CSP and Referrer-Policy meta tag not recognized #105
Comments
Yep, I've even got a comment about it in the code. :) https://github.com/mozilla/http-observatory/blob/master/httpobs/scanner/analyzer/headers.py#L34 Thanks for bringing this up! |
+1 We use CSP in meta only (except for frames which have to be in headers). Would be nice to have this reported more completely. |
I'm really hoping to get to this sometime this quarter. If not, early next quarter. It's definitely not being ignored, just something that I haven't had time to get to you. :) |
This probably isn't ideal, couldn't really defend importing a heavy package like bs4 to myself when a simple regex can do the job. At the very least this pull request might encourage somebody to take another look at this or perhaps my simple approach is good enough. mozilla#105
Any update here? |
@travisspencer, do you have a test site I can use to verify my changes? Thanks! |
@april See https://vault.bitwarden.com to test |
Awesome! It's passing all my tests and your site went from a D+ to a B (CSP is now "unsafe in style-src only"). I've still got to revamp some of the other tests that use headers, such as Referrer-Policy. |
Fixed in #264 and now live. :) |
Sorry, @april , for not replying earlier. I just tested https://nordicapis.curity.io/oauth/v2/authorize and the results are wrong IMO. It gives a -20 for using unsafe-inline like this:
There is no way to support nonce in a backward-compatible way without |
Right, but you don't have a nonce inside As you can see here: Your policy does nothing to protect against unsafe-inline script. In this case, the Observatory is correct – your CSP is actually unsafe. |
Are we looking at the same page or am I just daft? (I may well be) At that URL, I see this markup:
<head>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'; media-src 'none';">
<meta http-equiv="Content-Security-Policy" content="connect-src 'self'; font-src 'self'; child-src 'self';">
<meta http-equiv="Content-Security-Policy" content="img-src 'self'; style-src 'self' 'unsafe-inline' 'nonce-gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ';">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ';">
<style id="antiClickjack" nonce="gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ">/*...*/</style>
<script type="text/javascript" nonce="gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ">/*...*/</script>
<script type="text/javascript" nonce="gAeQO8jI4VJCsrsXkcUVRCzQjiihKteQ">/*...*/</script>
</head>
The 3rd meta tag allows styles (style-src, the one I included in the last comment) to run with unsafe-inline if the user agent doesn't support nonce, and the 4th one does the same for scripts (script-src).
So, this page is safe (as long as the user agent supports nonce). What is the problem here that I'm missing? |
I wasn’t aware the CSP spec permitted four separate instances of the CSP
header. Is this a normal thing that works in HTTP Responses, unique to
<meta> tags, or actually not permitted?
|
I didn't look at your page, I only looked at what you posted in the thread. I'll take a look at it, but I suspect what's happening is that it's only seeing either the first or last entry. |
3.3. HTML meta Element <https://www.w3.org/TR/CSP2/#delivery-html-meta-element>
The server MAY supply policy via one or more HTML meta <https://www.w3.org/TR/html5/document-metadata.html#the-meta-element> elements with http-equiv <https://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv> attributes that are an ASCII case-insensitive match <https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive> for the string "Content-Security-Policy".
https://www.w3.org/TR/CSP2/#content-security-policy-header-field
Seems fine from my read of the above spec.
|
Excellent. Thanks for the clear links!
|
Okay, so there is a bug where it's not combining them together. I'll work on fixing that. That said, the Observatory has historically only looked at the page's contents when it returns a 200 code, not 400 or 404. The reason for this is that most sites (not yours, in this case) have really bad error pages, and I didn't want to tell them that they were safe due to not having scripts (such as with SRI) on their error pages, when their normal pages did have issues. I can possibly fix this, but it will probably take me a while. |
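As an added example (not code from the Observatory or from anyone in this thread), here is a small Python routine that collects every CSP <meta> tag, as the spec quoted above permits, enforces each delivered policy independently, and reports whether 'unsafe-inline' is still effective for a directive such as script-src or style-src once a nonce or hash source is present. The sample head, the shortened nonce value, and the double-quoted-attribute assumption in the regex are constructed for this example.

```python
import re

# Constructed sample modelled on the <head> posted in this thread (nonce shortened).
SAMPLE_HEAD = """<head>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'; media-src 'none';">
<meta http-equiv="Content-Security-Policy" content="connect-src 'self'; font-src 'self'; child-src 'self';">
<meta http-equiv="Content-Security-Policy" content="img-src 'self'; style-src 'self' 'unsafe-inline' 'nonce-abc123';">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-abc123';">
</head>"""

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')  # assumption: double-quoted attributes
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def extract_meta_policies(html):
    """Content of every CSP <meta> tag, in document order (the spec allows one or more,
    matched ASCII case-insensitively on the http-equiv value)."""
    policies = []
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").lower() == "content-security-policy":
            policies.append(attrs.get("content", ""))
    return policies

def parse_policy(policy):
    """One serialized policy -> {directive: [source expressions]}; a directive repeated
    inside the same policy counts only the first time."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def inline_allowed_by(sources):
    """CSP2+ user agents ignore 'unsafe-inline' when a nonce or hash source is present."""
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash

def unsafe_inline_effective(policies, directive):
    """True when inline content governed by `directive` stays unrestricted after every
    delivered policy is enforced. Policies apply independently, so inline runs only if
    all applicable ones allow it; a policy with neither the directive nor default-src
    restricts nothing and is skipped (no applicable policy at all -> unrestricted)."""
    applicable = []
    for parsed in map(parse_policy, policies):
        sources = parsed.get(directive, parsed.get("default-src"))
        if sources is not None:
            applicable.append(sources)
    return all(inline_allowed_by(s) for s in applicable)
```

Evaluating only the last tag (the kind of single-entry behaviour suspected in the discussion above) reports style-src as unrestricted, whereas enforcing all four policies shows inline script and style both neutralised by the nonce.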
Could I ask you to open another bug for this? In the vast majority of situations, this code as it is should work for websites. Most sites only use a singular meta http-equiv and don't have error pages for /. :) |
Created two new tickets for ya, @april . If there's anything I can do to help besides testing and verification, please let me know. |
Having the CSP header in an HTML meta tag seems not to be recognized, although it is stated here as an implementation example: https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
See here: https://observatory.mozilla.org/analyze.html?host=dotbox.org