver. I.e.
a very silly idea in the first place, that's been in use by IE for years.
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

Content-Security-Policy:
A measure to prevent XSS and other attacks. This one can be
problematic if you tend to rely on remotely hosted content other than
images and HTML5 audio/video. There are means to have browsers notify
you when they run into situations where their interpretation of your
sites' CSP restricts them from loading page content, though. And luckily
the web pages on tails.boum.org do not seem to depend on much or any
remotely hosted content, so you should be in one of the best imaginable
positions to apply a CSP. Interpreted by Firefox, Chrome, Opera, Safari.
http://www.w3.org/TR/CSP/
http://www.w3.org/TR/2014/WD-CSP11-20140211/
https://www.owasp.org/index.php/Content_Security_Policy
https://github.com/oxdef/csp-tester
http://developer.chrome.com/extensions/contentSecurityPolicy



I'd be happy to discuss these in more detail with anyone interested in
applying them. Especially the CSP header may require a closer look. I
think it's worth the effort for this website, though.

These headers should be reviewed about a year from now since hopefully
more of them will be standardized and implemented by then. Namely
X-Frame-Options and X-XSS-Protection should have been included into CSP
at this time, and CSP 1.1 should be finalized (deprecating some elements
of 1.0 I'm suggesting to use above).


(On a side note, I'm now subscribed to tails-dev and should get to see
any further discussion on this topic).

Alster
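
An added example, not part of the original message and not Tails project code: a small check that compares the headers of a response with the set proposed above, directive by directive for the CSP. The names `parse_csp`, `audit` and the `SAMPLE` response are constructed for illustration.

```python
# Added example (not from the original message): compare a response's
# headers with the header set proposed above. SAMPLE is constructed.
PROPOSED = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "content-security-policy": (
        "default-src 'self' tails.boum.org *.tails.boum.org; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline'; img-src *; media-src *; "
        "object-src 'self'; frame-src 'self'; frame-ancestors 'self'; "
        "child-src 'self'; reflected-xss block;"),
}
SAMPLE = {  # constructed response headers, as a deployment might send them
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; img-src *; "
                               "script-src 'self'; script-src *",
}

def parse_csp(policy):
    """Split a CSP value into {directive: set of source expressions}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: keep the first.
            out.setdefault(tokens[0].lower(), set(tokens[1:]))
    return out

def audit(headers):
    """List where `headers` departs from the proposal (sorted strings)."""
    got = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing header: {h}" for h in PROPOSED if h not in got]
    for h in ("x-frame-options", "x-xss-protection", "x-content-type-options"):
        if h in got and got[h].lower() != PROPOSED[h].lower():
            findings.append(f"{h}: got {got[h]!r}")
    if "content-security-policy" in got:
        want = parse_csp(PROPOSED["content-security-policy"])
        have = parse_csp(got["content-security-policy"])
        for d in set(want) | set(have):
            if have.get(d) != want.get(d):
                state = "absent" if d not in have else " ".join(sorted(have[d]))
                findings.append(f"csp {d}: {state}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Feeding `audit` the headers captured from a real response (for example from a saved `curl -I` output turned into a dict) shows which of the proposed headers or CSP directives were dropped or altered on the way to the client.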