This issue proposes adding the base-uri directive to our Content Security Policy (CSP) to enhance security by controlling the base URL used for resolving relative URLs in our web application. The base-uri directive restricts where <base> elements can point, helping mitigate certain types of injection attacks and preventing the unintended manipulation of relative URL resolution.
Why Add base-uri?
Mitigates Injection Attacks:
Attackers may attempt to inject a malicious <base> element into the HTML document, redirecting relative URLs (e.g., links, resources) to an unauthorized or malicious domain.
Improves Application Integrity:
Ensures that all relative URLs resolve to trusted origins, maintaining control over URL resolution behavior.
Protects user experience and data by preventing exploitation of relative links.
Aligns with Security Best Practices:
Adding base-uri to CSP strengthens the policy against attacks targeting URL resolution, complementing other directives like script-src and form-action.
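An added example (not bedrock's code) that checks a CSP header value for the weakness this issue describes and builds the report-only header the maintainers would trial first; the sample policy string and the directive and function names are constructed for illustration.

```python
from typing import Dict, List, Optional

REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            name, *sources = tokens
            directives[name.lower()] = sources
    return directives

def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Rebuild a header value from the parsed directives."""
    return "; ".join(" ".join([name, *srcs]) for name, srcs in directives.items())

# Source expressions that still let an injected <base> point at any host.
OVERLY_BROAD = {"*", "http:", "https:"}

def base_uri_finding(policy: str) -> Optional[str]:
    """Describe the weakness, or return None when base-uri is restricted.

    base-uri does not fall back to default-src, so a policy that omits it
    leaves <base> unrestricted even when default-src is 'self'.
    """
    sources = parse_csp(policy).get("base-uri")
    if sources is None:
        return "base-uri absent: <base> may point to any origin (no default-src fallback)"
    broad = sorted(OVERLY_BROAD & set(sources))
    if broad:
        return f"base-uri too broad: {' '.join(broad)}"
    return None

def add_base_uri(policy: str, value: str = "'none'") -> str:
    """Add base-uri to a policy that lacks it; an existing value is kept."""
    directives = parse_csp(policy)
    directives.setdefault("base-uri", [value])
    return serialize_csp(directives)

def report_only_trial(policy: str) -> Dict[str, str]:
    """Header to deploy first so violations are reported rather than enforced."""
    return {REPORT_ONLY_HEADER: add_base_uri(policy)}

if __name__ == "__main__":
    # Constructed sample policy, not the site's real header.
    current = "default-src 'self'; script-src 'self' https://cdn.example; form-action 'self'"
    print(base_uri_finding(current))
    print(report_only_trial(current))
```

Once the report-only run shows no base-uri violations, the same value can be moved into the enforcing Content-Security-Policy header.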
There don't seem to be any <base> elements set visibly from a quick search, and I also don't recall any env settings to inject it for some deployments (e.g. don't see it being used even in test.bedrock.nonprod.webservices.*) so the goal is perhaps to set it to 'none', right?
The public-facing site should be fine; the question is whether Wagtail doesn't need that for anything, but the only base use I can spot is in targets for opening new windows, so a RO test-drive should surface any violations, but hopefully there would be none. 🤞