Add support for Content Security Policy #2134

Open
ScottHelme opened this Issue Aug 21, 2016 · 6 comments


@ScottHelme

Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.

The biggest problem for deploying CSP in YOURLS right now is that there are several inline scripts in pages, which means the 'unsafe-inline' keyword is required in a CSP, vastly reducing the protection offered. Inline script tags are injected into pages in many locations such as:

https://github.com/YOURLS/YOURLS/blob/master/includes/functions-html.php#L871

If these scripts could be externalised then deploying CSP in YOURLS would require minimal additional effort as content is loaded from the host. For testing purposes you can issue the following HTTP response header to configure CSP:

Content-Security-Policy-Report-Only: default-src 'self'

This header will not have any negative effects as it is in report-only mode; check the console as you navigate the site for errors. I'm happy to provide input where needed!

@ozh
Member
ozh commented Aug 23, 2016

Issue left open to keep this in mind, but most inline scripts (especially in stat pages) would be quite a burden to externalize I think

@ScottHelme
ScottHelme commented Aug 23, 2016

Having had a bit more of a look around I can see what you mean. There is another mechanism in CSP that could allow these to be whitelisted with minimal effort, it's called a nonce-source.

Content-Security-Policy-Report-Only: default-src 'self' 'nonce-abc123'

You inject a random nonce into the CSP header and then add that to the nonce attribute of script or style tags on the pages.

<script nonce="abc123">alert("Hi!");</script>

This way the browser can still effectively whitelist our inline content and block any malicious scripts/styles.
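The nonce mechanism described above, as an added PHP example (not YOURLS code; all function names are hypothetical). It generates a fresh nonce per request from a CSPRNG, sends the Report-Only header first so nothing is blocked during testing, and gives templates a small helper that emits the nonce attribute on the inline tags they already produce:

```php
<?php
// Added example, not part of YOURLS. Function names here are hypothetical.

// 1. One unpredictable nonce per request. 128 bits from random_bytes(),
//    base64-encoded so it is valid inside the CSP header and an HTML attribute.
function csp_make_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// 2. Build the header. Report-Only while testing (as suggested in the issue),
//    switch $reportOnly to false once the console is clean.
function csp_header(string $nonce, bool $reportOnly = true): array
{
    $name  = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    $value = "default-src 'self'; "
           . "script-src 'self' 'nonce-$nonce'; "
           . "style-src 'self' 'nonce-$nonce'";
    return [$name, $value];
}

// 3. Helpers for the templates that currently emit bare <script>/<style> tags:
//    the existing inline code stays exactly as it is, only the opening tag changes.
function csp_script_open(string $nonce): string
{
    return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">';
}

function csp_style_open(string $nonce): string
{
    return '<style nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">';
}

// Wire-up for a request (headers must be sent before any output).
$nonce = csp_make_nonce();
[$headerName, $headerValue] = csp_header($nonce, true);
header("$headerName: $headerValue");

// Constructed sample page body standing in for a YOURLS template with an inline script.
echo "<html><body>\n";
echo csp_script_open($nonce) . "alert('Hi!');</script>\n";   // allowed: carries the nonce
echo "<script src=\"js/app.js\"></script>\n";                 // allowed: same-origin ('self')
echo "</body></html>\n";
```

Two things worth keeping in mind when applying this to a real code base. The nonce only has value if it is attached at template time to tags the application itself emits; a blanket filter that regex-stamps a nonce onto every `<script>` in the final output would also stamp one onto any tag an attacker managed to inject, which makes the policy no stronger than 'unsafe-inline'. And a nonce on `<style>` elements does not cover inline `style="..."` attributes or `onclick`-style event handler attributes, so those still show up as console violations under the Report-Only header and need to be moved into nonce-tagged blocks or external files.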

@LeoColomb
Member

> @ScottHelme
> Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.

Yes. You're absolutely right.

> There is another mechanism in CSP that could allow these to be whitelisted with minimal effort, it's called a nonce-source.

Yes again. But currently YOURLS is absolutely not oriented for CSP compliance, and doing it would introduce a complete YOURLS rewrite (at least for the front end).

@ScottHelme

@LeoColomb you could do this using the nonce mechanism quite easily without rewriting any code. All you need to do is insert the nonce into the CSP header and then inject the nonce attribute into script tags 👍

@albocc
albocc commented Aug 30, 2016

@LeoColomb @ScottHelme randomly generated for each request of course ;-)

@ScottHelme

@albocc yes, of course, but that doesn't have any requirement for them to rewrite existing code to accommodate it :-)
