Extend CSP Configuration #909

@guspower

Description

What are you building with SQLPage ?

A blog

What is your problem ? A description of the problem, not the solution you are proposing.

The Mozilla Observatory marks the site down on the CSP configuration. This configuration has not been modified from the default values.

If I set the configuration value CONTENT_SECURITY_POLICY then I lose the nonce functionality as this only kicks in if there is no explicit configuration specified.

I also tried to add multiple values to the same header:

SELECT 'http_header'          AS component,
       'object-src ''none'';' AS "Content-Security-Policy";

SELECT 'http_header'        AS component,
       'base-uri ''none'';' AS "Content-Security-Policy";

but alas it seems the last value wins (they are not combined, nor are multiple headers sent to the client).

What are you currently doing ? Since your solution is not implemented in SQLPage currently, what are you doing instead ?

I could work around the limitation as described in an earlier issue. However, I would like to extend SQLPage to handle this circumstance.

Describe the solution you'd like

The CSP headers could be configured as per the strict definition without workaround:

Content-Security-Policy:
  frame-ancestors 'none';
  upgrade-insecure-requests;
  script-src 'nonce-{RANDOM}';
  object-src 'none';
  base-uri 'none';

Describe alternatives you've considered

It seems like there could be a few ways to handle this:

  1. Enhance the CSP configuration parsing to cater for nonce
  2. Go long on CSP configuration and allow each element to be optionally configured ('script-src', 'object-src' etc.)
  3. Create a CSP component
  4. Make the nonce value available in the SQL context
  5. Allow the same header to be written multiple times
  6. Combine / append header values with the same name

Additional context

It would also be great to be able to test a CSP policy change, but looking at it, it does seem pretty wild (report-only with reporting endpoints, etc.). There is also the situation where certain pages need a custom CSP configuration because they actually contain an embed.

If you think this is worthwhile and have a preferred route, I would be happy to create a patch for consideration.
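As an added illustration of alternative 6 above (combining same-name header values), here is a small Python merger that is not SQLPage's code and not part of this issue. It assumes the `{RANDOM}` placeholder from the strict policy above marks where the per-request nonce goes, that the fragments are constructed here for the example, and that `https://embed.example` is a hypothetical embed origin. One caveat a practitioner should keep in mind when choosing between alternatives 5 and 6: when a browser receives several Content-Security-Policy headers it enforces all of them (a request must satisfy each policy), so naively unioning two definitions of the same directive into one header is more permissive than sending them separately. The merger below therefore concatenates distinct directives, which is equivalent to separate headers, and refuses conflicting definitions of the same directive instead of unioning them.

```python
import secrets
from collections import OrderedDict

# Placeholder used in the issue's strict policy for the per-request nonce (assumption).
NONCE_PLACEHOLDER = "{RANDOM}"


def new_nonce() -> str:
    """Fresh per-response nonce; token_urlsafe is base64url, which CSP's nonce grammar accepts."""
    return secrets.token_urlsafe(16)


def parse_csp(policy: str) -> "OrderedDict[str, list[str]]":
    """Split one policy string into an ordered map of directive name -> source list.

    Directives are separated by ';'; the first token is the name, the rest are
    source expressions. A directive with no sources (upgrade-insecure-requests)
    maps to an empty list. If a name appears twice within one policy, browsers
    honour the first occurrence and ignore the rest, so this parser does the same.
    """
    directives: "OrderedDict[str, list[str]]" = OrderedDict()
    for raw in policy.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, *sources = raw.split()
        name = name.lower()
        if name not in directives:
            directives[name] = sources
    return directives


def merge_csp(fragments, nonce=None) -> str:
    """Combine several policy fragments into one Content-Security-Policy value.

    Distinct directives are concatenated, which enforces exactly what separate
    headers would. The same directive defined differently in two fragments is
    rejected rather than unioned, because a union would be looser than the
    intersection a browser applies to multiple headers. Any source containing
    the nonce placeholder is filled with the supplied nonce.
    """
    merged: "OrderedDict[str, list[str]]" = OrderedDict()
    for fragment in fragments:
        for name, sources in parse_csp(fragment).items():
            if name not in merged:
                merged[name] = list(sources)
            elif merged[name] != sources:
                raise ValueError(
                    f"conflicting definitions of {name}: {merged[name]!r} vs {sources!r}"
                )

    parts = []
    for name, sources in merged.items():
        filled = []
        for src in sources:
            if NONCE_PLACEHOLDER in src:
                if nonce is None:
                    # Emitting the literal placeholder would be an invalid source
                    # expression; browsers drop it and script-src then allows nothing.
                    raise ValueError(f"{name} uses {NONCE_PLACEHOLDER} but no nonce was given")
                src = src.replace(NONCE_PLACEHOLDER, nonce)
            filled.append(src)
        parts.append(name if not filled else f"{name} {' '.join(filled)}")
    return "; ".join(parts)


# Constructed site-wide fragments mirroring the strict policy quoted in the issue.
SITE_WIDE = [
    "frame-ancestors 'none'; upgrade-insecure-requests;",
    "script-src 'nonce-{RANDOM}';",
    "object-src 'none';",
    "base-uri 'none';",
]


def build_header(page_fragments=(), nonce=None) -> str:
    """Header value for one response: site-wide fragments plus page-specific ones."""
    return merge_csp([*SITE_WIDE, *page_fragments], nonce or new_nonce())


if __name__ == "__main__":
    # A page that embeds a hypothetical origin adds only the directive it needs.
    print(build_header(["frame-src https://embed.example;"]))
```

A page-level fragment that adds a new directive (frame-src for an embed) merges cleanly; a fragment that tries to redefine script-src is rejected, which is the behaviour you want when a single SQL file should not be able to silently widen the site-wide script policy.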

Labels: enhancement (New feature or request)