You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
it would also be useful in cases like you want to see images in a message but not really 100% trust there can never be bad content (an example is if you receive webhook, the sender might not have properly sanitized the markdown)
Describe the solution you'd like
A config or admin option to whitelist which URLs can be rendered. On the WebUI we serve a CSP header to prevent images not in the whitelist from being updated. Something like (untested):
An option to globally disable all remote images (will need to rely on the markdown renderer's correctness).
Additional context
The logic of interpolating %CONFIG% when serving the UI at runtime may need to be refactored. The general idea is to precompute the script content, hash it and write it in the CSP header.
The text was updated successfully, but these errors were encountered:
This should already be configurable via additional headers, at least for the browser part. I'm not sure if I'd want to change the default here, as this likely breaks some setups.
Do you think this should be a native feature, or would a hardening guide on the website be enough?
The reason is I want it to be in the server is to make it consistent on all clients: we cannot expect every client (including our own Android version) to fully parse any valid CSP (the specs are huge and I don't think it is a good idea to loosely parse a CSP added via a reverse proxy, may break things or cause bypass). I think it would be good if we can just take the subset (URL expressions) which would work across all clients.
Okay, understood, can be added to gotify. Do you know how other apps with user generated content handle this? It would be cool to have a client independent solution.
I am thinking about two ways to do this, one is a /meta endpoint for all the server-wide configuration/information, another one is to use one of the reserved message extras to set into the messages (which provides some more flexibility for potential message-specific policies but will make messages bigger).
Is your feature request related to a problem? Please describe.
It would be a strong protection against things like this:
GHSA-xv6x-456v-24xh
GHSA-3244-8mff-w398
it would also be useful in cases like you want to see images in a message but not really 100% trust there can never be bad content (an example is if you receive webhook, the sender might not have properly sanitized the markdown)
Describe the solution you'd like
A config or admin option to whitelist which URLs can be rendered. On the WebUI we serve a CSP header to prevent images not in the whitelist from being updated. Something like (untested):
Content-Security-Policy: default-src 'self'; img-src 'self' data: https://my.images.net/; media-src 'none'; script-src: https://gotify/static/js/; style-src: https://gotify/static/css/; style-src-attr 'self' 'unsafe-inline';
On the Android client we will probably need to implement the same algorithm: https://www.w3.org/TR/CSP/#match-url-to-source-expression
Describe alternatives you've considered
An option to globally disable all remote images (will need to rely on the markdown renderer's correctness).
Additional context
The logic of interpolating
%CONFIG%
when serving the UI at runtime may need to be refactored. The general idea is to precompute the script content, hash it and write it in the CSP header.The text was updated successfully, but these errors were encountered: