
Feature request: Content Security Policy #8160

@josteink

Description

@josteink

What would you like to see in luci?

The router is one of the most security-sensitive devices I have on my network. If that gets hijacked, all else will fall.

Therefore it is incredibly important to do defense in depth, and one incredibly powerful security measure is not yet implemented by OpenWRT & Luci: Content Security Policy.

Without a Content Security Policy, a browser will allow any script from any source to do anything it wants inside the active browser window. This means the smallest kind of JS-error may result in complete takeover of the browser-session.

A Content Security Policy header serves to tell the browser "only these things are allowed, and only from these sources", effectively preventing 99% of browser-based attacks. And it's really easy to implement.

Doing some simple experimentation in the browser, I've added this HTML meta-tag after the fact, and it seems to work on the pages I've tested:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'trusted-types-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline';">

This CSP effectively limits the Luci web-app to only allow:

  • scripts from its own origin/IP, and nowhere else.
  • css from its own origin/IP, and nowhere else.
  • images from its own origin/IP, and nowhere else.
  • fetch/etc from own origin/IP, and nowhere else.
  • (etc)

Softening exceptions:

  • Allow javascript to use inline scripts, eval() and trusted types.
  • Allow CSS to use inline styles.
  • Allow IMG-tags with data:-type URLs.

I think this represents a serious security hardening, especially given how little effort it takes to implement.

This is obviously best inserted as an HTTP response header, rather than an HTML meta-tag, but this was what I was able to experiment with, without the need for fully building Luci from source :)

Could this perhaps make it for 25.12? 😁
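To make the effect of the proposed policy concrete, here is an added example (not from the issue author or the LuCI project) that parses the CSP quoted above, resolves the default-src fallback for fetch directives, and answers "would this load be allowed?" for a few resource URLs. The page origin http://192.168.1.1 and the URLs are constructed; the matcher is deliberately simplified (no wildcard hosts or path matching) and also reports which directives still carry the 'unsafe-inline' / 'unsafe-eval' softening exceptions.

```python
from urllib.parse import urlsplit

# The policy quoted in the issue above (copied verbatim).
ISSUE_CSP = ("default-src 'self'; "
             "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'trusted-types-eval'; "
             "img-src 'self' data:; style-src 'self' 'unsafe-inline';")

# Source keywords that weaken the policy (the "softening exceptions" in the issue).
WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Per the spec the first occurrence of a directive wins; duplicates are ignored.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives that are absent fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def allows(policy, directive, url, page_origin):
    """Would a page served from page_origin be allowed to load url under directive?

    Simplified matcher: handles 'none', 'self', '*', scheme sources such as data:,
    and exact host sources. Wildcard hosts and path matching are not implemented.
    """
    parts = urlsplit(url)
    url_origin = f"{parts.scheme}://{parts.netloc}"
    for src in effective_sources(policy, directive):
        if src == "'none'":
            return False
        if src == "*" or (src == "'self'" and url_origin == page_origin):
            return True
        if src.endswith(":") and parts.scheme == src[:-1].lower():
            return True  # scheme source, e.g. data:
        if not src.startswith("'") and src in (url_origin, parts.netloc):
            return True  # exact host source
    return False


def weak_directives(policy):
    """Report which directives still carry 'unsafe-inline' / 'unsafe-eval'."""
    return {d: sorted(WEAK_KEYWORDS & set(v)) for d, v in policy.items()
            if WEAK_KEYWORDS & set(v)}
```

Run against the issue's policy, a script from a third-party host or a WebSocket to another host is refused while same-origin scripts, XHR/fetch calls and data: images pass; the report shows that script-src and style-src are the two directives whose hardening is still limited by the inline/eval exceptions.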
