Content-Security-Policy #305
Comments
lunny
added
type/enhancement
|
Yes, that should be a class, not inline style :) |
|
As a note: |
|
I'm currently implementing a Content-Security-Policy but we need style-src: unsafe-inline & script-src: unsafe-eval for semantic ui & jquery datetimepicker. |
|
We should get rid of all inline crap. |
|
@tboerger I'm almost done with that (except for labels) but for tooltips semantic ui needs unsafe-inline 😕 |
|
Even tooltips can be perfectly done with data attributes and unobtrusive js. |
|
any news? |
|
Personally, I would appreciate at least adding a content-security-policy header to Gitea, slowly making it more strict as changes are made. At least things like I'd be willing to work on this within the next few days if someone more-acquainted with the codebase isn't up to it! |
|
I'm adding this CSP with nginx: Everything seems to work with this. |
|
@totpet interesting, I tried that too and it seems to work so far, but afais mozilla observatory reports this as -20 score, so it seems to be too lax. |
|
As I said, things like |
|
My policy broke the embedded pdf viewer, because it is loaded as an iframe, and ( |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
techknowlogick
added
the
issue/confirmed
|
Any news on this? Keep in mind the "Gitea behind a reverse proxy" case where Gitea won't be able to change CSP header dynamically. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
New user here. I’d also love to see this sorted out. Beside inlines, I think there are also some evals, because I had to add |
|
@MetroWind to which header? |
|
I used the Mozilla Laboratory to generate the following CSP: Everything seems to work with |
|
This should probably be more like: |
This comment was marked as off-topic.
This comment was marked as off-topic.
@tomposmiko most free softwares don't have dedicated developers who are able to make a living by working on them. Meaning, that you can not rely that a feature or a bugfix will be implemented on one point. It is also important that you understand, that this is not specific to gitea, however. On the plus side, you can usually implement those things by yourself or pay someone to do it. Now it should be clear, that it would need clairvoyant abilities to answer your question properly. Because this is not a commercial product that can afford ensuring due dates for features or bugfixes reliably. |
Not that it is different if your paying for software 😆 |
|
Could we at least make gitea serve its own CSP? IMO it's the responsibility of the app to know what it needs to load and from where. Even if we're not going to implement a safe CSP in the first iteration, I'd suggest starting by providing one and then refining it when we clean the inlines and evals. An even easier first step might be to provide a CSP in the documentation that admins can set on their proxies and after some time implementing it in the code. |
|
Just as a current (2022, gitea 1.16.1) reference point, I have the following policy implemented and haven't had any (
Edit: Amended with below comment (which I can confirm): Admins who would like to tighten that policy up (esp. |
Generally following the above, I ran into Chrome refusing to load a |
|
We should put out a CSP recommendation in the docs as a guidline on how to set up the most strict CSP possible for gitea to work, but I don't see anything else to be done here. |
|
I'm not 100% sure of the details, but surely simply hashing the critical JS would be a solution here? CSP supports this, and it means you'd be able to say that these scripts could be run without anything else being allowed. The hash might change between releases, but I don't imagine that being difficult for folks to deal with if they really care that much over using IMHO the most important aspect of this would be to have similar docs recommending a CSP header for gitea, or having gitea output one itself, even if it does include |
|
Guess we can keep open for docs.
What technique is that? Any more info? |
|
MDN has you covered: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src Essentially, you can add |
|
Hmm I guess we could set a static |
|
If Gitea emitted the CSP-header itself, it could dynamically calculate the hashes of the inline scripts it sends, couldn't it? I wouldn't be surprised if browsers or the standardization committees implement additional measures (in the future if they haven't already) to prevent usage of nonces that are used more than once. |
|
If you're running other resource paths on your frontend and need CSP policies to accommodate their needs, having Gitea generate a full header could be problematic. I found this issue discussing the spec outlining that multiple headers are not to be sent by a server though, but if they are they are evaluated as individuals and not a combined directive. Given what I read in the above, a toggle in app.ini to allow an admin to disable Gitea from generating it's own CSP header has to be present, as the Gitea header may conflict with what they're running in their reverse proxy layer. |
|
Yes, own CSP header is problematic when reverse proxies "Add" instead of "Replace" the header, which I think is the most common configuration. So I think we should just put out a recommendation in docs initially. Also, I do not see inline scripts as the grave security problem that some sites make it out to be. If everything is first-party, a inline script is equivalent to a url-sourced script in terms of security. I would not recommend running third-party scripts on Gitea anyways. |
|
The main benefit of disallowing inline scripts is to proactively prevent XSS and other vulnerabilities from working even if someone manages to get a script tag in the DOM. I agree that the threat model is probably overprotective in some cases, but it's not just about whether there's an external script or not. |
|
Reading MDN nonce it does seem something that would be easy to support, just generate a random number per HTML request and add it to all resource tags (inline or not). If we set CSP ourselves in gitea, it will need extensive configurability so users can include 3rd party resources and the like, e.g. a format in config like |
|
I'm trying to remove inline JS scripts from Gitea, so that we can avoid My main problem is the inline script in templates/base/head_script.tmpl: does anyone have a any idea how to move it to a separate JS file? It is obtained mixing Go templates and Javascript. I'm not an expert on Go templates and can't find a solution to the above problem. The other inline scripts are not many and they do not mix templates and Javascript. I can list them using VS Code (don't consider the ones that start with
|
As one of the people who do a lot of Gitea frontend refactoring works, I would say that avoiding inline |
|
Thank you @wxiaoguang. I think that any reduction of inline scripts is useful for the security of Gitea, although this is an objective often overlooked in favor of others. Maybe I'm particularly sensitive, since the cybersecurity professor just taught us how to carry out XSS attacks 😂 I'll try to study the Gitea code better (and the Go language and its templates) and help out. |
|
Inline scripts can be exempted from CSP by adding a Also, I think there is nothing preventing us from serving a 1st-party CSP. Load balancers can always override or extend it. |
and others
There seems to be a bunch of inline scripts or style rules such as this that don't play nice with CSP. These should be replaced by a CSS class.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: