Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Question about CDN affect on CSP header -- seeking clarification #1534

Open
kwwall opened this issue Nov 7, 2024 · 2 comments
Open

Question about CDN affect on CSP header -- seeking clarification #1534

kwwall opened this issue Nov 7, 2024 · 2 comments

Comments

@kwwall
Copy link
Collaborator

kwwall commented Nov 7, 2024

This is a question that I'm asking for clarification. Depending on the answer, I may turn it into an Update request.

In https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#3-content-security-policy-meta-tag, it states:

Sometimes you cannot use the Content-Security-Policy header if you are, e.g., Deploying your HTML files in a CDN where the headers are out of your control.

In this case, you can still use CSP by specifying a http-equiv meta tag in the HTML markup ...

How exactly do CDNs affect CSP response headers? Because this is a security-specific header, I would be extremely surprised it any CDN would deliberately alter CSP headers by default. I think doing so could potentially make the companies liable for allowing XSS vulnerabilities that otherwise would have been blocked. Hence, it seems doubtful to that that they would do this by default. They almost certainly change some other response headers, such as Cache-Control, Pragma, Expires, etc.,
but Content-Security-Policy? That sounds like an urban myth to me. And while CSP may add CSP headers, I think CDNs would avoid even that (unless it's only for reporting), as otherwise they could break something. But changing or deleting the header as the CDN's default behavior? That seems far-fetched to me and I'm not buying it without some evidence.

My only comparison point is for AWS CloudFront, where someone pointed me to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-responseheaderspolicy-contentsecuritypolicy.html. If you look at it, you will see a required JSON key named "Override" that is a boolean value, for which the documentation states is:

A Boolean that determines whether CloudFront overrides the Content-Security-Policy HTTP response header received from the origin with the one specified in this response headers policy.

Thus, for AWS CloudFront at least, it seems as though the default is "hands-off" unless its explicitly told to override the value. Granted, that's only a single data point, but that seems like it would be the intuitive behavior to me.

So, can someone perhaps provide some clarification to this? If there are CDNs that muck with CSP headers by default, so anyone have any evidence? That's all I'm looking for is a bit of clarification.

@kwwall
Copy link
Collaborator Author

kwwall commented Nov 7, 2024

P.S.- I'd move this to a GitHub Discussions page, but this repo doesn't have one.

@jmanico
Copy link
Member

jmanico commented Nov 7, 2024

Your skepticism is fair: CDNs don’t alter CSP headers by default. The use of a tag for CSP is generally recommended in environments where header control is limited, not because CDNs are altering or stripping CSP headers. If there are specific cases where CDNs modify CSP headers by default, they would be outliers, and evidence of such behavior would likely be documented due to the potential security implications.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants