feat(web): tighten CSP and add cross-origin isolation headers #42
Merged
The nightly ZAP baseline surfaced a second tier of findings once the initial security headers were in place. Address the real ones and triage the rest:

- Scope CSP connect-src to the exact WebTransport origin (the request host on wt_port) instead of the 'https:' scheme wildcard, building the header per-request. Fixes ZAP 10055 'Wildcard Directive'.
- Add the cross-origin isolation headers (COEP require-corp, COOP same-origin, CORP same-origin); the console embeds no third-party content. Fixes ZAP 90004.
- Triage the remaining passive findings as IGNORE in .zap/rules.tsv: timestamp and private-IP disclosure (false positives / our own placeholder in the minified bundle), Modern Web Application (informational), and style-src 'unsafe-inline' (required by the Emotion/MUI toolkit).

Verified by running the ZAP baseline locally against the stub stack: 0 WARN-NEW.
🤖 The nightly ZAP baseline surfaced a second tier of findings once the initial security headers (#39) were in place — ZAP runs deeper passive checks once a CSP exists. This resolves the real ones and triages the rest. Verified by running the ZAP baseline locally against the stub stack: 0 WARN-NEW.

Fixed in code

- `connect-src` no longer uses the `https:` scheme wildcard. It now names the exact WebTransport origin (the request host on `wt_port`, reconstructed the same way `auth::handle_connect` builds `wt_url`), so the header is built per-request.
- `Cross-Origin-Embedder-Policy: require-corp`, `Cross-Origin-Opener-Policy: same-origin`, and `Cross-Origin-Resource-Policy: same-origin`. The console embeds no third-party content, so full site isolation is safe.

Triaged as IGNORE in `.zap/rules.tsv`

- `style=` attributes. Can't be dropped without server-side nonce templating of the embedded SPA. The rest of the CSP stays tight in code and is guarded by a unit test.
- `10.0.0.1` is an example placeholder in a host-entry form field (`Services.tsx`).

Notes

- `COEP: require-corp` changes resource-loading semantics in the browser; the Playwright e2e suite exercises the real app and will catch any regression.
- Spec item `transport.http.security-headers` updated accordingly, with the unit test extended to assert the precise `connect-src` origin and the isolation headers.
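The per-request header construction and the unit-test check the PR describes, as an added example that is not the project's own code: it uses only the Rust standard library, the function names (`host_without_port`, `webtransport_origin`, `security_headers`, `connect_src_sources`) are hypothetical and do not mirror `auth::handle_connect`, the `wt_port` value and Host header values are constructed, and every CSP directive other than `connect-src` and `style-src 'unsafe-inline'` is an assumed baseline rather than the project's actual policy. It also goes slightly beyond the text by handling bracketed IPv6 Host values and by refusing to emit headers when the Host header is unusable, instead of falling back to a wildcard.

```rust
// Added example (not the project's code). Builds the CSP with an exact
// WebTransport origin plus the cross-origin isolation headers, per request.

/// Extract the host name from a `Host` header value, dropping any port.
/// Bracketed IPv6 literals keep their brackets so the rebuilt origin stays valid.
fn host_without_port(host_header: &str) -> Option<String> {
    let h = host_header.trim();
    if h.is_empty() {
        return None;
    }
    if h.starts_with('[') {
        // "[::1]" or "[::1]:8443": keep everything up to and including ']'
        let end = h.find(']')?;
        return Some(h[..=end].to_string());
    }
    // Plain host[:port]; reject anything that could smuggle a wildcard or
    // path into the origin we are about to write into the policy.
    let name = h.split(':').next()?;
    if name.is_empty() || name.contains(|c: char| c.is_whitespace() || c == '/' || c == '*') {
        return None;
    }
    Some(name.to_string())
}

/// The exact WebTransport origin for this request: the host the client used,
/// on the (assumed) WebTransport port `wt_port`.
fn webtransport_origin(host_header: &str, wt_port: u16) -> Option<String> {
    Some(format!("https://{}:{}", host_without_port(host_header)?, wt_port))
}

/// Per-request security headers. Returns None when the Host header is
/// unusable so the caller can refuse the request rather than widen the policy.
fn security_headers(host_header: &str, wt_port: u16) -> Option<Vec<(&'static str, String)>> {
    let wt = webtransport_origin(host_header, wt_port)?;
    // Directives other than connect-src / style-src are an assumed baseline.
    let csp = format!(
        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; \
         img-src 'self' data:; connect-src 'self' {}; frame-ancestors 'none'; \
         base-uri 'self'; form-action 'self'",
        wt
    );
    Some(vec![
        ("Content-Security-Policy", csp),
        ("Cross-Origin-Embedder-Policy", "require-corp".to_string()),
        ("Cross-Origin-Opener-Policy", "same-origin".to_string()),
        ("Cross-Origin-Resource-Policy", "same-origin".to_string()),
    ])
}

/// The kind of assertion the PR's unit test makes: list the sources named by
/// connect-src so a test can check there is exactly 'self' plus one origin.
fn connect_src_sources(csp: &str) -> Vec<String> {
    csp.split(';')
        .map(str::trim)
        .find(|d| d.starts_with("connect-src"))
        .map(|d| d.split_whitespace().skip(1).map(String::from).collect())
        .unwrap_or_default()
}

fn main() {
    // Constructed Host header values, including two that must be rejected.
    for host in ["console.example.test:8443", "[::1]:8443", "", "bad host"] {
        match security_headers(host, 4433) {
            Some(headers) => {
                for (name, value) in headers {
                    println!("{host:?}: {name}: {value}");
                }
            }
            None => println!("{host:?}: rejected, no usable Host header"),
        }
    }
}
```

Because the origin is derived from the request, the check that matters in a test is that `connect-src` carries no scheme-only source such as `https:` and exactly one `https://host:port` entry; a static snapshot of the whole header would miss a regression that reintroduced the wildcard alongside the origin.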