Address domain and email security findings from report. #465

Open

mikewillems wants to merge 8 commits into staging from mw/sec/domain-and-email-sec

Conversation

@mikewillems (Collaborator)

What is in this PR?

This PR addresses issues identified in 2 analyses / audits of Frankly. Mostly, it hardens browser policies for functions to block XSS attacks. These may need to be separately deployed with firebase deploy --only hosting.

Changes in the codebase

  • 63c9539 - Cherry-pick of @johnnycrich's CSP + nonce implementation 🙏🙏🙏. Adds Content-Security-Policy meta tag with __SCRIPT_NONCE__ placeholders to client/web/index.html, plus nonce attributes on all script tags.

  • bbb06f8 - Fix docs typo: sendgridemail -> sendgridmail in docs/pages/hosting.md and docs/pages/dev.md. Confirmed correct via firebase ext:export.

  • 9632147 - Add email authentication DNS setup instructions (SPF, DKIM, DMARC) to docs/pages/hosting.md with cross-reference from docs/pages/dev.md.

  • 63e8906 - Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy as HTTP response headers in firebase.json for all Firebase Hosting responses.

  • 7a6fc64 - Remove X-Frame-Options and X-Content-Type-Options meta tags from client/web/index.html (browsers ignore these as meta tags; now handled by HTTP headers in firebase.json).

Changes outside the codebase

See internal audit review for out-of-codebase config instructions.

Testing this PR

Not public :P

PR Checklist

  • [NA] Where applicable, I have added localization (l10n) entries to my feature for user-facing text.
  • [NA] For new Cloud Functions, I have added the function to function-mapping.json.

Additional information

AI tools used (if applicable):
NA
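As an added example (not code from the PR or from the Frankly project), the following Python audit demonstrates the two mechanisms the PR description relies on. It parses a CSP string shaped like the meta tag added to index.html and flags the states a reviewer would want to catch (a literal `__SCRIPT_NONCE__` placeholder that was never substituted, a plaintext `http://` script origin, a missing `base-uri`), shows how a per-response nonce substitution would look, and checks a firebase.json-style hosting config for the four header names the PR adds. The CSP text, the firebase.json fragment and the header values are constructed assumptions; only the placeholder name is taken from the PR.

```python
import secrets

# Nonce placeholder exactly as the PR adds it to index.html.
PLACEHOLDER = "__SCRIPT_NONCE__"

# Constructed CSP, modelled on (not copied from) the meta tag in this PR.
SAMPLE_CSP = (
    "default-src 'self'; "
    "worker-src 'self' blob:; "
    "script-src 'self' 'wasm-unsafe-eval' 'nonce-__SCRIPT_NONCE__' "
    "https://www.gstatic.com http://media.twiliocdn.com"
)

# Constructed firebase.json fragment. The PR names these headers but not their
# values, so the values are assumptions; Permissions-Policy is left out on
# purpose so the header audit has something to report.
SAMPLE_FIREBASE_JSON = {
    "hosting": {
        "headers": [
            {
                "source": "**",
                "headers": [
                    {"key": "X-Frame-Options", "value": "DENY"},
                    {"key": "X-Content-Type-Options", "value": "nosniff"},
                    {"key": "Referrer-Policy", "value": "strict-origin-when-cross-origin"},
                ],
            }
        ]
    }
}

REQUIRED_HEADERS = {
    "X-Frame-Options", "X-Content-Type-Options",
    "Referrer-Policy", "Permissions-Policy",
}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> list[str]:
    """Return findings about the script policy; an empty list means no issues."""
    d = parse_csp(policy)
    findings: list[str] = []
    # script-src falls back to default-src when it is absent.
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if any(s.startswith("http://") for s in script):
        findings.append("script-src lists a plaintext http:// origin")
    if f"'nonce-{PLACEHOLDER}'" in script:
        findings.append("nonce placeholder was never substituted")
    # base-uri does not inherit from default-src, so it must be set explicitly
    # to keep 'self'-relative script URLs anchored to this origin.
    if "base-uri" not in d:
        findings.append("base-uri is not set")
    return findings


def render_nonce(html: str) -> tuple[str, str]:
    """Substitute one fresh nonce for every placeholder in a page body.

    Assumption: the page is rendered per response (a function or rewrite in
    front of Hosting). A purely static deploy leaves the literal placeholder
    in place, and audit_csp() reports exactly that.
    """
    nonce = secrets.token_urlsafe(16)
    return html.replace(PLACEHOLDER, nonce), nonce


def audit_hosting_headers(config: dict) -> list[str]:
    """List required headers missing from the catch-all '**' rule in firebase.json."""
    present: set[str] = set()
    for rule in config.get("hosting", {}).get("headers", []):
        if rule.get("source") == "**":
            present.update(h["key"] for h in rule.get("headers", []))
    return sorted(REQUIRED_HEADERS - present)


if __name__ == "__main__":
    print("static CSP:", audit_csp(SAMPLE_CSP))
    rendered, nonce = render_nonce(SAMPLE_CSP)
    print("rendered CSP:", audit_csp(rendered))
    print("firebase.json:", audit_hosting_headers(SAMPLE_FIREBASE_JSON))
```

Running it shows the unsubstituted policy reporting the placeholder finding while the rendered copy does not, which is the check to run against the deployed preview URL's HTML rather than the source file; the sample config deliberately omits Permissions-Policy so the header audit returns it.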

mikewillems and others added 5 commits June 2, 2026 09:38

Document required SPF, DKIM, and DMARC records for preventing
email spoofing. Cross-reference from dev.md to hosting.md.

Code writes to 'sendgridmail' but docs said 'sendgridemail'.
Confirmed via firebase ext:export that the extension watches 'sendgridmail'.

Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy,
and Permissions-Policy headers to all responses served by
Firebase Hosting via firebase.json.

X-Frame-Options and X-Content-Type-Options as meta tags are
ignored by browsers. Both are now set as HTTP response headers
in firebase.json.
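The SPF, DKIM and DMARC commit above documents which DNS records to publish but, like the PR, does not show the records themselves. As an added example (not from the PR or the project), here is a small Python checker for the three record types with the checks a defender would apply before trusting them: SPF must start with v=spf1, stay under the RFC 7208 limit of ten DNS-lookup terms, avoid the deprecated ptr mechanism and end with -all or ~all rather than +all; DMARC must carry a p= policy other than none and an rua= address so reports arrive; a DKIM selector record must carry a non-empty p= key. All sample records, hostnames and the key value are constructed placeholders.

```python
# Constructed sample records. The PR documents SPF/DKIM/DMARC setup, but the
# project's real DNS records are not on the page, so these are illustrative.
GOOD_SPF = "v=spf1 include:sendgrid.net include:_spf.google.com -all"
WEAK_SPF = "v=spf1 include:sendgrid.net a mx ptr +all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"  # not a real key
REVOKED_DKIM = "v=DKIM1; k=rsa; p="

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means it looks sound."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        t = term.lstrip("+-~?").lower()  # strip the qualifier, keep the mechanism
        if t in ("a", "mx", "ptr") or t.startswith(
            ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect=")
        ):
            lookups += 1
        if t == "ptr" or t.startswith("ptr:"):
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all passes every sender; end with -all or ~all")
    elif last == "?all":
        findings.append("?all is neutral, so unauthorized senders are not failed")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("record has no terminal all mechanism")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Return findings for a _dmarc TXT record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings: list[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("required p= tag is missing")
    elif policy.lower() == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings


def audit_dkim(record: str) -> list[str]:
    """Return findings for a DKIM selector TXT record (v= is optional per RFC 6376)."""
    tags = parse_tags(record)
    if "v" in tags and tags["v"] != "DKIM1":
        return ["v= tag present but not DKIM1"]
    if "p" not in tags:
        return ["required p= (public key) tag is missing"]
    if tags["p"] == "":
        return ["empty p= means the key is revoked; mail signed with it will fail"]
    return []


if __name__ == "__main__":
    for name, record, audit in (
        ("good SPF", GOOD_SPF, audit_spf), ("weak SPF", WEAK_SPF, audit_spf),
        ("good DMARC", GOOD_DMARC, audit_dmarc), ("weak DMARC", WEAK_DMARC, audit_dmarc),
        ("good DKIM", GOOD_DKIM, audit_dkim), ("revoked DKIM", REVOKED_DKIM, audit_dkim),
    ):
        print(f"{name}: {audit(record) or 'ok'}")
```

The checks are syntactic only; they do not resolve the include: targets, so the lookup count is a lower bound, and a real check should be run against the records as actually published in DNS rather than against the text in the docs.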
@mikewillems mikewillems marked this pull request as ready for review June 7, 2026 16:39
Copilot AI review requested due to automatic review settings June 7, 2026 16:39

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the web client’s browser security posture (CSP + security response headers) and updates deployment documentation for SendGrid (including correct Firestore collection name and SPF/DKIM/DMARC setup guidance).

Changes:

  • Adds security-related HTTP response headers for Firebase Hosting responses (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
  • Introduces a CSP <meta http-equiv="Content-Security-Policy"> and applies nonce="__SCRIPT_NONCE__" to script tags in the web entrypoint.
  • Updates hosting/dev docs for SendGrid collection name and adds email authentication DNS record instructions.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Files reviewed:

  • firebase.json: Adds default security headers for Firebase Hosting responses.
  • client/web/index.html: Adds CSP meta policy and script nonces to harden against XSS.
  • docs/pages/hosting.md: Fixes SendGrid collection name and documents SPF/DKIM/DMARC setup.
  • docs/pages/dev.md: Fixes SendGrid collection name and links to hosting guidance for DNS auth records.


Comment thread client/web/index.html Outdated
Comment thread client/web/index.html
http-equiv="Content-Security-Policy"
content="default-src 'self';
worker-src 'self' blob:;
script-src 'self' 'wasm-unsafe-eval' 'nonce-__SCRIPT_NONCE__' https://www.gstatic.com https://zencdn.net https://vjs.zencdn.net https://player.vimeo.com http://media.twiliocdn.com https://upload-widget.cloudinary.com https://cdn.jsdelivr.net;
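Review bot: the 'nonce-__SCRIPT_NONCE__' source is only as strong as the step that replaces the placeholder; if index.html is served as a static file, every response carries the same literal string, the nonce is predictable, and the policy is effectively just the host allowlist. Document where the placeholder is substituted per response (a function or rewrite in front of Hosting) and verify it against the preview URL's served HTML rather than the source file. Also spell the Twilio entry as https://media.twiliocdn.com instead of http://media.twiliocdn.com: the http form additionally permits plaintext loads and reads as a deliberate HTTP allowance, while the page itself is served over HTTPS.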
Comment thread client/web/index.html
Comment on lines +128 to +131
<script
nonce="__SCRIPT_NONCE__"
src="//media.twiliocdn.com/sdk/js/video/releases/2.17.1/twilio-video.min.js"
></script>
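Review bot: the protocol-relative src="//media.twiliocdn.com/..." takes the scheme of the page, while the CSP hunk above lists this host as http://media.twiliocdn.com, so the two disagree; write https:// explicitly in both places to remove the ambiguity. Since this is a pinned third-party release (2.17.1), it is also a candidate for Subresource Integrity (integrity="sha384-..." with crossorigin="anonymous"), which a nonce does not give you: the nonce says which tags may execute, SRI says which bytes may, provided the CDN serves the CORS headers SRI requires.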
Comment thread client/web/index.html
Comment on lines +102 to +105
<script
nonce="__SCRIPT_NONCE__"
src="https://www.gstatic.com/firebasejs/8.6.1/firebase-app.js"
></script>
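Review bot: with https://www.gstatic.com already in script-src, the nonce on this tag is redundant and the policy still behaves as a host allowlist. If the intent is a nonce-based policy, consider adding 'strict-dynamic' so nonced scripts may load their own dependencies without enumerating CDN hosts; that makes browsers ignore the host list and 'self', so every script tag, including same-origin ones, must carry the nonce, which the PR description says is already the case. Separately, confirm that firebase-app.js 8.6.1 is the SDK version the client code actually targets, since the CSP now pins what may load from this host.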
@github-actions github-actions Bot commented Jun 7, 2026

Visit the preview URL for this PR (updated for commit 736995f):

https://gen-hls-bkc-7627--pr465-mw-sec-domain-and-em-oehek6dk.web.app

(expires Fri, 26 Jun 2026 20:33:05 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: eed668cca81618d491d024574a8f8a6003deaa8d

@katherineqian katherineqian changed the title Mw/sec/domain and email sec Address domain and email security findings from report. Jun 8, 2026

@katherineqian katherineqian (Collaborator) left a comment

Thank you for addressing these findings!

The main outstanding issue I'm encountering is that the preview build on staging is failing to load the app -- looks like some of the security policies may be too strict and blocking critical functionality. See my console output.

Console output

Comment thread docs/pages/dev.md

- Uses a Firestore extension. Emails definitions are written to the firestore collection sendgridemail.
- Configure the firestore extension "Trigger Email" firebase/firestore-send-email@0.1.9 with your sendgrid info
- Uses a Firestore extension. Email definitions are written to the Firestore collection `sendgridmail`.
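Review bot: the replacement shown covers only the first removed line; the removed instruction to configure the "Trigger Email" extension firebase/firestore-send-email@0.1.9 with SendGrid details has no visible counterpart in this hunk. Confirm that guidance was kept (or moved to hosting.md and linked from here) rather than dropped, since the sendgridmail collection fix is only useful if readers still learn how to install and configure the extension that watches it.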

Collaborator

Nice catch!

katherineqian and others added 2 commits June 12, 2026 15:23
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>