RW & addons in general, CSP3 and unsafe-inline JavaScript

@joeworkman and/or @dan

It would be helpful if either RW itself or RW plugins/stacks would support hashing inline styles and JavaScript when HTML files are generated/published, or throw out a style-src CSP snippet with all hashed inline CSS for copy & pasting, e.g. something like this:

'sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs='
'sha256-813i06waEiG5NRkGknqRiKi6L9t4XAVXmsGJvURmCgo='
'sha256-yHCKKR1p9FKMWXgtxr5WJWfzO83Hv8fXUu+WYnfB63E='

Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. It would be a huge benefit if RW and/or plugins would support this.

From the user’s point of view: there is no way to use CSP-hashed scripts or styles within RW. Even if I try to hash everything by myself outside RW (e.g. in Coda or other HTML editors), after each “Publish” there is whitespace which breaks the current hashes and I am forced to do everything again. This is quite nice.
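The whitespace problem described in the post above can be made concrete: a browser hashes the exact bytes between the opening and closing tag of each inline block, so any re-indentation introduced at publish time yields a different digest. The script below is an added example, not code from RapidWeaver or any of its add-ons; it extracts inline `<script>` and `<style>` bodies from a constructed sample page, emits `'sha256-…'` source expressions in the form quoted above, and shows that a purely cosmetic reformat invalidates a hash. The HTML sample and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import re

# Constructed sample page (not from any real RapidWeaver project):
# one inline script, one external script, two inline style blocks.
SAMPLE_HTML = """<!doctype html>
<html><head>
<style>body { margin: 0; }</style>
<script>console.log("hello");</script>
<script src="/js/app.js"></script>
</head><body>
<style>
.hero { color: red; }
</style>
</body></html>"""

# Matches <script ...>...</script> and <style ...>...</style>, keeping the
# attribute string and the raw body. Non-greedy so adjacent blocks do not merge.
INLINE_RE = re.compile(r"<(script|style)\b([^>]*)>(.*?)</\1>", re.IGNORECASE | re.DOTALL)


def csp_hash(content: str) -> str:
    """Return the CSP source expression for one inline block.

    The hash covers the UTF-8 bytes between the tags exactly as served,
    including leading/trailing newlines and indentation.
    """
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_hashes(html: str) -> dict:
    """Collect hashes of inline script and style bodies, grouped by directive."""
    out = {"script-src": [], "style-src": []}
    for tag, attrs, body in INLINE_RE.findall(html):
        tag = tag.lower()
        # A <script src=...> is an external resource; its (empty) body is not
        # an inline script and must not be hashed.
        if tag == "script" and re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        directive = "script-src" if tag == "script" else "style-src"
        h = csp_hash(body)
        if h not in out[directive]:
            out[directive].append(h)
    return out


def csp_header(html: str) -> str:
    """Build a script-src / style-src policy that allows only same-origin
    resources plus the exact inline blocks found in the page."""
    hashes = inline_hashes(html)
    parts = []
    for directive in ("script-src", "style-src"):
        parts.append(directive + " 'self' " + " ".join(hashes[directive]))
    return "; ".join(parts)


def hash_survives_reformat(original: str, reformatted: str) -> bool:
    """True only if a reformatted block still matches the original hash.

    This is the check a publish step would have to pass to keep a
    previously generated policy valid.
    """
    return csp_hash(original) == csp_hash(reformatted)


if __name__ == "__main__":
    print("Content-Security-Policy: " + csp_header(SAMPLE_HTML))
    # Demonstrate the breakage the post complains about: same CSS, extra whitespace.
    print(hash_survives_reformat("body{margin:0}", "body { margin: 0 }"))
```

Run it to print a policy for the sample page; the final line prints `False`, because adding spaces inside an otherwise identical style block changes its digest. Any tool that wants to emit a reusable `style-src` snippet therefore has to hash the bytes it actually writes to disk, after all whitespace handling is finished.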

You’re correct. There’s currently no way to accomplish hashing inline scripts for security policy compliance in RapidWeaver. Theme and stack developers will need to learn CSP, and add feature support.

I’m not disputing the value. However, immediacy of support is unlikely. Some learning needs to happen. While CSP headers have existed for a while, they are just now starting to gain momentum as a security practice. For example, Blue Cross Blue Shield (BCBS) scores a D, and they’re subject to HIPAA guidelines for protecting data. SquareSpace, a popular SaaS web-builder-and-host, scores an F. Mozilla scores a B+ with ‘unsafe-inline’.

To reiterate, I’m not suggesting that BCBS is an argument for not supporting CSP headers, only that they reflect the current state of CSP on the web. You’re ahead of the curve, and that’s great! However, being a leader sometimes leaves you in a position where you need to wait for dependencies, and help others to catch up. Personally, I love what you’re doing. :smile:

This forum is a great place to raise awareness of practices that improve the security posture of users. To advance the cause, I suggest submitting feature requests to developers through their advertised support channels. Be prepared to share your experience, and offer some education. To some, you’ll be introducing new subject matter.

I hope this helps. I’m a supporter of what you’re working to achieve.

You’re absolutely right on the state of CSP and the web. Just check the Mozilla Observatory numbers: 95% of checked websites are vulnerable to simple cross-site attacks. Dare I ask what about SQL injections and data leaks. The reason why I am so keen on RW is the fact that it’s not an overblown web content management system like WordPress, Joomla etc. It just generates plain HTML and CSS (and sometimes PHP) files. It’s a security bonus RW clearly owns. Therefore I encourage RS and addon creators to raise awareness of and support for the latest security technologies like CSP, but also clean, uncluttered code with fewer dependencies on linked 3rd-party cloud resources. If RW and Foundation would decide to support CSP tomorrow, heck no doubt, I would pay 100 bucks again.


Since this is not just a Foundation issue and everyone wants safer sites, it might be a good idea to change the title. As this is obviously not JUST a Foundation problem.


Done, but: please try to start supporting CSP. Stop using inline CSS styles, pre-hash static libs or non-changing modules; you (as a member of team Joe Workman) could show more engagement in website security. I would welcome this (and pay for it!).

I don’t do any actual creating for Joe, just support. I do know Joe has looked into this and has discussed it (in fact, it was discussed in last week’s hangout). So it is something on his radar; when he will make it part of his products is unknown to me.

We addon developers are only able to use what’s provided by the platforms (RW, Stacks Plugin).


As I said early on in this thread, I will look into this for the next version of Foundation. Do not expect any updates around this for the existing version though.

Good news, and yes, I can understand you and all other addon devs that you can only use what RW offers…