Using CSP (Content Security Policy) with a custom protocol

I'm in a bit of a pinch, developing a fund broker site.

As part of our security policies, CSP is implemented across our servers, but now, we're implementing communication with desktop software supplied by Scandinavian banks (BankID).

With this, a problem arises: to open the BankID desktop software, a link should be clicked with a custom protocol, looking like this:

bankid://?orderref=[GUID]&autostarttoken=[GUID]

As I'm sure you understand, I'm having serious problems allowing this link through our CSP policies. My searches have yielded no results, and I have run out of ideas.

I have tried attempting to allow a wildcard domain under the protocol thus:

Content-Security-Policy: default-src 'self' bankid://*;

It works perfectly if I turn off CSP, so it's definitely the issue.

Anyone have any experience with this? Any help is greatly appreciated.


EDIT

After a few more hours searching, I found the following on the Mozilla Wiki:

We need an application delivery mechanism that provides assurances on app integrity and authenticity, and also allows for well-defined application & privilege scope enforcement so integrity can be maintained at runtime.

And further:

Privileged and certified apps will be accessed via a unique scheme (app://). The domain will correspond to the app id.

I'm not sure if this would be applicable, but if I read this right, it means that Mozilla are considering how to tackle this very issue.

Helge Talvik Söderström asked Aug 18 '15 02:08




1 Answer

It seems that you were very close to the solution; you only have to alter the syntax a little bit. By removing the slashes it should work just fine.

Content-Security-Policy: default-src 'self' bankid:;

To summarize:

  • Quotes ("'): NO
  • Slashes (//): NO
  • Colon (:): YES
Justus Romijn answered Nov 09 '22 01:11
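To make the difference between the asker's `bankid://*` and the answer's `bankid:` concrete, here is an added example (not part of the question or the answer) that models how a CSP source list is matched against a URL. It is a simplified model of the CSP3 source-expression matching rules, not a browser implementation: a scheme-source (`scheme:`) matches any URL with that scheme, `'self'` matches the page's own origin, and a host-source (`[scheme://]host`) is only matched against URLs that actually have a host. Treating a host-less custom-protocol URL as not matching any host-source is the assumption that reproduces the asker's observation. The policy strings are the ones from the thread; the origin, the link URL and the GUIDs are constructed sample values.

```python
"""Simplified CSP source-list matcher for fetch-style directives such as default-src.

Assumption: this is a simplified model of CSP3 'match url to source expression',
written for illustration. It is not the browser's implementation.
"""
from urllib.parse import urlsplit


def parse_directive(policy: str, name: str) -> list[str]:
    """Return the source expressions of directive `name` from a serialized
    Content-Security-Policy header value, or [] if the directive is absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name.lower():
            return parts[1:]
    return []


def is_scheme_source(expr: str) -> bool:
    """scheme-source = scheme ":"  (e.g. "bankid:") -- no quotes, no "//", no host."""
    return len(expr) > 1 and expr.endswith(":") and "/" not in expr


def url_matches_expression(url: str, expr: str, page_origin: str) -> bool:
    """Does `url` match one source expression for a document at `page_origin`?"""
    u = urlsplit(url)

    # Keyword source: 'self' is the page's own scheme + host + port.
    if expr == "'self'":
        o = urlsplit(page_origin)
        return (u.scheme.lower(), u.netloc.lower()) == (o.scheme.lower(), o.netloc.lower())

    # Scheme source: any URL with that scheme matches, host or no host.
    if is_scheme_source(expr):
        return u.scheme.lower() == expr[:-1].lower()

    # Host source: [scheme "://"] host [":" port] [path]
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = "", expr
    host_part = rest.split("/")[0].split(":")[0]

    if scheme and u.scheme.lower() != scheme.lower():
        return False
    # A URL such as "bankid://?orderref=..." has no host, so no host-source
    # can match it (assumption of this model; this is what makes "bankid://*" fail).
    if not u.hostname:
        return False
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        return u.hostname.lower().endswith(host_part[1:].lower())
    return u.hostname.lower() == host_part.lower()


def url_allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """True if any expression in `directive` of `policy` allows `url`."""
    sources = parse_directive(policy, directive)
    return any(url_matches_expression(url, e, page_origin) for e in sources)


# Constructed sample values: a broker site origin and a BankID autostart link.
PAGE_ORIGIN = "https://broker.example"
BANKID_URL = ("bankid://?orderref=11111111-2222-3333-4444-555555555555"
              "&autostarttoken=66666666-7777-8888-9999-000000000000")

POLICY_WITH_SLASHES = "default-src 'self' bankid://*;"   # the asker's attempt
POLICY_SCHEME_ONLY = "default-src 'self' bankid:;"       # the answer's fix

if __name__ == "__main__":
    for label, policy in (("bankid://*", POLICY_WITH_SLASHES), ("bankid:", POLICY_SCHEME_ONLY)):
        ok = url_allowed(policy, "default-src", BANKID_URL, PAGE_ORIGIN)
        print(f"{label:<10} allows BankID link: {ok}")
```

Running it prints that the `bankid://*` policy does not allow the link while `bankid:` does; the same functions can be pointed at a real header value and URL when checking a deployed policy before rolling it out.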