Some security flaws in Jellyfin #1885
Comments
Might be worth modifying the documentation for reverse proxies with notes about general security headers. They're not critically important in most cases, but they're not terrible practice either. The CSP is the most "difficult" part to deal with, as you somewhat have to work out a lot of settings, and the rabbit hole goes pretty deep if you want a "perfectly" restricted CSP without breaking functionality; I believe as it stands jellyfin-web does a fair bit of "unsafe" inlines or possibly evals. For example, in my nginx config I have the following in my server directive (updated 10/19/19)
My CSP is pretty lax and could be restricted more for an improved "score", but at a glance it seems functional with Jellyfin; a lot more effort would probably have to go in if you have multiple applications on the same subdomain.
Definitely something very useful for those of us who don't know where to start, and very easy to do for someone who has the knowledge. @iotku Thank you very much for sharing your nginx reverse proxy configuration. Do you know, by chance, what would be the equivalent config for Apache?
@iotku would you mind making a PR to https://github.com/jellyfin/jellyfin-docs adding those directives? This also seems to resonate with #879
As it stands currently a lot of the benefit of the CSP would be had if we didn't need script-src 'unsafe-inline'. https://csp.withgoogle.com/docs/why-csp.html
I believe most of that would be on the jellyfin-web side of things or perhaps the React client in the future.
I'm not sure how much work it would be to remove all inline scripts, except I have also seen issues with the current CSP when running the web client on its own using nginx, but hadn't looked into the required changes yet.
Most of the onclick elements I hit were on the dashboard (like the shutdown button), and a quick search of jellyfin-web looks like there's some on the setup wizard as well. I've been fairly successful viewing media/searching etc. without hitting any CSP blocks outside of the dashboard, but I suspect there might be some I missed. I believe the reports plugin also utilizes inline scripts, though I haven't toyed with all the plugins, and again that's on the dashboard. Of particular usefulness is adding 'report-sample' to script-src while testing, as it gives much more detail in the console about what triggered it.
Much of this has been addressed according to the linked issues.
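A small policy checker that applies the points raised in this thread (script-src still carrying 'unsafe-inline', no default-src fallback, 'report-sample' missing while debugging). This is an added example, not code from the thread, from jellyfin-web or from any nginx config posted above; the two sample header values are constructed for illustration.

```python
"""Parse a Content-Security-Policy header value and flag the weaknesses
discussed in this thread. Pure standard library; no network access."""


def parse_csp(header):
    """Turn "a x; b y z" into {"a": ["x"], "b": ["y", "z"]}.
    Per the CSP spec, a repeated directive name is ignored after its first use."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def check_csp(header):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    script = [s.lower() for s in effective_sources(policy, "script-src")]
    if not script:
        findings.append("script-src not restricted (no script-src or default-src)")
    # Browsers that support nonces/hashes ignore 'unsafe-inline' when one is present.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script:
        findings.append("script-src allows any host (*)")
    if "'report-sample'" not in script:
        findings.append("script-src lacks 'report-sample' (console shows less detail)")
    return findings


# Constructed sample headers: a lax policy like the one described above, and a nonce-based one.
LAX_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'report-sample'; img-src 'self' data:"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123' 'report-sample'; object-src 'none'"
```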
Hello everyone. I noticed that running a scan towards some public Jellyfin server from https://observatory.mozilla.org reveals a few security flaws. More specifically:
I'm not an HTML security expert, but according to Mozilla these are not too difficult to correct (the webpage linked above gives information about how to do it). Could it be done in future versions of Jellyfin?