Overly broad CSP and CORS configuration

[pasdengl]

In its default configuration Fider uses overly broad Content-Security-Policy (CSP) and Cross-Origin-Resource-Sharing (CORS) configurations.

CSP header

I noticed the following exceptions in the Content-Security-Policy header, namely:

• https://fonts.googleapis.com
• https://*.paddle.com
• https://fonts.gstatic.com

The file engine.go specifies the affected CSP directives:

var (
	cspBase    = "base-uri 'self'"
	cspDefault = "default-src 'self'"
	cspStyle   = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.paddle.com %[2]s"
	cspScript  = "script-src 'self' 'nonce-%[1]s' https://www.google-analytics.com https://*.paddle.com %[2]s"
	cspFont    = "font-src 'self' https://fonts.gstatic.com data: %[2]s"
	cspImage   = "img-src 'self' https: data: %[2]s"
	cspObject  = "object-src 'none'"
	cspFrame   = "frame-src 'self' https://*.paddle.com"
	cspMedia   = "media-src 'none'"
	cspConnect = "connect-src 'self' https://www.google-analytics.com %[2]s"

	//CspPolicyTemplate is the template used to generate the policy
	CspPolicyTemplate = fmt.Sprintf("%s; %s; %s; %s; %s; %s; %s; %s; %s; %s", cspBase, cspDefault, cspStyle, cspScript, cspImage, cspFont, cspObject, cspMedia, cspConnect, cspFrame)
)

In a basic setup without external integrations such as Google Analytics and Paddle I do not see any use in allowing those domains.
Additionally, the Google Fonts do not seem to be necessary, as I prohibit cross-origin requests via CORS on my instance of Fider completely and I have no font issues.

I would recommend setting those directives only when the administrator enables the respective features.

This probably also renders the dependency of fetching Google Fonts obsolete:

<link rel="preconnect" href="https://fonts.googleapis.com" />
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />

Reference:

• https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

CORS header

The file cors.go defines the Access-Control-Allow-Origin to allow all cross-origins (*). This allows any domain to perform cross-site requests and read the respective reponses.

fider/app/middlewares/cors.go

Line 11 in a357ddd

c.Response.Header().Set("Access-Control-Allow-Origin", "*")

To set this securely, the environment variable BASE_URL could provide the value.

Reference:

• https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#access-control-allow-origin

[mattwoberts]

Thanks @pasdengl - some good points.

In a basic setup without external integrations such as Google Analytics and Paddle I do not see any use in allowing those domains.
Additionally, the Google Fonts do not seem to be necessary, as I prohibit cross-origin requests via CORS on my instance of Fider completely and I have no font issues.

I agree about paddle, and I think it would make sense to exclude that form the CSP for self hosted instances
For the Google fonts, they are required to serve up the google font we're using - although the fallback font is also pretty good.

Re: The CORS header, we need this for the public API

[pasdengl]

I agree about paddle, and I think it would make sense to exclude that form the CSP for self hosted instances

You could disable this by default and enable it only when a specific environment variable is set (like ENABLE_PADDLE)

For the Google fonts, they are required to serve up the google font we're using - although the fallback font is also pretty good.

Is it possible to serve those from the running instance or does Google require loading its font externally? Maybe the fallback font should be the default and the Google font should be optional?

Re: The CORS header, we need this for the public API

From a security perspective it would make sense to host the public API on a separate subdomain (like api.fider.io) and allow cross-origin requests there. For the main frontend the CORS configuration should be as restrictive as possible, following a deny-by-default configuration.

[mattwoberts]

From a security perspective it would make sense to host the public API on a separate subdomain (like api.fider.io) and allow cross-origin requests there. For the main frontend the CORS configuration should be as restrictive as possible, following a deny-by-default configuration.

That's something the hosted cloud version could do, but I think I'd worry that for a self-host scenario using e.g. docker it would add complexity to configure things?