
Configure Content Security Policy for Action Cable #31309

Closed
olimart opened this Issue Dec 1, 2017 · 12 comments

olimart (Contributor) commented Dec 1, 2017

Steps to reproduce

Generate a new app (5.2.0.beta2) with Action Cable.

Expected behavior

When generating a fresh application, the content security policy should add a directive to connect_src so that it works with Action Cable.

This should be skipped if action_cable is skipped when generating a new app.

Actual behavior

The content security policy has no instructions for connect-src (which is fine as the default setting); however, there should be instructions on how to turn it on for Action Cable.

For instance I added the following in config/initializers/content_security_policy.rb:

p.connect_src :self

but it does not work.

In development.rb I have

config.action_cable.url = 'ws://localhost:5000/cable'
config.action_cable.allowed_request_origins = [ 'http://localhost:5000', 'http://127.0.0.1:5000' ]

System configuration

Rails version: 5.2.0.beta2

Ruby version: 3.3.1

olimart (Contributor) commented Dec 1, 2017

Hi @pixeltrix, I see that you worked on the Content Security Policy, maybe you can shed some light. Thanks.

jeremy (Member) commented Dec 1, 2017

olimart (Contributor) commented Dec 1, 2017

w3c/webappsec-csp#7 (comment)

> As an example, it would be useful to serve a page at http://localhost:3000/ using connect-src 'self', and have this behave as if the CSP (under current rules) had specified connect-src 'self' ws://localhost:3000.

If the aforementioned configuration is not possible, I'm not sure how people use Action Cable with a security policy in development.

Thanks @jeremy for the link. The issue is quite old, so I doubt this will change anytime soon.

guilleiguaran (Member) commented Dec 2, 2017

Just to confirm: so we need to have p.connect_src :self, :https, 'ws://localhost:3000' for ActionCable in development?

olimart (Contributor) commented Dec 2, 2017

@guilleiguaran I'm getting EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https:". So no clue about what is expected at all.

pixeltrix (Member) commented Dec 2, 2017

@olimart that error suggests that there's an eval somewhere in the JavaScript code. Was there a line specified, so we can tell whether it's your code or Action Cable's JavaScript code?

guilleiguaran referenced this issue Dec 2, 2017: Webpacker and CSP #1057 (Closed)
olimart (Contributor) commented Dec 2, 2017

@pixeltrix Turned out that the eval issue comes from the rack-mini-profiler gem loading jQuery externally, so never mind.

@guilleiguaran is right, this seems to work when you set p.connect_src :self, :https, 'ws://localhost:3000' in the content security policy.

In the end I guess it's a matter of documenting this in the ActionCable docs. Will open a PR separately. Thank you all.

kieraneglin commented Dec 19, 2017

Where does this leave system tests? For use with Webpacker (Vue) and ActionCable, my CSP includes this: p.connect_src :self, :https, 'http://localhost:3035', 'ws://localhost:3035', 'ws://localhost:3000'

However, this doesn't work in the test environment, since the port changes each time. As a workaround, I've included this:

if Rails.env.test?
  p.connect_src :self, '*'
else
  p.connect_src :self, :https, 'http://localhost:3035', 'ws://localhost:3035', 'ws://localhost:3000'
end

Is this a Rails CSP concern (is this even a problem?), or should I move this to StackOverflow?
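An added example in plain Ruby (not Rails code and not posted by anyone in this thread) that derives the connect-src source expressions from the configured cable URL, covering both the fixed development port above and the random-port test case, and flags sources that would make the directive effectively unrestricted; the function names are hypothetical, and the test-environment source relies on the CSP port wildcard (`host:*`).

```ruby
require "uri"

# Hypothetical helper (added example, not Rails code): derive the CSP connect-src
# source expressions an Action Cable client needs from the configured cable URL.
# Under the CSP behaviour referenced in the thread, 'self' does not cover a ws://
# connection back to the page's own origin, so the WebSocket origin is listed explicitly.
def cable_connect_sources(cable_url, env: "development")
  uri = URI.parse(cable_url)
  unless %w[ws wss].include?(uri.scheme)
    raise ArgumentError, "cable URL must be ws:// or wss://, got #{cable_url.inspect}"
  end
  default_port = uri.scheme == "wss" ? 443 : 80
  port = uri.port || default_port   # URI::Generic leaves the port nil when absent
  host_source = "#{uri.scheme}://#{uri.host}"

  if env == "test"
    # System tests start the app server on a random port, so the cable port is not
    # known in advance. A CSP port wildcard on the fixed host stays far narrower than
    # the '*' workaround, which would allow connections to any origin at all.
    host_source += ":*"
  elsif port != default_port
    host_source += ":#{port}"
  end

  ["'self'", host_source]
end

# Render the directive as it would appear in the Content-Security-Policy header.
def connect_src_directive(cable_url, env: "development")
  "connect-src #{cable_connect_sources(cable_url, env: env).join(' ')}"
end

# Flag source expressions that leave connect-src effectively open for WebSockets:
# a bare '*', a scheme-only ws:/wss: source, or a wildcard host such as ws://*.
def overly_broad_sources(sources)
  sources.select do |s|
    s == "*" || s.match?(%r{\A(?:ws|wss):(?://\*(?::\*)?)?\z})
  end
end
```

The returned strings are raw CSP source expressions, so the test-environment result is `'self' ws://localhost:*` rather than the wildcard shown in the workaround above.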

guilleiguaran (Member) commented Dec 20, 2017

@kieraneglin what port changes during tests? The Action Cable one?

kieraneglin commented Dec 20, 2017

@guilleiguaran yes. This was confirmed by accessing the browser during a system test and checking the value of window.App.cable. The cable port matched the browser port.

Without my workaround above, the console would repeatedly error that it could not connect to the WS.

pedromartinez commented Jan 2, 2018

Also having this issue. Need to somehow whitelist all ports on localhost.

deanius commented Aug 9, 2018

I also would like to whitelist all ports on localhost.
