Description
- CSP Improvements (for WebSite)
https://www.phpmyadmin.net/ returns the following CSP header:
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/; img-src 'self' https://www.google-analytics.com/ https://www.paypalobjects.com/; style-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'
2.1) Change Google Analytics loading
The current Google Analytics snippet requires 'unsafe-inline' in script-src.
fix (applying either of the options below lets 'unsafe-inline' be removed from script-src):
move the inline code into an external file
https://stackoverflow.com/questions/30939809/google-analytics-js-and-content-security-policy
or generate a hash for the inline script:
https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage
2.2) Dynamic CSP usage
The https://www.paypalobjects.com/ entry in img-src is needed only on some pages, such as:
https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/donate.html#L31
https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/sponsors.html#L126
2.3) More Strict CSP Policy
A form action attribute pointing to https://www.paypal.com/ is used in the pages below:
website/pmaweb/templates/donate.html (line 22 in 92720e9)
website/pmaweb/templates/sponsors.html (line 113 in 0da92e1)
thus use the form-action directive to whitelist the allowed action locations:
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives#form-action
- Missing CSP Policy
visiting:
https://www.phpmyadmin.net/fff/
result:
no CSP policy is sent, and the page also loads JavaScript from https://linkhelp.clients.google.com/ (which needs to be added to the script-src directive):
https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/404.html#L23
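The following is an added example, not code from this issue or from the phpmyadmin/website repository, showing how points 2.1, 2.2, 2.3 and the missing-policy case fit together in one per-page policy builder: the inline script is allowed by its CSP2 sha256 hash instead of 'unsafe-inline', the paypalobjects image source and the PayPal form-action are added only on the donate and sponsors templates, and the 404 template gets its extra script source. The template names used as keys are an assumption for illustration; the sources are the ones named above. A small audit function flags the weaknesses the issue reports when run over the header quoted at the top.

```python
import base64
import hashlib

# Base policy for every page. It follows the header quoted in the issue with two
# changes: 'unsafe-inline' is dropped from script-src (2.1) and the paypalobjects
# entry moves out of img-src into the per-page extras (2.2). form-action does not
# fall back to default-src, so it is set explicitly on every page (2.3).
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://www.google-analytics.com/"],
    "img-src": ["'self'", "https://www.google-analytics.com/"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "child-src": ["'none'"],
    "object-src": ["'none'"],
    "form-action": ["'self'"],
}

# Per-template additions. The template names are assumed keys for illustration;
# the sources are the ones named in the issue.
PAGE_EXTRAS = {
    "donate.html": {
        "img-src": ["https://www.paypalobjects.com/"],
        "form-action": ["https://www.paypal.com/"],
    },
    "sponsors.html": {
        "img-src": ["https://www.paypalobjects.com/"],
        "form-action": ["https://www.paypal.com/"],
    },
    "404.html": {
        "script-src": ["https://linkhelp.clients.google.com/"],
    },
}


def script_hash(inline_script: str) -> str:
    """CSP2 hash-source for one inline <script> body.

    The digest must cover the script text exactly as it appears between the
    <script> tags, whitespace included; any edit to the snippet changes the hash.
    """
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(template: str, inline_scripts=()) -> str:
    """Return the Content-Security-Policy header value for one template."""
    policy = {directive: list(sources) for directive, sources in BASE_POLICY.items()}
    for directive, sources in PAGE_EXTRAS.get(template, {}).items():
        policy.setdefault(directive, []).extend(sources)
    for script in inline_scripts:
        policy["script-src"].append(script_hash(script))
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def parse_csp(header: str) -> dict:
    """Split a policy string into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> list:
    """Flag the weaknesses the issue raises in a policy string (or its absence)."""
    policy = parse_csp(header)
    if not policy:
        return ["no CSP header sent"]
    findings = []
    if "'unsafe-inline'" in policy.get("script-src", []):
        findings.append("script-src allows 'unsafe-inline'; use hashes or external files")
    if "form-action" not in policy:
        findings.append("form-action missing; forms may submit to any origin")
    return findings


if __name__ == "__main__":
    # Constructed inline snippet standing in for the analytics bootstrap code.
    print(build_csp("donate.html", inline_scripts=["window.dataLayer = [];"]))
    print(audit_csp(build_csp("404.html")))
```

In a Django app such as pmaweb the natural place for build_csp is a middleware that sets the header on every response, including error pages, so that the 404 case cannot slip through; note that the hash covers the script body byte for byte, so the header must be regenerated whenever the snippet in the template changes.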