-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Technique] Améliorer la CSP #2626
Conversation
cbf20af
to
a261510
Compare
@@ -0,0 +1,16 @@ | |||
parameters: | |||
csp_parameters: | |||
default-src: "'none'" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Donc la CSP est maintenant définie dans ce fichier. Par défaut tout est à none, et on accepte que ce dont on a besoin
parameters: | ||
csp_parameters: | ||
default-src: "'none'" | ||
script-src: "'self' 'unsafe-inline' 'unsafe-eval' https://cdn.matomo.cloud/histologe.matomo.cloud/matomo.js https://cdn.jsdelivr.net/npm/leaflet@1.7.1/dist/ https://cdn.jsdelivr.net/npm/leaflet.markercluster@1.5.3/dist/ https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/ https://cdn.jsdelivr.net/npm/tippy.js@6/dist/ https://cdn.jsdelivr.net/npm/quill@2.0.2/dist/ https://cdn.jsdelivr.net/npm/tinymce@7.1.2/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
on garde 'unsafe-unline'
pour la rétrocompatibilité avec les anciens navigateurs, mais elle n'est pas utilisée pour les navigateurs qui acceptent les nonces (qui sont ajoutés dans le service), d'où les soucis avec tinyMCE
on garde 'unsafe-eval'
pour le formulaire
On cible chacun des dossiers dont on a besoin plutôt qu'un général https://cdn.jsdelivr.net
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Le fait d'utiliser des nonces pour les script et les styles désactivent donc le unsafe-inline sur les navigateurs récents. D'où le besoin d'externaliser au maximum les scripts et les styles dans d'autres fichiers chargés
|
||
.fr-display-none { | ||
display: none; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ajout de style pour virer des styles inline par ailleurs
@@ -0,0 +1,56 @@ | |||
const setBadge = (el) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
externalisation d'un script
@@ -62,6 +63,11 @@ services: | |||
- '../src/Kernel.php' | |||
- '../src/Tests/' | |||
|
|||
App\EventListener\ContentSecurityPolicyListener: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ajout du service
@@ -210,11 +210,6 @@ document?.querySelectorAll(".fr-pagination__link").forEach((e => { | |||
})))) | |||
})) | |||
})); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tout le code sur les badges a été déplacé dans assets/controllers/search_filter_form.js
} | ||
badge.remove(); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tout le code sur les badges a été déplacé dans assets/controllers/search_filter_form.js
$request = $event->getRequest(); | ||
|
||
$scriptNonce = bin2hex(random_bytes(16)); | ||
$styleNonce = bin2hex(random_bytes(16)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
création de nouveaux nonces à chaque requête
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seulement pour les scripts
'form-action '.$cspParameters['form-action'].'; '. | ||
'frame-ancestors '.$cspParameters['frame-ancestors'].'; '. | ||
'media-src '.$cspParameters['media-src'].'; '. | ||
'require-trusted-types-for '.$cspParameters['require-trusted-types-for']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
formation de la csp avec ce qui est dans le yaml en ajoutant les noncees
@@ -137,7 +137,7 @@ | |||
<label class="fr-label" for="signalement-edit-nde-conso-energie"> | |||
Consommation énergétique | |||
</label> | |||
<input class="fr-input fr-col-10" style="display: inline;" pattern="[0-9]*" inputmode="numeric" type="number" id="signalement-edit-nde-conso-energie" name="consommationEnergie" value="{{ signalementQualificationNDE.details.consommation_energie }}"> | |||
<input class="fr-input fr-col-10 fr-display-inline" pattern="[0-9]*" inputmode="numeric" type="number" id="signalement-edit-nde-conso-energie" name="consommationEnergie" value="{{ signalementQualificationNDE.details.consommation_energie }}"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
on utilise une classe css plutôt que du style inline
@@ -73,7 +73,7 @@ | |||
<div class="modal-upload-list-section" id="modal-upload-file-dynamic-content"> | |||
<div class="modal-upload-list"></div> | |||
</div> | |||
<div style="display:none"> | |||
<div class="fr-display-none"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
idem
@@ -54,7 +54,7 @@ | |||
{% if is_granted('ROLE_ADMIN') %} | |||
<div class="fr-col-12 fr-col-md-6"> | |||
<label class="fr-label" for="bo-filters-territories"><strong>Filtrer par territoire</strong></label> | |||
<select id="bo-filters-territories" class="fr-select" onchange="setBadge(this)"> | |||
<select id="bo-filters-territories" class="fr-select select-search-filter-form"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
on n'utilise plus de script inline, et on ajoute une classe qui permet au code du nouveau controller assets/controllers/search_filter_form.js
de fonctionner
@@ -61,9 +61,9 @@ | |||
{% endblock %} | |||
{% block javascripts %} | |||
{{ encore_entry_script_tags('app') }} | |||
<script> | |||
<script nonce="{{ app.request.attributes.get('csp_script_nonce') }}"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utilisation d'un nonce pour tippy
tippy('.part-infos-hover', { | ||
content: (reference) => '<strong style="white-space: nowrap">' + reference.getAttribute('data-user') + '</strong>' + '<hr class="fr-pb-1v"><span style="white-space: nowrap">' + reference.getAttribute('data-mail') + '</span>', | ||
content: (reference) => '<strong class="fr-ws-nowrap">' + reference.getAttribute('data-user') + '</strong>' + '<hr class="fr-pb-1v"><span class="fr-ws-nowrap">' + reference.getAttribute('data-mail') + '</span>', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pas de style inline
templates/base.html.twig
Outdated
@@ -140,13 +144,62 @@ | |||
{% endif %} | |||
{% if 'back_signalement_view' in app.request.get('_route') %} | |||
<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/popper.min.js"></script> | |||
<script src="https://cdn.jsdelivr.net/npm/tippy.js@6/dist/tippy-bundle.umd.js"></script> | |||
<script src="https://cdn.jsdelivr.net/npm/tippy.js@6/dist/tippy.umd.min.js"></script> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changement de source tippy pour être CSP compliant
tinymce.init({ | ||
selector: 'textarea.editor', | ||
browser_spellcheck: true, | ||
license_key: 'gpl', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ajout d'une licence suite à utilisation d'un cdn
|
||
</script> #} | ||
|
||
<script nonce="{{ app.request.attributes.get('csp_script_nonce') }}"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ajout du nonce pour tinyMCE
@@ -79,7 +79,8 @@ Encore | |||
}) | |||
|
|||
.enableVueLoader(() => {}, { | |||
version: 3 | |||
version: 3, | |||
runtimeCompilerBuild: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Passage de toutes les apps VueJS en CSP compliant (c'était vraiment aussi simple que ça)
8024757
to
2c240cc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lecture et test OK
Pour garder une trace, @sfinx13 a trouvé la provenance de l'erreur Il s'agit de l'extension navigateur Vue DevTools... donc pas de souci pour la mise en ligne |
db32487
to
e9c2527
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK lecture et test
Ticket
#2609
Description
Tentative d'avoir une CSP plus stricte
⚠️ Il reste des erreurs à l'utilisation de tinyMCE
💡 Je viens de penser qu'en ne générant pas de nonces pour les styles, on n'aurait peut-être moins d'erreurs sur tinyMCE... car je viens de réaliser que j'ai fini par externaliser tous les styles et que je n'utilise plus
![image](https://private-user-images.githubusercontent.com/33071753/337666521-4e59ecf5-5752-44b2-9b33-b505bc088611.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA2MjQ3OTAsIm5iZiI6MTcyMDYyNDQ5MCwicGF0aCI6Ii8zMzA3MTc1My8zMzc2NjY1MjEtNGU1OWVjZjUtNTc1Mi00NGIyLTliMzMtYjUwNWJjMDg4NjExLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTAlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzEwVDE1MTQ1MFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWIxZjVjMjEzYWI4YjU3NzdhODM1MzI2MmFmOGU3MjQ2MzkzZWI4NTVjOWE3YjE0ZDM4YjUyZmZhZTAwZTA1NDQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.X5RqaMofLjkTr_Gf7B3NLVao5BCv5wS6D2DuS9t0u5Q)
nonce="{{ app.request.attributes.get('csp_style_nonce') }}"
... à tester (et vérifier ensuite la CSP générée sur https://csp-evaluator.withgoogle.com/?csp=https://histologe.beta.gouv.fr pour voir si elle est meilleure... car il a l'air de ne pas trop tiquer sur l'utilisation de unsafe-inline sur les stylesEDIT : effectivement il ne reste que l'erreur dont je ne trouve pas la provenance :
Changements apportés
Pré-requis
Supprimer les variables SECURITY_CSP_HEADER_VALUE des fichiers d'environnement
npm run watch
Tests
require-trusted-types-for
n'est pas pris en compte par tous