
Problem with CSP reverting to report-only mode #183

Closed
spdawson opened this issue Oct 17, 2015 · 6 comments

Comments

@spdawson

Strange problem, which I probably don't understand well enough to explain...

CSP configured with enforce: true; works well until I pull in a third-party JavaScript that injects an iframe into the page. With the JavaScript in place, the first request after an app restart correctly enforces CSP; all subsequent requests, however, return a Content-Security-Policy-Report-Only: header.

I'm struggling to understand how injecting an iframe into the page can be causing secure_headers apparently to ignore my configured enforce: true for the CSP.

Any help greatly appreciated.

@oreoshake
Contributor

That's very strange and I can't say I have a clue as to what is going on. Are you overriding the global settings at all? Overrides are stored as class instance variables so I could see a path where one request can affect others, but you'd have to be using secure_headers in an unsupported fashion which isn't exactly easy to stumble upon.

@spdawson
Author

Thanks for your reply. I don't think I'm doing anything particularly exotic. I can reproduce this in a newly-created Rails application, as follows.

  • Create a new Rails app
  • Add a welcome controller, with an index action; set the default route to welcome#index
  • Add gem 'secure_headers' to Gemfile; run bundle
  • Call ensure_security_headers in ApplicationController
  • Add initializer for secure_headers, as follows

```ruby
::SecureHeaders::Configuration.configure do |config|
  config.csp = {
    enforce: true,
    default_src: [
      "*",
      "'unsafe-inline'",
      "'unsafe-eval'",
    ]
  }
end
```

So far, so good. This next part is what causes the problem.

  • In the application layout, add the following to the <head>

```erb
<%= javascript_include_tag "//#{my_domain_name_here}.groovehq.com/widgets/#{my_groove_app_id_here}/ticket.js", async: true %>
```
  • Start the rails server with bundle exec rails s
  • Load app in browser; fine
  • Refresh page: JavaScript console contains warning about CSP in report-only mode but with no report URI configured
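A check for the symptom in those steps, added here as an example and not code from the secure_headers project or the poster: it classifies the CSP header on each of a series of consecutive responses, flags the drift from an enforced policy to report-only, and flags a report-only header that carries no report-uri (the browser warning above). The SAMPLE_RESPONSES hashes are constructed to mirror the reported behaviour; fetch_headers is an assumed helper for running the same check against a live app.

```ruby
require "uri"
require "net/http"

ENFORCE_HEADER     = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# headers: Hash of header name => value for one response (names are case-insensitive).
# Returns :enforced, :report_only or :none.
def csp_mode(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  return :enforced if h.key?(ENFORCE_HEADER.downcase)
  return :report_only if h.key?(REPORT_ONLY_HEADER.downcase)
  :none
end

# A report-only policy with no report-uri never reports anything, so it is a no-op.
def report_only_without_uri?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  value = h[REPORT_ONLY_HEADER.downcase]
  !value.nil? && !value.match?(/\breport-uri\b/i)
end

# responses: Array of header hashes in the order the requests were made.
# Returns problem strings; an empty array means every response matched `expected`.
def check_csp_sequence(responses, expected: :enforced)
  problems = []
  responses.each_with_index do |headers, i|
    mode = csp_mode(headers)
    problems << "request #{i + 1}: expected #{expected}, got #{mode}" if mode != expected
    problems << "request #{i + 1}: report-only policy has no report-uri" if report_only_without_uri?(headers)
  end
  problems
end

# Assumed helper: fetch the same URL n times and return the response headers in order.
def fetch_headers(url, n = 3)
  uri = URI(url)
  Array.new(n) { Net::HTTP.get_response(uri).each_header.to_h }
end

# Constructed sample mirroring the report: first response enforced, later ones report-only.
SAMPLE_RESPONSES = [
  { "Content-Security-Policy" => "default-src * 'unsafe-inline' 'unsafe-eval'" },
  { "Content-Security-Policy-Report-Only" => "default-src * 'unsafe-inline' 'unsafe-eval'" },
  { "Content-Security-Policy-Report-Only" => "default-src * 'unsafe-inline' 'unsafe-eval'" },
]
```

Against a running app, `check_csp_sequence(fetch_headers("http://localhost:3000/"))` returns an empty array only when every consecutive response still carries the enforcing header.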

@oreoshake
Contributor

Thanks, I can reproduce this. Ugh, this is a nasty regression. I'll have a fix shortly and release a new gem when I figure out how far back this goes.

@oreoshake
Contributor

OK, this is only an issue with 2.4.1.

@oreoshake
Contributor

I just pushed 2.4.2. Thanks for reporting this!

@spdawson
Author

Wow, that's great. Thanks very much. Tested with version 2.4.2, and the problem is indeed resolved.

infertux added a commit to buckybox/webstore that referenced this issue Oct 21, 2015