[4.0] Improve CSP #32893
Conversation
When you publish a report (which is now renamed to enabled/disabled) the set value is used in the header of the CSP header.
Click on the status icon. This only happens in enforce mode and means that you cannot disable a line that is breaking your site without disabling com_csp first.
@rdeutz please re-open my PR to remove com_csp.
Yes, but that's not an issue of com_csp but that the core still uses inline scripts. The intention for 4.x is the focus on the frontend, for that reason it's also the default option. ;-) And when the complete process is followed, meaning: report only, detect mode, review the reports, enforce mode. Then also the backend works. With the extensions done here even that can be avoided when the hashes have been added to the reports. CSP isn't as easy as just enabling two options, but with the tooling here it is much simpler than running all of that manually.
You can't separate the two.
That would be the undocumented process that I've been requesting documentation for.
I agree with you, that CSP is not that easy and there are still some big gaps in the component, but I'm more in favour of disabling minor stuff we don't need and trying to improve the rest. (Now as the component is tested the first time in a "real" environment.) So for starters (I hope you're willing to continue giving feedback) I would suggest:
Just by enabling com_csp for the site (instead of the admin as I did before) you block 5 assets including the main banner image
I tested this before and made many of these comments before. However almost no one else has tested it because they simply didn't understand what it was or how to use it. That's still the case and I am still the only person testing. I am aware that both the bug squad and CMS release team have said that they are working on testing the release blockers, so I can only assume that they are also not testing this because they don't understand it. Do you see a pattern here? Software merged before it was ready so it could be "fixed later", only for the original committer to abandon it for others to try and fix. All the while adding further delay to the release of J4. @bembelimen you should know this better than most, as 15 months ago there was a debate about pulling workflows or rewriting as it was seen as THE release blocker for J4. Some of us pointed out that there were many release blockers, and here we are 15 months later still with the same release blockers.
I would change it so that the first column is the blocked element / directive, and then the individual reports, e.g. url and sample, are grouped as sub-records of that master row.
I've been asking for this since the very first day, as @zero-24 knows, and still no signs of it.
Yep, I know that the workflow was also on the brink, but I also hope that you saw that I try to hold my promises by fixing it. (And I'm aware that there are still two RB concerning the workflow.) I also see that you spent a lot of time on the CSP, that's why I'm grateful that you give feedback here. I'm willing to spend time to get this component release ready (probably by cutting different features out). But it will not work without you helping, so I would give you the choice: if you see that we get this component working, I'm willing to spend the time to finish this PR. If you say: no way, then we can stop and throw it away.
Exactly which is why when you asked for two weeks I sat back and waited patiently
Just as I spent a lot of time testing workflows, atum and cassiopeia
What about the rest of the contributors? There are 46 voting members of the production team. Are you really saying that if I (not a member of any team) don't spend my time testing this then there is no one else?
Now who is being emotional ;) I can guarantee that if I say no way then the code won't be removed. If the release lead doesn't have the time to make decisions then hopefully the department lead will make those decisions. It shouldn't all be left to one person writing code and one person testing it.
Initial docs and help pages have been written long before a few other Joomla 4 features have even been added to the docs, and how com_csp works has even been recorded on video and reported on in the magazine ;-) But as mentioned many times I'm happy to extend that docs with whatever is useful. Given it's changing here a bit again I will add the docs required label here and review the docs again once that's merged here.
It's not only you and Benjamin; I'm also following here but have not found the time yet to test this PR, but it's still on my radar.
What browser? When the image directive is not set it should fall back to the default-src and thereby allow all images loaded from the local site. When there are issues with that I would like to take a look into that browser. And what other settings do you have enabled? Without any rules set (no detect has been run) it should block Google Fonts, but that's expected as it has not been allowed yet.
Clean install with blog sample data
The first of those blocks the hero image.
Those are all inline style issues and are blocked because inline styles are not allowed by your CSP. Using the report stuff done here you can whitelist them by using the hash and don't rely on unsafe-inline.
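An added example (not code from this PR or from Joomla's com_csp) illustrating the two points made in the comments above: a fetch directive such as img-src falls back to default-src when it is not set, and an inline style can be allowlisted by its hash instead of 'unsafe-inline'. The inline style body and both policies are constructed for the example.

```python
import base64
import hashlib

# Constructed sample: an inline <style> body such as a module's background rule.
INLINE_STYLE = "div.banner { background-image: url(/images/banner.jpg); }"

# Constructed policy: no img-src set, and inline styles kept working via 'unsafe-inline'.
WEAK_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'"


def csp_hash(inline_source: str, algo: str = "sha256") -> str:
    """Hash-source for an inline <script>/<style> body, in the form CSP expects:
    '<algo>-<base64 digest>' computed over the exact bytes between the tags."""
    digest = hashlib.new(algo, inline_source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_policy(header: str) -> dict:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives (img-src, style-src, ...) fall back to default-src when
    absent, which is why default-src 'self' alone still allows local images."""
    return policy.get(directive, policy.get("default-src", []))


def allows_inline(policy: dict, directive: str, inline_source: str) -> bool:
    """True when the inline body is permitted by the directive. From CSP level 2 on,
    'unsafe-inline' is ignored once a hash or nonce source is present, so a
    hardened policy must list the hash of every inline body it wants to keep."""
    sources = effective_sources(policy, directive)
    strict = any(s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    return any(csp_hash(inline_source, algo) in sources for algo in ("sha256", "sha384", "sha512"))


def hardened_policy() -> str:
    """Replace 'unsafe-inline' with the hash of the one inline style we keep."""
    return f"default-src 'self'; style-src 'self' {csp_hash(INLINE_STYLE)}"
```

Note that hashes match the contents of `<style>`/`<script>` elements; a `style="..."` attribute is only matched by hash when the directive also carries `'unsafe-hashes'`.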
You are completely missing the point. Simply enabling com_csp on a default Joomla install should not break it.
It's already disabled by default.
Agree, but that's not an issue within the CSP component but that some core stuff still uses inline styles or inline scripts while it should not. So the sample data has to be patched in this case. ;-)
The component only highlights that issue now, so please don't shoot the messenger ;-)
Whichever way you look at it and pass the blame, enabling the component breaks both the site and the admin. They both work perfectly without it. Even if you know what CSP is you would not expect it to break a default installation just by turning it on. The fact that you don't see it as a release blocker or worthy of your time to test it is because, like far too many members of the production department, you never use Joomla in the real world. @bembelimen now I see why people don't test this: they are told that they don't know what they are doing or that the error is elsewhere. To answer your previous question if I was still willing to test your changes: the answer is therefore no. I would rather clean the fluff from my navel, it would be more productive.
That's my point.
Thanks for your past tests.
@bembelimen thanks for trying.
Just for future reference, it is NOT the sample data that has the background style; it is a core functionality of the custom module.
I'm sad that this PR got closed :( I would still be happy to work and improve the CSP stuff.
That's true for most security systems, right? When you install a lock on your door you can't get into it without giving the key to everyone who still should use it (setting up an allowlist), but it works too without it, but then everyone can come in through that door. And without that second step the door is locked for everyone else but yourself.
Agree, but the people that know CSP also know that when I still use inline styles or scripts on my site there is no magic button I can hit and expect everything to work too, as CSP is usually very site specific and intended to block inline stuff by default.
That has not been said here right? The label is also here right?
It's 5 days since this PR was opened. I'm sorry that I don't test all PRs I'm looking into instantly after they are opened here? I only said I have not found the time yet to test it.
Point taken, while the sample data also has a few places where it still uses inline styles too. I thought this would be one of them.
Not every comment is addressed at Tobias. Yes it has been said here.
And how many months since people started reporting that it was not usable? Your analogy about the door is a good one. When you fit a door with a new lock you can still open the door with the key. You don't have to find a keymaker who is able to make a new key for you. Even if you did have to find a keymaker then the door would be closed for everyone and not left hanging on its hinges, only partially opening and closing. The simple fact is that, as I have said since day one, this component is not suitable for inclusion in the core of Joomla as it is beyond the skillset of the average user to configure. If it didn't break their site if they enabled it to see what it did it wouldn't be so bad, but as it does then it's a really bad experience. As for the documentation, do you really think that this is a correct description and enough information: https://help.joomla.org/proxy?keyref=Help40:Content_Security_Policy_Reports&lang=en
Pull Request for Issue #31709.
Summary of Changes
Rebuild of the com_csp extension.
Instead of generic configuration one can apply specific entries.
Changes:
Testing Instructions
Probably needs some fine tuning here and there. Feedback is really appreciated.
Known issues
not fully supported. Not sure if they're needed in the first version, could be added later.
@zero-24