Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Sentinel Journal

## 2024-07-03 - [Missing Content Security Policy in HTML UI]

**Vulnerability:** The HTML application (`studio/index.html`) lacked a Content
Security Policy (CSP), leaving it potentially vulnerable to Cross-Site
Scripting (XSS) attacks. Without a CSP, the browser doesn't restrict the
sources from which resources like scripts, styles, and images can be loaded,
potentially allowing malicious scripts to execute.

**Learning:** Static HTML pages that don't seem to take user input might still
benefit from a CSP to establish defense-in-depth, especially when they might be
deployed as parts of a larger platform or where unexpected data processing
might occur. The application only needs local scripts, CDNJS for font awesome,
and fonts.googleapis.com, making a restrictive CSP easy to define and
implement.

**Prevention:** Implement a Content Security Policy by default for all HTML web
interfaces, specifying exactly which external domains are authorized to serve
scripts, styles, fonts, and images. Always restrict `default-src` to `'self'`
where possible.
19 changes: 19 additions & 0 deletions .markdownlint.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"MD013": false,
"MD033": false,
"MD024": false,
"MD041": false,
"MD022": false,
"MD032": false,
"MD009": false,
"MD031": false,
"MD040": false,
"MD004": false,
"MD012": false,
"MD028": false,
"MD036": false,
"MD025": false,
"MD049": false,
"MD029": false,
"MD060": false
}
1 change: 1 addition & 0 deletions studio/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>RTX⚑ Tech-Debate Viral Poster Studio</title>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com; img-src 'self' data: blob:;">
<!-- Premium Google Fonts -->
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
Expand Down
Loading