Remix security improvements - Ethereum Foundation

Remix security improvements

Organization

Ethereum Foundation

Deadline

N/A

Status

LIVE


INSTRUCTIONS

Some security-related HTTP headers are not set, and a third-party JavaScript file is included without an integrity checksum, on https://remix.ethereum.org/

Details

  1. Please consider limiting the possibility of clickjacking, embedding Remix in a frame and the other risks described in https://owasp.org/www-project-secure-headers/ by adding the following headers to responses at https://remix.ethereum.org/:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: origin-when-cross-origin
X-XSS-Protection: 0

The CORS header is also currently set to a wildcard (Access-Control-Allow-Origin: *), which is a possible CORS misconfiguration. It should be evaluated whether this could be restricted to the Remix subdomain only.

The proposed Content-Security-Policy header is also only a minimal version; it may benefit from more precise tuning based on the specifics of Remix.
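As an added example (not part of the original task description), the following Python audits a set of response headers against the list above and flags the wildcard CORS value. The expected values are the ones listed on this page; the two response header sets in the code are constructed samples, not responses captured from remix.ethereum.org, and the single-origin CORS value in the hardened sample is an assumption.

```python
"""Header audit for the recommendations above.

Added example, not part of the original task page. The expected values are
the ones listed on the page; the two response header sets below are
constructed samples, not captured from remix.ethereum.org.
"""
from typing import Dict, List

# Recommended headers and values from the task description (names are
# matched case-insensitively, as HTTP requires).
EXPECTED: Dict[str, str] = {
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "origin-when-cross-origin",
    "x-xss-protection": "0",
}


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names and strip surrounding whitespace."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse a CSP value into {directive: [sources]}.

    "frame-ancestors 'none'; default-src 'self'" ->
    {"frame-ancestors": ["'none'"], "default-src": ["'self'"]}
    """
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; [] means all clear."""
    h = normalize(headers)
    findings: List[str] = []
    for name, expected in EXPECTED.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"missing: {name} (expected '{expected}')")
        elif name == "content-security-policy":
            # The page calls its CSP a minimal version that may be tuned
            # further, so only require that frame-ancestors is present.
            if "frame-ancestors" not in csp_directives(actual):
                findings.append("weak: content-security-policy has no frame-ancestors directive")
        elif actual.lower() != expected.lower():
            findings.append(f"weak: {name} is '{actual}' (expected '{expected}')")
    # Wildcard CORS is the misconfiguration the page points out.
    if h.get("access-control-allow-origin") == "*":
        findings.append("cors: Access-Control-Allow-Origin is the wildcard '*'")
    return findings


# Constructed sample: a response missing most of the recommended headers.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: the same response after applying the recommendations,
# with CORS restricted to a single origin (assumed value, not the page's).
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "https://remix.ethereum.org",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "origin-when-cross-origin",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("before", SAMPLE_RESPONSE_HEADERS), ("after", HARDENED_RESPONSE_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The CSP check deliberately only requires a frame-ancestors directive rather than an exact value, since the page itself says the proposed policy is a minimal one to be tuned; the other headers are compared against the exact recommended values.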

  2. A script tag loading content from a third-party domain does not use an integrity attribute:
<script src="https://kit.fontawesome.com/41dd021e94.js" crossorigin="anonymous"></script>
should be updated to:
<script src="https://kit.fontawesome.com/41dd021e94.js" integrity="sha384-o52g9S/nRjb7E0gDheriK0UVPLDYRi7q+ac3yMjKtSsIFVvVke7woNMO8uSfIHn9" crossorigin="anonymous"></script>
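As an added example (not part of the original task description), the following Python computes a Subresource Integrity token the way the recommended tag uses it, checks a fetched body against an integrity attribute with the browser's strongest-algorithm rule, and rewrites a tag that lacks the attribute. The script body and the tag host (cdn.example.invalid) are constructed placeholders, not the FontAwesome kit, and the hash is computed from that sample rather than taken from the page.

```python
"""Subresource Integrity helper for the script-tag recommendation above.

Added example, not part of the original task page. The script body and the
tag below are constructed samples (cdn.example.invalid is a placeholder);
the hash is computed, not copied from the page.
"""
import base64
import hashlib
import re
from typing import List

# Algorithms SRI permits, ordered by strength; browsers only compare against
# the strongest algorithm present in the attribute.
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algo not in SRI_STRENGTH:
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(body: bytes, integrity: str) -> bool:
    """Apply the browser's rule: keep the tokens of the strongest algorithm
    present and pass if any of them matches the fetched body."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_STRENGTH]
    if not tokens:
        # No parsable token means the attribute imposes no check at all;
        # an audit should treat that as 'no checksum', so report False.
        return False
    strongest = max(SRI_STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(
        sri_hash(body, t.partition("-")[0]) == t
        for t in tokens
        if SRI_STRENGTH[t.partition("-")[0]] == strongest
    )


def script_tag_findings(tag: str) -> List[str]:
    """Flag a <script src> tag that loads from another origin without SRI."""
    findings: List[str] = []
    if not re.search(r'\bintegrity="[^"]+"', tag):
        findings.append("no integrity attribute")
    if not re.search(r"\bcrossorigin=", tag):
        # Without crossorigin the browser cannot verify a cross-origin
        # response against the integrity value.
        findings.append("no crossorigin attribute")
    return findings


def add_integrity(tag: str, body: bytes, algo: str = "sha384") -> str:
    """Insert integrity="..." computed over `body` into a tag lacking it."""
    if re.search(r"\bintegrity=", tag):
        return tag
    return re.sub(
        r"(<script\b[^>]*?)(\s*/?>)",
        lambda m: f'{m.group(1)} integrity="{sri_hash(body, algo)}"{m.group(2)}',
        tag,
        count=1,
    )


# Constructed sample body and tag (placeholder host, not the FontAwesome kit).
SAMPLE_BODY = b"window.demoKit = function () { return 'constructed sample'; };\n"
SAMPLE_TAG = '<script src="https://cdn.example.invalid/kit.js" crossorigin="anonymous"></script>'

if __name__ == "__main__":
    print("before:", script_tag_findings(SAMPLE_TAG))
    fixed = add_integrity(SAMPLE_TAG, SAMPLE_BODY)
    print(fixed)
    print("after:", script_tag_findings(fixed))
    print("tampered body matches:", integrity_matches(SAMPLE_BODY + b"//x", sri_hash(SAMPLE_BODY)))
```

Pinning a hash ties the page to one exact version of the third-party file: if the provider changes the file in place, the browser refuses to execute it until the integrity value is recomputed and redeployed. That is the intended failure mode, but it means the hash needs to be regenerated as part of the dependency update process rather than set once.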