Add content security policy headers to free.law
This isn't terribly hard, except that it means revisiting all our pages to make sure we don't use any <script> tags or inline JavaScript.
See more details here: https://infosec.mozilla.org/guidelines/web_security#content-security-policy
When the time comes to add them, we just need to tweak our existing Lambda@Edge distribution (in N.Virginia, which already adds a few other security headers for us).
A researcher recently suggested that we add X-XSS-Protection headers, but MDN says we should add CSP headers instead and that X-XSS-Protection is outdated.
I went ahead and added the X-XSS-Protection header. It's no harm, and it can only help. But I don't think it really matters, since we don't usually embed user-generated content on the site. The process to do it was to update the Lambda function and to then deploy it to Lambda@Edge. Note that that is different from just deploying it.
I took another brief pass at this today and came up with:
Content-Security-Policy = "default-src 'self'; connect-src 'self' https://matomo.courtlistener.com; script-src 'self' https://matomo.courtlistener.com; img-src 'self' https://matomo.courtlistener.com; style-src 'self' https://matomo.courtlistener.com; frame-src 'self' *.youtube.com *.courtlistener.com *.legaltalknetwork.com; object-src 'none'"
But it didn't work. In Firefox, I got messages like:
The page’s settings blocked the loading of a resource at inline xyz
Which means Next.js uses inline stuff. There are guides about this, but I think they're going to amount to allowing inline JS. Since we're SSG anyway, I'm not sure much of this matters, but if somebody wants to take another stab at this, Netlify's deploy mode works nicely.