
Add support for Content Security Policy #2134

Open
ScottHelme opened this issue Aug 21, 2016 · 6 comments

Comments

@ScottHelme

Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.

The biggest problem for deploying CSP in YOURLS right now is that there are several inline scripts in pages, which means the 'unsafe-inline' keyword is required in a CSP, vastly reducing the protection offered. Inline script tags are injected into pages in many locations, such as:

https://github.com/YOURLS/YOURLS/blob/master/includes/functions-html.php#L871

If these scripts could be externalised then deploying CSP in YOURLS would require minimal additional effort as content is loaded from the host. For testing purpose you can issue the following HTTP response header to configure CSP:

Content-Security-Policy-Report-Only: default-src 'self'

This header will not have any negative effects as it is report only mode, check the console as you navigate the site for errors. I'm happy to provide input where needed!

@ozh
Member

ozh commented Aug 23, 2016

Issue left open to keep this in mind, but most inline scripts (especially in stat pages) would be quite a burden to externalize I think

@ScottHelme
Author

ScottHelme commented Aug 23, 2016

Having had a bit more of a look around I can see what you mean. There is another mechanism in CSP that could allow these to be whitelisted with minimal effort; it's called a nonce-source.

Content-Security-Policy-Report-Only: default-src 'self' 'nonce-abc123'

You inject a random nonce into the CSP header and then add that to the nonce attribute of script or style tags on the pages.

<script nonce="abc123">alert("Hi!");</script>

This way the browser can still effectively whitelist our inline content and block any malicious scripts/styles.

@LeoColomb
Member

@ScottHelme

Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.

Yes. You're absolutely right.

There is another mechanism in CSP that could allow these to be whitelisted with minimal effort, it's called a nonce-source.

Yes again. But currently YOURLS is absolutely not oriented for CSP compliance, and doing it would introduce a complete YOURLS rewrite (at least for the front end).

@ScottHelme
Author

@LeoColomb you could do this using the nonce mechanism quite easily without rewriting any code. All you need to do is insert the nonce into the CSP header and then inject the nonce attribute into script tags 👍

@albocc

albocc commented Aug 30, 2016

@LeoColomb @ScottHelme randomly generated for each request of course ;-)

@ScottHelme
Author

@albocc yes, of course, but that doesn't have any requirement for them to rewrite existing code to accommodate it :-)
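The nonce mechanism described in the comments above (a random value placed in the CSP header and repeated in the nonce attribute of each inline script or style tag, regenerated for every request) put into working PHP. This is an added example, not YOURLS code and not anything posted in this thread; the function names csp_nonce, csp_header, csp_nonce_attr and send_csp_header are hypothetical helpers chosen for illustration.

```php
<?php
// Added example (not YOURLS code): one unpredictable CSP nonce per request,
// sent in the policy header and emitted as a nonce attribute wherever a page
// writes an inline <script> or <style>.

// Return this request's nonce, generating it on first use so that the header
// and every tag on the page see the same value. A new process/request gets a
// fresh static, so the value is never reused across responses.
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits from the CSPRNG, base64-encoded as the CSP grammar expects.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Build the header line. With $report_only = true nothing is blocked; the
// browser only logs violations to the console, which is the safe way to test.
function csp_header(bool $report_only = true): string
{
    $name = $report_only
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    $policy = sprintf(
        "default-src 'self'; script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s'",
        csp_nonce(),
        csp_nonce()
    );
    return $name . ': ' . $policy;
}

// Attribute text to splice into each inline tag the page itself emits.
function csp_nonce_attr(): string
{
    return 'nonce="' . htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8') . '"';
}

// Headers must go out before any body bytes, so call this at the top of the page.
function send_csp_header(bool $report_only = true): void
{
    header(csp_header($report_only));
}

send_csp_header(true);
?>
<!-- Allowed: carries the nonce the header announced. -->
<script <?php echo csp_nonce_attr(); ?>>alert("Hi!");</script>
<!-- Reported in Report-Only mode, blocked once the policy is enforced. -->
<script>alert("no nonce");</script>
```

Two points worth keeping in mind when wiring this into real pages. First, the nonce attribute has to be added where the application itself emits a script or style tag (for YOURLS, the places in functions-html.php that print inline scripts), not by post-processing the finished HTML with a regex: a rewriter that stamps the nonce onto every script tag it finds would also bless a script an attacker managed to inject, which defeats the purpose of the policy. Second, a page carrying a nonce must not be served from a cache, since a cached copy repeats the same nonce across responses and makes it guessable. Once the browser console shows no unexpected reports, switching the header name to Content-Security-Policy turns the policy on.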

4 participants