bit, warn on configurable list of world-writable domains in csp headers #2571

Closed
underdarknl opened this issue Feb 28, 2024 · 1 comment · Fixed by #2624
@underdarknl (Contributor)

Is your feature request related to a problem? Please describe.
We should create a bit that does the following:
for all domains allow-listed in CSP headers:
check if the domain is listed in a list of configured dangerous domains.

This list could be a config_ooi listing domains like:

Those domains can host any JS or files from anyone, which immediately negates the whole point of using CSP to allow only secure domains.

Describe alternatives you've considered
Don't use a config; just hard-code the list in the bit.
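An added example of the check described in this request, written here as illustration and not taken from OpenKAT's own bits or from the issue author: it splits a Content-Security-Policy header into directives, extracts the host of every host-source in the fetch directives, and flags any host that equals, sits under, or (via a `*.` wildcard) covers a domain on the configured list. The domain list and the sample header are constructed placeholders under the reserved `.example` TLD, standing in for the config_ooi the issue proposes; the directive names come from the CSP3 specification.

```python
"""Flag CSP source hosts that belong to configured world-writable domains (added example)."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed placeholder list. The issue proposes loading this from a config_ooi;
# the .example TLD is reserved, so none of these names resolve.
WORLD_WRITABLE_DOMAINS = {
    "uploads.example",  # anyone can upload files that are served back verbatim
    "pastes.example",   # public paste site
    "short.example",    # URL shortener: redirects to arbitrary targets
}

# CSP3 fetch directives whose values are source lists; other directives
# (report-uri, frame-ancestors, ...) are not allow-lists for loaded content.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "prefetch-src",
}

# host-source: [scheme://] host [:port] [/path], where host may carry a "*." prefix
# or be a bare "*".
_HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"
    r"(?P<host>(?:\*\.)?[a-z0-9.-]+|\*)"
    r"(?::(?:\d+|\*))?"
    r"(?:/.*)?$",
    re.IGNORECASE,
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into directive -> source list.

    Per the spec, a repeated directive name is ignored after its first occurrence.
    """
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def host_of(source: str) -> str | None:
    """Return the host of a host-source; None for keywords ('self', nonces,
    hashes), scheme-only sources such as data:, and anything unparseable."""
    if source.startswith("'") or source.endswith(":"):
        return None
    m = _HOST_SOURCE.match(source)
    return m.group("host").lower() if m else None


def matches(host: str, domain: str) -> bool:
    """True if host is the configured domain, a subdomain of it, or a wildcard
    that covers it (including a wildcard broader than the domain itself)."""
    if host.startswith("*."):
        base = host[2:]
        return base == domain or base.endswith("." + domain) or domain.endswith("." + base)
    return host == domain or host.endswith("." + domain)


def find_world_writable_sources(
    header: str, dangerous: Iterable[str] = WORLD_WRITABLE_DOMAINS
) -> list[tuple[str, str, str]]:
    """Return (directive, source, matched_domain) for every allow-listed source
    that resolves to a configured world-writable domain."""
    wanted = {d.lower().strip(".") for d in dangerous}
    findings: list[tuple[str, str, str]] = []
    for directive, sources in parse_csp(header).items():
        if directive not in FETCH_DIRECTIVES:
            continue
        for src in sources:
            host = host_of(src)
            # A bare "*" allows every host; that is a separate finding and is
            # out of scope for this list-based check.
            if host is None or host == "*":
                continue
            for domain in sorted(wanted):
                if matches(host, domain):
                    findings.append((directive, src, domain))
    return findings


# Constructed sample header exercising a subdomain, a wildcard, and a port/path form.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example https://static.uploads.example 'nonce-abc123'; "
    "img-src * data:; "
    "connect-src https://api.example https://*.pastes.example; "
    "frame-src short.example:443/go/"
)

if __name__ == "__main__":
    for directive, source, domain in find_world_writable_sources(SAMPLE_CSP):
        print(f"{directive}: {source} allows content from world-writable {domain}")
```

The wildcard rule deliberately fires when a source such as `https://*.example` is broader than a configured domain, since it still permits that domain; a bit that wants fewer findings can drop the last clause of `matches`.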

@underdarknl underdarknl added this to KAT Feb 28, 2024
@github-project-automation github-project-automation bot moved this to Incoming features / Need assessment in KAT Feb 28, 2024
@underdarknl (Contributor, Author)

https://github.com/mayakyler/link-shorteners is a list of URL shorteners, which by definition are also world-writable.

@noamblitz noamblitz moved this from Incoming features / Need assessment to Review in KAT Mar 11, 2024
@github-project-automation github-project-automation bot moved this from Review to Done in KAT Apr 4, 2024