Replace Cross-Origin-Resource-Policy: 'same-site' with 'same-origin' #6768
Conversation
|
Hi @evilaliv3, thank you for this PR and for all of your contributions to SecureDrop <3 Changes look good (CI failure known/unrelated), we just want to make sure this doesn't affect any of the Onion Name aliasing before we proceed. |
The configuration is recommended by the official Mozilla documentation that has a warning that inform that same-site is considered less secure than an origin. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
zenmonkeykstop
force-pushed
the
patch/set-corp-same-origin
branch
from
c06cfdc
to
46af002
Compare
|
Thanks for this @evilaliv3, rebasing to pull in some CI tests. It might need a postint change to update servers which already have the |
|
Hey @evilaliv3, I just added a line in the securedrop-app-code postinst to handle upgrade cases, and I'm going to update the test plan in the issue description. Hope that's alright :) |
There was a problem hiding this comment.
Upgrade scenario looks good! Your merge, @rocodes.
-
Provision staging servers (VMs OK) against tip of develop
-
Inspect
/etc/apache2/sites-available/{source,journalist}.confand notice aCross-Origin-Resource-Policyof "same-site"vagrant@app-staging:~$ grep "Cross-Origin-Resource-Policy" /etc/apache2/sites-available/*.conf /etc/apache2/sites-available/journalist.conf:Header onsuccess unset Cross-Origin-Resource-Policy /etc/apache2/sites-available/journalist.conf:Header always set Cross-Origin-Resource-Policy "same-site" /etc/apache2/sites-available/source.conf:Header onsuccess unset Cross-Origin-Resource-Policy /etc/apache2/sites-available/source.conf:Header always set Cross-Origin-Resource-Policy "same-site"
-
Check out this branch, and run
make build-debs. Copy the securedrop-app-code package you built to the app server (scp $PATH_TO_YOUR_SECUREDROP_ROOT_DIR/build/focal/securedrop-app-code_2.6.0~rc1+focal_amd64.deb sdadmin@<app.server.ip.address>:). -
Install the .deb using dpkg, and inspect the apache2 config files again. Observe a
Cross-Origin-Resource-Policyof "same-origin"vagrant@app-staging:~$ grep "Cross-Origin-Resource-Policy" /etc/apache2/sites-available/*.conf /etc/apache2/sites-available/journalist.conf:Header onsuccess unset Cross-Origin-Resource-Policy /etc/apache2/sites-available/journalist.conf:Header always set Cross-Origin-Resource-Policy "same-origin" /etc/apache2/sites-available/source.conf:Header onsuccess unset Cross-Origin-Resource-Policy /etc/apache2/sites-available/source.conf:Header always set Cross-Origin-Resource-Policy "same-origin"
|
Thanks @cfm. Before merge, can you confirm your apache2 service on the app server comes back up without error? Having a problems on my app server staging VM today but may be unrelated. |
|
I've retested the upgrade scenario in a fresh staging environment and see no problems: vagrant@app-staging:~$ sudo cat /var/lib/tor/services/sourcev3/hostname
4uni4nncsyiebfgib3lvjjutxsr4ylis42ba7hss6mtdpfhxpispcvyd.onion
vagrant@app-staging:~$ torify curl -Is 4uni4nncsyiebfgib3lvjjutxsr4ylis42ba7hss6mtdpfhxpispcvyd.onion | grep "Cross-Origin-Resource-Policy"
Cross-Origin-Resource-Policy: same-site
vagrant@app-staging:~$ sudo apt install ./securedrop-app-code_2.6.0~rc1+focal_amd64.deb
vagrant@app-staging:~$ torify curl -Is 4uni4nncsyiebfgib3lvjjutxsr4ylis42ba7hss6mtdpfhxpispcvyd.onion | grep "Cross-Origin-Resource-Policy"
Cross-Origin-Resource-Policy: same-origin |
The configuration is recommended by the official Mozilla documentation that has a warning that inform that same-site is considered less secure than an origin. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
Test plan:
Clean install
make build-debs,make staging./etc/apache2/sites-available/{source,journalist}.confare provisioned as in this PRUpgrade testing
/etc/apache2/sites-available/{source,journalist}.confand notice a Cross-Origin Resource Policy of "same-site"make build-debs. Copy the securedrop-app-code package you built to the app server (scp $PATH_TO_YOUR_SECUREDROP_ROOT_DIR/build/focal/securedrop-app-code_2.6.0~rc1+focal_amd64.deb sdadmin@<app.server.ip.address>:).