I'd like to finish deploying content security policy headers across Gosora.
The front-end has fairly good coverage, minus one spot I'd like to fix, but the control panel is completely lacking CSP coverage and I'd like to address this.
The content security policy has now been rolled out across most of the software, although a few endpoints have been explicitly whitelisted so that the header isn't pushed on those pages; those shouldn't be a security risk, but I would still like to break their reliance on inline scripts, since that reliance is what precludes deploying the CSP there.
I would also like to adapt the CSPs pushed in the software, so that we don't white-list domains like YouTube on pages where it's impossible for their content to appear. This should give another margin of security, especially with my upcoming privacy setting plans.
I would also like to look into how I can harden the CSP parameters further, to make it harder for adversaries to mount attacks without breaking any existing functionality. I also want to look into options such as feature policy headers and script hashes to see what else is available for security hardening going forward.
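The three ideas above (a narrower policy per page class, removing inline-script reliance via hashes, and a feature/permissions policy header) can be combined in a single `net/http` middleware. The following is an added example written for this issue, not Gosora's own code: the route prefixes (`/topic/`, `/panel/`), the embed origins, and `panelInlineScript` are assumptions chosen for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CSPPolicy is the policy for one class of page. Origins that can never appear
// on a page class are simply left out, so a YouTube embed is only permitted
// where user-posted media can actually render.
type CSPPolicy struct {
	ScriptSrc    []string // script origins, e.g. 'self'
	FrameSrc     []string // origins allowed inside <iframe>, e.g. video embeds
	ScriptHashes []string // 'sha256-...' tokens for inline scripts kept on purpose
}

// ScriptHash returns the CSP source token for an inline script body. The page
// can then keep that exact inline script without 'unsafe-inline'; changing a
// single byte of the script makes the browser refuse to execute it.
func ScriptHash(inline string) string {
	sum := sha256.Sum256([]byte(inline))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// Header serialises the policy into a Content-Security-Policy header value.
func (p CSPPolicy) Header() string {
	scripts := append(append([]string{}, p.ScriptSrc...), p.ScriptHashes...)
	frames := p.FrameSrc
	if len(frames) == 0 {
		frames = []string{"'none'"} // no embeds allowed unless listed explicitly
	}
	return "default-src 'self'; script-src " + strings.Join(scripts, " ") +
		"; frame-src " + strings.Join(frames, " ") +
		"; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
}

// panelInlineScript stands in for an inline script the control panel still
// relies on (constructed placeholder, not a real Gosora script).
const panelInlineScript = "document.getElementById('panel').classList.add('ready');"

// Route prefixes and embed origins below are assumptions for this example.
var (
	embedOrigins = []string{"https://www.youtube.com", "https://www.youtube-nocookie.com"}
	basePolicy   = CSPPolicy{ScriptSrc: []string{"'self'"}}
	topicPolicy  = CSPPolicy{ScriptSrc: []string{"'self'"}, FrameSrc: embedOrigins}
	panelPolicy  = CSPPolicy{ScriptSrc: []string{"'self'"}, ScriptHashes: []string{ScriptHash(panelInlineScript)}}
)

// PolicyFor picks the narrowest policy that still lets the page class work.
func PolicyFor(path string) CSPPolicy {
	switch {
	case strings.HasPrefix(path, "/topic/"):
		return topicPolicy
	case strings.HasPrefix(path, "/panel/"):
		return panelPolicy
	default:
		return basePolicy
	}
}

// CSPMiddleware sets the policy headers before the page handler writes its body
// (response headers must be set before the first Write).
func CSPMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", PolicyFor(r.URL.Path).Header())
		// Permissions-Policy is the successor of the Feature-Policy header;
		// deny browser features a forum never needs.
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		next.ServeHTTP(w, r)
	})
}

// CSPFor serves a request for path through the middleware and returns the
// Content-Security-Policy value a client would receive.
func CSPFor(path string) string {
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "<html>ok</html>")
	})
	rec := httptest.NewRecorder()
	CSPMiddleware(page).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	for _, p := range []string{"/", "/topic/1", "/panel/"} {
		fmt.Printf("%-10s %s\n", p, CSPFor(p))
	}
}
```

The per-route switch is the part that tightens the policy: the front page and the control panel never receive a `frame-src` entry for the video hosts, so an injected embed on those pages is blocked outright, and the panel's remaining inline script is pinned by its hash instead of a blanket `'unsafe-inline'`, which is how the whitelisted endpoints could eventually be brought under the policy as well.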