Harden GUI by adding a CSP, XSS protection and referrer hiding #2212
Conversation
| @@ -204,5 +204,10 @@ public function beforeExecuteRoute($dispatcher) | |||
|
|
|||
| // append ACL object to view | |||
| $this->view->acl = new \OPNsense\Core\ACL(); | |||
| $this->response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';"); | |||
There was a problem hiding this comment.
will only allow resources directly from the firewall and additional embedded in the HTML, style attributes and JavaScript eval.
| @@ -204,5 +204,10 @@ public function beforeExecuteRoute($dispatcher) | |||
|
|
|||
| // append ACL object to view | |||
| $this->view->acl = new \OPNsense\Core\ACL(); | |||
| $this->response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';"); | |||
| $this->response->setHeader('X-Frame-Options', "SAMEORIGIN"); | |||
There was a problem hiding this comment.
Allow framing only in the context of the firewall itself (no framing by another website) - avoid clickjacking
There was a problem hiding this comment.
@fabianfrz this one is already in there https://github.com/opnsense/core/blob/18.1.2/src/opnsense/mvc/app/controllers/OPNsense/Base/IndexController.php#L77 , we could move it to Base and make sure the classes deriving from index move to base. What do you think?
There was a problem hiding this comment.
So it should be removed from the index controller since it inherits controllerbase and security should be enforced on all controllers - even those which are not IndexControllers.
Short note: There is currently no controller, which is based on ControllerBase.
| $this->response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';"); | ||
| $this->response->setHeader('X-Frame-Options', "SAMEORIGIN"); | ||
| $this->response->setHeader('X-Content-Type-Options', "nosniff"); | ||
| $this->response->setHeader('X-XSS-Protection', "1; mode=block"); |
There was a problem hiding this comment.
block entire page if the browser detects XSS
| $this->response->setHeader('X-Frame-Options', "SAMEORIGIN"); | ||
| $this->response->setHeader('X-Content-Type-Options', "nosniff"); | ||
| $this->response->setHeader('X-XSS-Protection', "1; mode=block"); | ||
| $this->response->setHeader('Referrer-Policy', "same-origin"); |
There was a problem hiding this comment.
do not show the referrer to other pages if the user clicks a link in the GUI.
|
@fabianfrz we should indeed be careful with this, let me review and test this as soon as I can find some time for it. |
|
You can test the csp using report-uri.com as that will let you know of any issues
…________________________________
From: Fabian Franz BSc <notifications@github.com>
Sent: Sunday, February 18, 2018 7:41:30 PM
To: opnsense/core
Cc: Subscribed
Subject: [opnsense/core] Harden GUI Controllers by adding a CSP, XSS protection and referrer hiding (#2212)
this should stay on master for longer time since it may have side effects like blocking resources.
________________________________
You can view, comment on, or merge this pull request online at:
#2212
Commit Summary
* Harden GUI Controllers by adding a CSP, XSS protection and referrer hiding
File Changes
* M src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php<https://github.com/opnsense/core/pull/2212/files#diff-0> (5)
Patch Links:
* https://github.com/opnsense/core/pull/2212.patch
* https://github.com/opnsense/core/pull/2212.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#2212>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADddQmjpKEjtt4M1QYPEQbYXNnCSiFrZks5tWHzqgaJpZM4SJ0NT>.
|
|
looks like it works on static pages as well. |
fabianfrz
changed the title
src/www/head.inc
Outdated
| header('X-Content-Type-Options: nosniff'); | ||
| header('X-XSS-Protection: 1; mode=block'); | ||
| header('Referrer-Policy: same-origin'); | ||
|
|
There was a problem hiding this comment.
probably better to move the headers here https://github.com/opnsense/core/blob/18.1.2/src/www/guiconfig.inc#L38 as the csrf checks are also there.
| */ | ||
| public function beforeExecuteRoute($dispatcher) | ||
| { | ||
| parent::beforeExecuteRoute($dispatcher); |
There was a problem hiding this comment.
Wasn‘t this here before we added the x header below? Should it be deleted?
There was a problem hiding this comment.
@fichtner should be safe to delete, falls back to ControllerBase->beforeExecuteRoute()
|
ping |
|
pong, sorry a bit busy. will pull it in now. |
|
@fabianfrz I'm going to drop the "default-src 'self';" in the security policy for the mvc code, this prevents plugins from using anything like open streetmap, which causes issues on some of our plugins. Not sure if this is the only issue with the more tightened security yet though. We might look into something at a later point to add trusted domains in the controller area, although I'm not sure what the best option is there yet. |
|
Maybe inject or replace the values with properties like the values for the mutable controller. So secure defaults are kept. BTW: Which plugin is using OSM? It should only require image-src to add the domain. |
|
some custom work. adding the desired domains would indeed be better, but this needs a bit of work for a clear hook. |
|
I dont think so. Adding a property $csp-image-source to the controller base should work and the defaults are the values of my pull request. Any controller that inherits the base controller, can override the default just by adding it in the class. In that case it would be controller wide which should not be a huge issue because most controllers do have 1-3 actions |
|
@fabianfrz this a8f54d2 should do the trick |
|
Exactly the implementation I had in mind |
this should stay on master for longer time since it may have side effects like blocking resources.