
Enforce security-related HTTP response headers recommended by https://observatory.mozilla.org/ #1513

Open
nodiscc opened this issue Aug 4, 2020 · 7 comments

nodiscc (Member) commented Aug 4, 2020

In ApiMiddleware.php, Shaarli sets a few HTTP response headers ( Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Origin). We could augment this list with security-related HTTP headers recommended by https://observatory.mozilla.org/, and add these headers to all Shaarli HTTP responses (not only the API).

A vanilla Shaarli installation should pass most tests from the observatory, with minimal configuration required on the webserver side.

For instance we are missing the Content-Security-Policy header - I used to set a default, restrictive CSP at the webserver level but this is not documented - then it must be relaxed specifically for this plugin.

nodiscc (Member, Author) commented Oct 4, 2020

https://observatory.mozilla.org/analyze/demo.shaarli.org

Rating: D
Score: 35/100
Tests Passed: 6/11


hydrargyrum commented

Since the web app does not require external resources, the CSP header could be set to something like default-src 'self', right? Maybe it should require 'unsafe-inline' too.

nodiscc (Member, Author) commented Aug 10, 2022

I have it set to "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com; frame-ancestors 'none'", youtube URLs are only needed for the playvideos plugin.

I have not tried to replace script-src with default-src.

thican commented Nov 8, 2024

Hello,

I think we should make a list of CSP violations for a default CSP with script-src 'self'; and style-src 'self'; so we can answer those issues. Using sources like unsafe-inline defeats the whole purpose of CSP.
Note: I personally added exceptions with source https://* for img-src and media-src, useful for external thumbnails and such.

I have a question about the vintage theme, is it still supported? I see multiple inline JavaScript contents, but I am not sure if we should fix them.

I also confirm my web browser reports a violation with the plugin playvideos, but it looks like the issue comes from the jQuery file shipped within this plugin, version 1.11.2, which seems quite old.
Shouldn’t we try to update it to see if this resolves this CSP violation?

About style-src, the only place I see a violation is in the cloud tags page.
After reflection, nonce is not the best solution IMHO, as it requires setting the CSP header, which is not the case yet, and then removes the possibility of letting the web host set this header.
A class with an exhaustive list of values in a dynamic CSS file could be a solution.

nodiscc (Member, Author) commented Nov 9, 2024

make a list of CSP violations for a default CSP with script-src 'self'; and style-src 'self';

👍

the vintage theme, is it still supported?

I wouldn't bother fixing those issues for the vintage theme right now, unless you use it personally.

Shouldn’t we try to update [playvideos jquery file]

Worth trying, and checking if that resolves the CSP issues (and if the plugin still works with an updated jQuery).

thican commented Nov 16, 2024

Hello,

Thanks for the merging of #2103.
About the vintage theme, no I don’t use it. Also I guess it should have the same level of quality as the default theme since it is shipped by the project; hence my question.

About the Content-Security-Policy that I use, I updated it a bit:
default-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'

This won’t work (currently) for the playvideos module since this one uses YouTube’s content, as already mentioned in its documentation.
Its jQuery and its documentation about CSP should be updated to avoid an unsafe policy.

And I guess that’s it, which is pretty good news.

thican commented Nov 16, 2024

I tested the plugin playvideos with only modifying the host’s CSP, and it works.
As modifications:

  • for script-src, adding https://www.youtube.com (i.e. script-src 'self' https://www.youtube.com;);
  • for frame-src, adding https://www.youtube.com (i.e. frame-src 'self' https://www.youtube.com;).

Full value:
default-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; script-src 'self' https://www.youtube.com ; connect-src 'self'; frame-src 'self' https://www.youtube.com; img-src 'self'; style-src 'self'; font-src 'self'

I still see in the console one CSP violation with jQuery version 1.11.2, however with jQuery 3.7.1, this message is gone.
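As an added example for this thread (my own code, not Shaarli's or the plugin's), a small Python helper that parses a CSP header value, flags sources that weaken it (the 'unsafe-inline' and https://* points raised above, plus 'none' mixed with other sources) and applies the two playvideos relaxations from the last comment; BASE_POLICY is the host-level value quoted above, and the function names are my own.

```python
from collections import OrderedDict

# Constructed from the host-level policy quoted in the thread (before the playvideos changes).
BASE_POLICY = ("default-src 'none'; base-uri 'self'; frame-ancestors 'none'; "
               "form-action 'self'; script-src 'self'; connect-src 'self'; "
               "img-src 'self'; style-src 'self'; font-src 'self'")

# Sources that let inline code or any origin through and so weaken the policy.
BROAD_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def parse_csp(value):
    """Split a CSP header value into an ordered {directive: [source, ...]} map."""
    policy = OrderedDict()
    for part in value.split(";"):
        tokens = part.split()          # tolerates stray spaces such as "youtube.com ;"
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([directive] + sources) for directive, sources in policy.items())


def lint_csp(value):
    """Return (directive, problem) pairs: missing default-src, broad sources,
    scheme wildcards like https://*, and 'none' mixed with other sources."""
    findings = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append(("default-src", "missing"))
    for directive, sources in policy.items():
        if "'none'" in sources and len(sources) > 1:
            findings.append((directive, "'none' mixed with other sources"))
        for src in sources:
            if src in BROAD_SOURCES or src.endswith("://*"):
                findings.append((directive, src))
    return findings


def allow_sources(value, directive, sources):
    """Add `sources` to `directive`, creating it if absent; note that a new
    directive replaces (does not extend) the default-src fallback for that type."""
    policy = parse_csp(value)
    current = policy.setdefault(directive, [])
    for src in sources:
        if src not in current:
            current.append(src)
    return serialize_csp(policy)


def playvideos_policy(base=BASE_POLICY):
    """Apply the two relaxations the thread found necessary for the playvideos plugin."""
    relaxed = allow_sources(base, "script-src", ["https://www.youtube.com"])
    return allow_sources(relaxed, "frame-src", ["'self'", "https://www.youtube.com"])
```

Running lint_csp over the 2022 policy from earlier in the thread reports the missing default-src and the 'unsafe-inline' source, while the relaxed playvideos policy lints clean.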
