Add support for Content Security Policy #2134

Open
ScottHelme opened this Issue Aug 21, 2016 · 6 comments

ScottHelme commented Aug 21, 2016

Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.

The biggest problem for deploying CSP in YOURLS right now is that there are several inline scripts in pages, which means the 'unsafe-inline' keyword is required in a CSP, vastly reducing the protection offered. Inline script tags are injected into pages in many locations such as:

https://github.com/YOURLS/YOURLS/blob/master/includes/functions-html.php#L871

If these scripts could be externalised then deploying CSP in YOURLS would require minimal additional effort as content is loaded from the host. For testing purposes you can issue the following HTTP response header to configure CSP:

Content-Security-Policy-Report-Only: default-src 'self'

This header will not have any negative effects as it is in report-only mode; check the console as you navigate the site for errors. I'm happy to provide input where needed!

ozh commented Aug 23, 2016

Issue left open to keep this in mind, but most inline scripts (especially in stat pages) would be quite a burden to externalize, I think.

ScottHelme commented Aug 23, 2016

Having had a bit more of a look around I can see what you mean. There is another mechanism in CSP that could allow these to be whitelisted with minimal effort; it's called a nonce-source.

Content-Security-Policy-Report-Only: default-src 'self' 'nonce-abc123'

You inject a random nonce into the CSP header and then add that to the nonce attribute of script or style tags on the pages.

<script nonce="abc123">alert("Hi!");</script>

This way the browser can still effectively whitelist our inline content and block any malicious scripts/styles.

LeoColomb commented Aug 29, 2016

@ScottHelme

> Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.

Yes. You're absolutely right.

> There is another mechanism in CSP that could allow these to be whitelisted with minimal effort, it's called a nonce-source.

Yes again. But currently YOURLS is absolutely not oriented for CSP compliance, and doing it would introduce a complete YOURLS rewrite (at least for the front end).

ScottHelme commented Aug 29, 2016

@LeoColomb you could do this using the nonce mechanism quite easily without rewriting any code. All you need to do is insert the nonce into the CSP header and then inject the nonce attribute into script tags 👍

albocc commented Aug 30, 2016

@LeoColomb @ScottHelme randomly generated for each request of course ;-)

ScottHelme commented Aug 31, 2016

@albocc yes, of course, but that doesn't have any requirement for them to rewrite existing code to accommodate it :-)
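ScottHelme's Aug 23 comment describes the nonce-source mechanism (a nonce in the CSP header, echoed in the nonce attribute of script and style tags) and albocc's Aug 30 comment adds that the nonce has to be freshly generated for every request. The PHP below is an added example written for this thread; it is not YOURLS code and not code from any participant. It shows one way to do what ScottHelme suggests without editing the templates: generate a random nonce per request, send the report-only header with it, and add the attribute to the existing script and style tags from an output buffer. The csp_* function names and the output-buffer approach are assumptions made for illustration.

```php
<?php
// Added example (not YOURLS code): per-request CSP nonce, sent in the header
// and injected into <script>/<style> tags by an output-buffer callback.
// Function names and the buffering approach are assumptions for illustration.

// One cryptographically random nonce per request (albocc's point):
// 128 bits, base64-encoded, which is safe inside a quoted HTML attribute.
function csp_make_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// Header name and value. Report-only by default so that nothing is blocked
// while the policy is being tested, as suggested in the first comment.
function csp_header(string $nonce, bool $reportOnly = true): array
{
    $name  = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    $value = "default-src 'self' 'nonce-{$nonce}'";
    return [$name, $value];
}

// Add nonce="..." to every <script> and <style> tag that does not already
// carry a nonce. Tag names match case-insensitively; attributes are kept.
function csp_add_nonce_to_tags(string $html, string $nonce): string
{
    $pattern = '/<(script|style)\b(?![^>]*\bnonce=)([^>]*)>/i';
    // base64 contains no "$" or "\" characters, so the nonce can be placed
    // directly into the preg_replace replacement string.
    return preg_replace($pattern, '<$1 nonce="' . $nonce . '"$2>', $html);
}

// Call once before any output (e.g. at the start of page bootstrap).
// Returns the nonce in case a template wants to print it explicitly.
function csp_start(bool $reportOnly = true): string
{
    $nonce = csp_make_nonce();
    [$name, $value] = csp_header($nonce, $reportOnly);
    header($name . ': ' . $value);
    ob_start(function (string $buffer, int $phase = 0) use ($nonce): string {
        return csp_add_nonce_to_tags($buffer, $nonce);
    });
    return $nonce;
}

// Demonstration on a constructed HTML fragment (no header is sent here so
// the script can be run from the CLI). The third tag already has a nonce
// and must be left untouched; the second keeps its src attribute.
$nonce  = csp_make_nonce();
$sample = '<script>alert("Hi!");</script>'
        . '<SCRIPT src="/js/app.js"></SCRIPT>'
        . '<style nonce="existing">body{}</style>';
echo csp_add_nonce_to_tags($sample, $nonce), PHP_EOL;
```

In a real deployment csp_start() is the only call needed, placed before the first byte of output. The regex rewrite is a pragmatic shortcut rather than an HTML parser: it will also decorate tags that sit inside HTML comments and does not cope with malformed markup, so keep the report-only header on and watch the browser console for violations before switching the second argument to false and enforcing the policy.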