
[BUG] Latex-Support plugin doesn't implement CSP rules #6200

Closed
sherlcok314159 opened this issue Mar 14, 2024 · 34 comments

@sherlcok314159 (Author)

Describe the bug
The Latex-Support plugin does not work. It seems the old LaTeX plugin does not take the CSP rules into account.

(screenshot)

To Reproduce
Just install the LaTeX plugin from here and you will see the error.

Expected behavior
It should work smoothly.

Screenshots
None of the LaTeX is rendered.

(screenshot)

Environment information (please complete the following information):

  • Device: MacOS
  • OS: Ubuntu 20.04
  • Browser: Firefox / Edge
  • FreshRSS version: 1.23.1
  • PHP version: 8.2.7
  • Installation type: Docker-compose
@math-GH (Contributor) commented Mar 14, 2024

Thanks for bringing up this issue. Please use the issue tracker of this extension: https://github.com/aledeg/xExtension-LatexSupport/issues

(Ping @aledeg )

@sherlcok314159 (Author)

Hi! I did not intend to use this issue tracker. However, the latest commit of that plugin was 3 years ago, so I have no choice but to ask here. Also, this issue can be general for others developing plugins or inserting something. I hope you can answer it if you are available.

@math-GH (Contributor) commented Mar 14, 2024

I thought that the issue tracker of this extension is available for everyone. I apologize.

This extension uses inline code that is prohibited by the CSP (Content security policy) of FreshRSS. It is an important security layer. The fix needs to be done by the extension itself.

Could you please give some example feeds with LaTeX code? It would help to understand the issue better.

@sherlcok314159 (Author)

Fine. You can try this feed with the CSS selector #PostContent. Thanks for the quick response.

@Frenzie Frenzie changed the title [BUG] Latex-Support plugin does not work [BUG] Latex-Support plugin doesn't implement CSP rules Mar 14, 2024
@Frenzie (Member) commented Mar 14, 2024

(I rather doubt I have any special permissions there, opened one at aledeg/xExtension-LatexSupport#3.)

@sherlcok314159 (Author) commented Mar 16, 2024

Any help?

@aledeg (Member) commented Mar 18, 2024

I'll look into that.

@aledeg (Member) commented Mar 18, 2024

> Hi! I did not intend to use this issue tracker. However, the latest commit of that plugin was 3 years ago, so I have no choice but to ask here. Also, this issue can be general for others developing plugins or inserting something. I hope you can answer it if you are available.

There was no issue so far. There is no need to change when it's working. That's why there was no commit.

@sherlcok314159 (Author)

Sorry, I beg to differ. Have you tried my feed yet? How could you say there was no issue? The console is almost bombarded with errors. Or are you using a very old FreshRSS?

@aledeg (Member) commented Mar 19, 2024

There was no issue so far. I will look into your feed.
I am not saying that there is no error in your feed. Just that nobody had problem in the past.

@aledeg (Member) commented Mar 20, 2024

Please paste your feed configuration (screenshot for instance). I cannot add it on my instance with the limited information I have.

@sherlcok314159 (Author)

> Fine. You can try this feed with the CSS selector #PostContent. Thanks for the quick response.

Here. Thanks!

@aledeg (Member) commented Mar 20, 2024

It's not really a CSP problem. It's how extensions add scripts. MathJax scripts load other scripts by using their relative paths. That's not how extensions work in FreshRSS.
I need to find a way to fix that.

The file html.js is not loaded. I guess that nobody had a problem with that before. I certainly don't.

It's under investigation.

@aledeg (Member) commented Mar 20, 2024

Here is a working example:
(screenshot)

The extension works most of the time.

@sherlcok314159 (Author)

The problem may lie in the loading order. When I use feeds with a full-article selector, it almost always fails. For instance, this feed is not working either.

(screenshot)

The feed is https://lilianweng.github.io/index.xml with the CSS selector ".post-single".

@aledeg (Member) commented Mar 21, 2024

@Alkarex Is there a way to alter the CSP from an extension? I can make this extension work but I need to tweak the CSP rules. Thank you

@sherlcok314159 (Author)

Thanks for your help! If we fail to alter the CSP from an extension, can the user alter the CSP by rewriting FreshRSS.php and replacing the one in the container? For instance,

```yaml
volumes:
  - ./FreshRSS.php:/var/www/FreshRSS/app/FreshRSS.php
```

@Alkarex (Member) commented Mar 21, 2024

> can the user alter the CSP

@sherlcok314159 The user way to alter the CSP is at Web server level (e.g. Apache), not at PHP level, which will fail at each FreshRSS update.

@aledeg So far, controllers have access to a method to redefine CSP:

```php
/**
 * Set CSP policies.
 *
 * A default-src directive should always be given.
 *
 * References:
 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 * - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
 *
 * @param array<string,string> $policies An array where keys are directives and values are sources.
 */
protected function _csp(array $policies): void {
	if (!isset($policies['default-src'])) {
		$action = Minz_Request::controllerName() . '#' . Minz_Request::actionName();
		Minz_Log::warning(
			"Default CSP policy is not declared for action {$action}.",
			ADMIN_LOG
		);
	}
	$this->csp_policies = $policies;
}
```

I have not checked how practical this is for extensions, but that could be extended if needed (I will be with intermittent Internet connectivity the coming two weeks)

@aledeg (Member) commented Mar 21, 2024

Thank you for your answer.
I've seen that method but I can't figure out how to use it from an extension. I need to dig a little bit.

@sherlcok314159 (Author)

Thanks for your help again!!!

@sherlcok314159 (Author)

Hi, aledeg, any update? Is there anything I can help with? :-)

@aledeg (Member) commented Mar 30, 2024

> Hi, aledeg, any update? Is there anything I can help with? :-)

I did not have time to look into it. But I will.

@Alkarex I think we might need something to interact with the CSP directly from the extension. Probably a hook is a way to go. If you think this is a good idea, I can work on that. If you don't, what do you have in mind? Thank you!

@Alkarex (Member) commented Mar 30, 2024

@aledeg A hook sounds like a possibility, yes. Another approach could be to add a method to the base extension class, if needed.

@aledeg (Member) commented Mar 30, 2024

@sherlcok314159 there is a fix to use the library from a CDN. You need the edge branch for FreshRSS and the last release of the extension. Let me know if this works for you.

@sherlcok314159 (Author)

Hi! I tried the edge branch and the latest extension. It did not work.

```yaml
services:
  freshrss:
    image: freshrss/freshrss:edge
    # Optional build section if you want to build the image locally:
    # build:
    #   # Pick #latest (stable release) or #edge (rolling release) or a specific release like #1.21.0
    #   context: https://github.com/FreshRSS/FreshRSS.git#edge
    #   dockerfile: Docker/Dockerfile-Alpine
    container_name: freshrss
    hostname: freshrss
    restart: unless-stopped
```

And the console screenshot is below (edge):

(screenshot)

Here is the screenshot for Firefox:

(screenshot)

@aledeg (Member) commented Mar 31, 2024

While I do have some errors, the content is properly modified. See capture:
(screenshot)

When I am fixing errors, the content disappears. I have no idea why.

@aledeg (Member) commented Mar 31, 2024

(screenshot)
Same entry when unsafe-inline is authorized and there are no more errors. There are a lot of warnings though. All related to styling.

@Frenzie (Member) commented Mar 31, 2024

The LaTeX JS probably requires inline styles to render the math and the CSP rules disable that. I'm not really sure what disabling inline styles is good for at all tbh, but that aside. But what doesn't work about unsafe-inline exactly?

@aledeg (Member) commented Mar 31, 2024

That's the weird thing. When the rules are not authorized it works (see first capture). But it does not work when the rules are authorized (see second capture). I am lost :)

@sherlcok314159 (Author)

Can we just let the user decide whether to open these CSP rules? If nothing is blocked, things should be fine.

@sherlcok314159 (Author)

Any update please?

@math-GH (Contributor) commented May 7, 2024

> Can we just let the user decide whether to open these CSP rules? If nothing is blocked, things should be fine.

see #6437 (comment)

@sherlcok314159 (Author)

For anyone who wants to display equations well in FreshRSS, here are two steps:

1. Modify var/www/FreshRSS/app/layout/layout.phtml to replace the CSP rules. Note that the rules below can be unsafe. Use them carefully.

```php
<?php
	declare(strict_types=1);
	/** @var FreshRSS_View $this */
	FreshRSS::preLayout();
	// Replaces the CSP header FreshRSS would otherwise send (see the note above).
	header("Content-Security-Policy: default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes'");
?>
```
2. I quit using the FreshRSS plugin to solve this. I borrowed code from a Tampermonkey script and modified some places for correct font size and equation references.

```javascript
// ==UserScript==
// @name         MathJax For All
// @namespace    http://tampermonkey.net/
// @version      1.0
// @description  Load MathJax and Polyfills on specified pages
// @author       Apricity
// @match        http*://*/*
// @grant        none
// ==/UserScript==

if (window.MathJax === undefined) {
    // Load MathJax 2 from the CDN. The configuration is placed in the script
    // element's text, which MathJax 2 reads when it starts up.
    var mjscr = document.createElement("script");
    mjscr.type = "text/javascript";
    mjscr.async = true;
    mjscr.src = "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js";
    mjscr.text = 'MathJax.Hub.Config({extensions:["tex2jax.js"],'+"tex2jax:{inlineMath:[['$','$']]"
        +',skipTags:["script","noscript","pre","code"]},jax:["input/TeX","output/CommonHTML"],CommonHTML: {minScaleAdjust:120},'
        +'TeX:{extensions:["autoload-all.js","noUndefined.js"], equationNumbers: { autoNumber: "AMS" }}'
        +'});MathJax.Hub.Startup.onload();';
    document.getElementsByTagName("head")[0].appendChild(mjscr);

    // Typeset elements added to the page later (FreshRSS loads article bodies
    // dynamically), skipping the nodes MathJax inserts itself.
    (new MutationObserver(function(mutationsList, observer) {
        let el = [];
        for (const mutation of mutationsList) {
            const node = mutation.addedNodes.item(0);
            // `continue` rather than `break`, so the remaining mutations in the batch are still inspected.
            if (node === null || node.nodeType !== 1) continue;
            const cls = String(node.className);  // SVG elements expose a non-string className
            if (cls == "MathJax_Preview" || node.id.substring(0,7) == "MathJax" || cls.substring(0,4) == "mjx-" || node.isContentEditable) continue;
            if (node.offsetParent !== null && node.innerText != "") el.push(node);
        }
        if (el.length != 0) MathJax.Hub.Queue(["Typeset", MathJax.Hub, el, {}]);
    })).observe(document, {subtree: true, childList: true});
}  // closing brace of the `if` block (missing in the pasted script)
```

Then, everything is fine.

(screenshot)

@Frenzie (Member) commented May 7, 2024

Unsafe is overstating it a bit imho. :-) All <script> tags (and much more) are filtered from feeds before database insertion.
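As an added example (not code from FreshRSS, the extension, or anyone in this thread): a small Node.js script that parses a Content-Security-Policy value into its directives and flags the source expressions that weaken it. It is run over the relaxed header from the layout.phtml workaround above and over a constructed, tighter alternative that keeps `script-src` strict and grants `'unsafe-inline'` only to `style-src`, the part the LaTeX renderer was observed to need in this thread. The directive split and the cdnjs origin in that tighter policy are assumptions for illustration; which directives a given MathJax setup really needs has to be confirmed against the browser console, as was done above.

```javascript
// Added example, not FreshRSS or extension code: audit a Content-Security-Policy
// header value for source expressions that weaken it.

// Source expressions that switch off CSP's main protections wherever they appear.
const RISKY_SOURCES = new Map([
  ["'unsafe-inline'", "inline scripts/styles are allowed (the thing CSP exists to block)"],
  ["'unsafe-eval'", "eval()/new Function() are allowed, so any string can become code"],
  ["'unsafe-hashes'", "inline event handlers whose hash is listed are allowed"],
  ["https:", "scheme-only source: any HTTPS origin may serve content"],
  ["data:", "data: URIs may embed attacker-controlled content"],
  ["*", "wildcard host source"],
]);

// Directives audited here; both fall back to default-src when absent.
// Image sources are a separate, lower-risk trade-off and are left out.
const AUDITED_DIRECTIVES = ["script-src", "style-src"];

// Parse "directive src src; directive src" into Map<directive, string[]>.
function parseCsp(header) {
  const policies = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policies.set(name.toLowerCase(), sources);
  }
  return policies;
}

// Effective source list of a fetch directive: its own list, else default-src.
function effectiveSources(policies, directive) {
  if (policies.has(directive)) return policies.get(directive);
  return policies.get("default-src") || [];
}

// One finding per risky source per audited directive. default-src is included,
// so a weak default-src shows up again under every directive it leaks into.
function auditCsp(header) {
  const policies = parseCsp(header);
  const findings = [];
  for (const directive of ["default-src", ...AUDITED_DIRECTIVES]) {
    for (const source of effectiveSources(policies, directive)) {
      if (RISKY_SOURCES.has(source)) {
        findings.push({ directive, source, reason: RISKY_SOURCES.get(source) });
      }
    }
  }
  return findings;
}

// Serialise {directive: [sources]} back into a header value.
function buildCsp(policies) {
  return Object.entries(policies)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// The header from the layout.phtml workaround posted in this thread.
const RELAXED_CSP =
  "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes'";

// Constructed alternative (assumption): scripts only from self and the CDN the
// userscript loads MathJax from, inline allowed only for styles, no eval anywhere.
const TIGHTER_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdnjs.cloudflare.com"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "https:", "data:"],
};

// Human-readable report lines for one header value.
function reportCsp(label, header) {
  const lines = [`${label}: ${header}`];
  for (const f of auditCsp(header)) {
    lines.push(`  ${f.directive} <- ${f.source}: ${f.reason}`);
  }
  if (lines.length === 1) lines.push("  no risky sources in audited directives");
  return lines;
}

console.log(reportCsp("relaxed", RELAXED_CSP).join("\n"));
console.log(reportCsp("tighter", buildCsp(TIGHTER_POLICY)).join("\n"));
```

Running it shows the relaxed header's five risky tokens reported three times each (once under `default-src` and once for each directive that inherits it), while the tighter policy yields a single finding, `'unsafe-inline'` under `style-src`, which is the one concession the renderer needs; the point is that a single catch-all `default-src` hands scripts the same latitude as styles, whereas splitting the directives keeps the script side strict.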
