Content Security Policy with Google Ads

Content Security Policy is a relatively new header that is starting to be promoted, and browsers such as Firefox 4 will enforce it. Considering the benefits that it and the X-Frame-Options header offer, it would be foolish not to look into them.
These headers try to do one thing: prevent some of the most common web attacks (clickjacking, XSS, and data injection).

However, Google Ads requires some setup: you have to allow it in more than one source directive. In my testing, the ad host has to appear in both allow and script-src, and script-src needs a second ad domain as well.

Mantis has already implemented this in its source code, but the policy it ships is so restrictive that it breaks a lot of integrations. SimpleMachines.org uses Mantis as its bug tracking software, and CSP happened to break everything from working correctly in Firefox 4.

So after some testing with Firefox 4 and reading the CSP documentation, I came up with the following header (which you can see for yourself, with the proper tools installed, by visiting Mantis on SimpleMachines.org).

		// Mozilla's X-Content-Security-Policy syntax (Firefox 4): "allow" is the default source list
		// for any load type without its own directive, and "options" re-enables inline and eval scripts.
		header( "X-Content-Security-Policy: allow 'self' http://pagead2.googlesyndication.com; options inline-script eval-script; img-src 'self' *; script-src 'self' http://*.simplemachines.org http://pagead2.googlesyndication.com http://googleads.g.doubleclick.net; style-src 'self' http://*.simplemachines.org; frame-ancestors 'none'" );

Note that img-src is set to 'self' and *. The wildcard lets the page load remote images; although this lowers security, there is no other simple way to support remote avatars. Note also that "options inline-script eval-script" turns inline scripts and eval back on, which gives up much of the XSS protection CSP is meant to provide, so this policy mostly restricts where external scripts and styles may be loaded from. The header gets nasty in length, and I do worry, in setups where the headers are even longer, whether all of them still fit in one packet. But this is the price you pay for security.
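To see why the ad host has to be listed twice, it helps to evaluate the policy the way a browser does: a load type with its own directive (script-src, img-src, style-src) uses only that directive, and anything else (frames, for instance) falls back to allow. The evaluator below is an added example, not code from the post or from Mantis, written against the X-Content-Security-Policy draft syntax used above. It assumes a constructed page origin (http://bugs.example.org) and simplifies two things: a source expression without a scheme inherits the page's scheme, and ports are compared only when the expression names one. It does not model frame-ancestors, which restricts who may frame the page rather than what the page may load.

```javascript
// Added example: minimal evaluator for the Mozilla X-Content-Security-Policy
// (Firefox 4 era) syntax. Not the browser's real implementation.

const SELF = 'http://bugs.example.org'; // constructed protected-document origin (assumption)

// The policy from the post, as one header value.
const POLICY =
  "allow 'self' http://pagead2.googlesyndication.com; " +
  "options inline-script eval-script; " +
  "img-src 'self' *; " +
  "script-src 'self' http://*.simplemachines.org http://pagead2.googlesyndication.com http://googleads.g.doubleclick.net; " +
  "style-src 'self' http://*.simplemachines.org; " +
  "frame-ancestors 'none'";

// Same policy with the ad hosts left out of script-src (constructed for comparison):
// the ad host is still in `allow`, but that no longer helps scripts.
const POLICY_WITHOUT_AD_SCRIPTS =
  "allow 'self' http://pagead2.googlesyndication.com; " +
  "script-src 'self' http://*.simplemachines.org";

// Parse "name src src; name src ..." into a Map of directive name -> source expressions.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

// Does a single source expression ('self', 'none', *, or scheme://host[:port]
// with an optional leading *. wildcard) match the given URL?
function sourceMatches(expr, url, self) {
  const target = new URL(url);
  const page = new URL(self);
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === page.origin;
  if (expr === '*') return true; // any scheme, any host: the remote-avatar wildcard
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // an expression we cannot parse never matches
  const scheme = (m[1] || page.protocol.slice(0, -1)).toLowerCase(); // assumption: inherit page scheme
  if (scheme !== target.protocol.slice(0, -1)) return false;
  const host = m[2].toLowerCase();
  const targetHost = target.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    // *.example.org matches subdomains only, not the bare domain
    if (!targetHost.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && host !== targetHost) {
    return false;
  }
  if (m[3] && m[3] !== '*' && m[3] !== (target.port || defaultPort(scheme))) return false;
  return true;
}

// loadType is 'script', 'img', 'style', 'frame', ...: use "<type>-src" when the
// policy has it, otherwise fall back to `allow` (later renamed default-src).
function isAllowed(policy, loadType, url, self = SELF) {
  const sources = policy.get(`${loadType}-src`) || policy.get('allow') || [];
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// Constructed ad and avatar URLs run through the post's policy.
function adLoadReport() {
  const p = parsePolicy(POLICY);
  return {
    adScript: isAllowed(p, 'script', 'http://pagead2.googlesyndication.com/pagead/show_ads.js'),
    doubleclickScript: isAllowed(p, 'script', 'http://googleads.g.doubleclick.net/pagead/ads'),
    forumScript: isAllowed(p, 'script', 'http://www.simplemachines.org/js/script.js'),
    strangerScript: isAllowed(p, 'script', 'http://attacker.example/x.js'),
    adFrame: isAllowed(p, 'frame', 'http://pagead2.googlesyndication.com/pagead/ads'), // via allow
    frameFromDoubleclick: isAllowed(p, 'frame', 'http://googleads.g.doubleclick.net/pagead/ads'), // not in allow
    remoteAvatar: isAllowed(p, 'img', 'https://www.gravatar.com/avatar/abc.png'), // via *
    adStyle: isAllowed(p, 'style', 'http://pagead2.googlesyndication.com/a.css'),
    adScriptAllowOnly: isAllowed(parsePolicy(POLICY_WITHOUT_AD_SCRIPTS), 'script',
      'http://pagead2.googlesyndication.com/pagead/show_ads.js'),
  };
}

console.log(adLoadReport());
```

The last two entries are the practical point: once script-src exists, allow no longer covers scripts, so an ad host listed only in allow (adScriptAllowOnly) is blocked, while a frame from a host listed only in script-src (frameFromDoubleclick) is blocked too because frames fall back to allow. Each host therefore has to be listed under every load type it is fetched as.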
