add CSP info for Discourse 2.2
diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 27d4fef..190282f 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -27,6 +27,8 @@ There are 2 main scenarios we protect against: 2. **Markdown displayed on the page invokes an XSS.** To protect against client side preview XSS, Discourse uses [Google Caja](https://developers.google.com/caja/) in the preview window. +3. [**CSP is on by default** for all Discourse installations](https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243) as of Discourse 2.2. It can be switched off in the site settings, but it is default on. + On the server side we run a whitelist based sanitizer, implemented using the [Sanitize gem](https://github.com/rgrove/sanitize). See the [relevant Discourse code](https://github.com/discourse/discourse/blob/master/lib/pretty_text.rb). In addition, titles and all other places where non-admins can enter code are protected either using the Handlebars library or standard Rails XSS protection.
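Review bot: The new item 3 in this hunk contradicts the unchanged lead-in "There are 2 main scenarios we protect against", and unlike items 1 and 2 it describes a mitigation (CSP being enabled) rather than a scenario being protected against; either update the count and reword the item as a scenario (e.g. a stored or reflected script that reaches the page despite sanitization, which CSP then blocks from executing), or move the CSP sentence out of the numbered list into the mitigation paragraph that follows ("On the server side we run a whitelist based sanitizer..."). Also, "It can be switched off in the site settings, but it is default on." repeats what the bolded lead already says; consider naming the specific site setting an admin would look for instead of restating the default, and note briefly that disabling it removes a defence-in-depth layer for the XSS cases the document describes.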