add basic csp reporturi page in php #1751

Closed
wants to merge 2 commits into base: master from

3 participants
@juju4
Contributor

juju4 commented Jan 13, 2018

Add a (very) basic reporturi page in PHP for CSP reporting,
inspired by https://mathiasbynens.be/notes/csp-reports

Might be better in a separate file/class with a conditional. Comments?
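As an added example (not the PR's report.php and not puppetlabs-apache code), here is what a hardened version of such a report-uri page looks like: a method and Content-Type check, a body size cap, a depth-limited JSON decode, a whitelist of csp-report fields with per-field truncation, and an append-only JSON-lines log kept outside the docroot. The log path, size limits and field list are assumptions for illustration; the typed signatures need PHP 7.1 or later.

```php
<?php
// Added example: hardened minimal CSP report-uri receiver.
// Not the PR's report.php; paths, limits and the field list are assumptions.
declare(strict_types=1);

// Log outside the document root so stored reports are never served back to clients.
const CSP_LOG_FILE  = '/var/log/csp/csp-violations.log';   // assumed path
const CSP_MAX_BODY  = 16384;                               // bytes; real reports are small
const CSP_MAX_FIELD = 2048;                                // per-field truncation

function csp_respond(int $status): void
{
    http_response_code($status);
    exit;
}

// Only POST is meaningful; browsers send Content-Type: application/csp-report.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    csp_respond(405);
}
$ctype = strtolower($_SERVER['CONTENT_TYPE'] ?? '');
if (strpos($ctype, 'application/csp-report') !== 0 && strpos($ctype, 'application/json') !== 0) {
    csp_respond(415);
}

// Read at most CSP_MAX_BODY + 1 bytes so an oversized body is detected, not buffered.
$raw = file_get_contents('php://input', false, null, 0, CSP_MAX_BODY + 1);
if ($raw === false || strlen($raw) > CSP_MAX_BODY) {
    csp_respond(413);
}

// A report is a flat object under "csp-report"; a shallow depth limit is enough.
$decoded = json_decode($raw, true, 4);
if (!is_array($decoded) || !isset($decoded['csp-report']) || !is_array($decoded['csp-report'])) {
    csp_respond(400);
}
$report = $decoded['csp-report'];

// Keep only known scalar fields, truncated, so a hostile client cannot push
// arbitrary keys or megabytes of data into the log.
$allowed = [
    'document-uri', 'referrer', 'blocked-uri', 'violated-directive',
    'effective-directive', 'original-policy', 'disposition', 'source-file',
    'line-number', 'column-number', 'status-code', 'script-sample',
];
$clean = [];
foreach ($allowed as $key) {
    if (array_key_exists($key, $report) && is_scalar($report[$key])) {
        $clean[$key] = substr((string) $report[$key], 0, CSP_MAX_FIELD);
    }
}
if ($clean === []) {
    csp_respond(400);
}

$entry = [
    'ts'         => gmdate('c'),
    'remote'     => $_SERVER['REMOTE_ADDR'] ?? '',
    'user-agent' => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 256),
    'csp-report' => $clean,
];

// One JSON object per line; json_encode escapes newlines, so a client cannot
// forge additional log lines through any of the report fields.
$line = json_encode($entry, JSON_UNESCAPED_SLASHES) . "\n";
if (file_put_contents(CSP_LOG_FILE, $line, FILE_APPEND | LOCK_EX) === false) {
    csp_respond(500);
}
csp_respond(204);
```

The endpoint is unauthenticated by design (the browser posts to it without credentials), so everything it stores is client-controlled; the whitelist and the size caps are what keep one misbehaving client from filling the disk, and keeping the log off the docroot is what keeps other clients from reading it.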

@hunner

This is an interesting idea, but I don't think it is common enough practice to be enabled by default. Putting it in a separate class with relevant parameters would be a good direction.

Should it be a defined resource type so that they can vary based on different sites?

@@ -0,0 +1,37 @@
<?php
// {{ ansible_managed }}
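Review bot: `// {{ ansible_managed }}` on the first line is Ansible/Jinja2 syntax, which Puppet's ERB renderer will not expand; this file is an ERB template (it uses `<%= @docroot %>` further down), so the placeholder would be shipped to clients verbatim. Replace it with a plain `// Managed by Puppet` comment.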

@hunner

hunner Jan 16, 2018

Member

Hah.

// Note: this script requires PHP ≥ 5.4.
// Specify the email address that receives the reports.
define('EMAIL', 'csp-violations@example.local');
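Review bot: `define('EMAIL', 'csp-violations@example.local')` hardcodes the recipient in what is otherwise an ERB template; expose it as a class parameter and render it with `<%= %>` the way the LOG_FILE path below is, otherwise every deployment mails example.local. The "requires PHP ≥ 5.4" note is only a comment; nothing on the Puppet side checks or documents that requirement.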

@hunner

hunner Jan 16, 2018

Member

This should be templated.

// Specify the email address that receives the reports.
define('EMAIL', 'csp-violations@example.local');
// Specify the desired email subject for violation reports.
define('SUBJECT', 'CSP violation');
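Review bot: SUBJECT is a second hardcoded literal beside EMAIL; if the mail path is kept at all, make both class parameters rendered through ERB rather than constants that have to be edited in the template, so sites can vary them without forking the file.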

@hunner

hunner Jan 16, 2018

Member

This should be templated.

// Specify the desired email subject for violation reports.
define('SUBJECT', 'CSP violation');
// Specify target log file
define('LOG_FILE', '<%= @docroot %>/csp/log/csp-violations.log');
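Review bot: LOG_FILE puts csp-violations.log under `<%= @docroot %>/csp/log/`, i.e. inside the web root, so the accumulated reports (client-supplied document URIs, referrers, blocked URIs and script samples) are retrievable by anyone who guesses the path unless access to that directory is explicitly denied. Write the log outside the docroot (the Apache log directory is the natural place) or add a `<Directory>` deny for `csp/log`, and make the path a class parameter rather than deriving it from the docroot.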

@hunner

hunner Jan 16, 2018

Member

This should be templated.

);
// Mail the CSP violation report.
//mail(EMAIL, SUBJECT, $data2, 'Content-Type: text/plain;charset=utf-8');
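Review bot: the `//mail(EMAIL, SUBJECT, $data2, ...)` line is commented out, so EMAIL and SUBJECT are dead constants; either drop the mail path or gate it on a class parameter. If it is ever enabled, keep in mind that the endpoint accepts unauthenticated POSTs from any client, so one message per report is an easy way for someone to flood the mailbox; batch or rate-limit before sending.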

@hunner

hunner Jan 16, 2018

Member

Should this be usable? Should it be removed?

@@ -130,4 +130,35 @@
unless $::operatingsystem == 'SLES' { apache::security::rule_link { $activated_rules: } }
file { "${::apache::params::docroot}/csp":
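Review bot: `"${::apache::params::docroot}/csp"` reads the module default, not the value the site actually configured; the `apache` class takes `docroot` as a parameter, so use `$::apache::docroot` (or a parameter of this new class), otherwise the directory lands somewhere the vhost never serves.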

@hunner

hunner Jan 16, 2018

Member

I think the $apache::params::docroot can be overridden by the base class so is not a reliable location.

@@ -130,4 +130,35 @@
unless $::operatingsystem == 'SLES' { apache::security::rule_link { $activated_rules: } }
file { "${::apache::params::docroot}/csp":
ensure => directory,
owner => $::apache::params::user,
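Review bot: `owner => $::apache::params::user` has the same problem as the docroot above: the base class accepts `user` and `group` parameters that override the params defaults, so take ownership from `$::apache::user` and `$::apache::group`. Also reconsider making the httpd user own a directory under the docroot at all; if only the log needs to be written, give the web server write access to the `log` subdirectory and keep the directory holding report.php root-owned, so a bug in the endpoint cannot be turned into a writable web root.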

@hunner

hunner Jan 16, 2018

Member

User and group can also be overridden in the base class.

require => Package['httpd'],
}
file { 'report.php':
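Review bot: `file { 'report.php':` uses a bare filename as the resource title; Puppet requires file titles to be fully qualified paths unless a `path` attribute is set, so this needs either an absolute title or an explicit `path =>` pointing into the csp directory created just above. The file also presupposes that PHP is installed and wired into Apache, which `apache::mod::security` does not guarantee; make the whole thing opt-in (disabled by default) and move it into its own class or define.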

@hunner

hunner Jan 16, 2018

Member

There are probably tons of servers with apache::mod::security without php installed. These files should be optional and disabled by default.

As you mention, this is probably best moved to its own separate class or define.

@hunner hunner added the feature label Jan 16, 2018

@ekohl

mod_security and CSP are different things. I think this should be solved at the profile level. You may want one CSP page per vhost for example or your application already ships a CSP endpoint and you don't want this. It's business logic and IMHO doesn't belong in puppetlabs-apache.

@hunner hunner closed this Jan 18, 2018
