
Define Content Security Policy

Open xi opened this issue 8 years ago • 9 comments

A Content Security Policy (CSP) tells browsers to restrict some features. For example, it can be used to disallow inline JavaScript. django-csp provides django integration.

It would be nice if we could define a CSP in order to enhance security. The biggest step required for this is to remove all inline JavaScript. In opin, most of the work has already been done in https://github.com/liqd/a4-opin/pull/775. Similar changes should also be implemented here.

xi avatar May 03 '17 09:05 xi

So what CSP do we want? Please add to this list of requirements:

  • I would propose to use default-src 'self' as a baseline. We could also do default-src 'none' to be even more strict, but I don't think this is necessary.
  • We often use inline style="background-image: url(…)". There could be ways around this, but maybe it is just ok to allow unsafe-inline styles.
  • Maps need to load their tiles, so we need to add the tileserver to img-src.
  • We allow to include images in rich text fields. So we probably need img-src *. (Need to check CKEditor and Wagtail)
  • django-debug-toolbar loads jquery from http://ajax.googleapis.com and has an inline image. This is only relevant for development, but still we need to think about this.
  • We use webpack with devtool: 'eval'. eval() is forbidden by default. So we need to either switch to a slower mechanism for sourcemaps or have different webpack config for development and production.
  • The frame-ancestors option can be useful to prevent clickjacking, but we need to support embedding.

So here is a full CSP (for production) that you can drop into your base template:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *">

xi avatar Oct 30 '17 15:10 xi

A note on development setup: There is also the Content-Security-Policy-Report-Only header that reports violations but does not stop them.

xi avatar Oct 30 '17 15:10 xi

Thanks for the issue :+1:

We often use inline style="background-image: url(…)". There could be ways around this, but maybe it is just ok to allow unsafe-inline styles.

Inline styles might get ugly from a security point of view.

mkind avatar Nov 01 '17 12:11 mkind

AFAIK CSP has an option to prevent clickjacking, too. We might also take this into account.

mkind avatar Nov 01 '17 13:11 mkind

AFAIK CSP has an option to prevent clickjacking, too. We might also take this into account.

The trouble is that we explicitly want clickjacking (aka embedding).

xi avatar Nov 01 '17 15:11 xi

Not sure where to document meinBerlin-specific issues. Please move this if it is at the wrong place:

  • In meinBerlin the preview image for upload fields is defined as src="data:image/gif;base64,.. which is not allowed by the current policy, but can be allowed by setting img-src * data:
  • In meinBerlin the bplan api is queried to look up the coordinates of addresses. To allow access it is required to set connect-src 'self' https://bplan-prod.liqd.net

So the full CSP for meinBerlin would be: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src * data:; connect-src 'self' https://bplan-prod.liqd.net">

kleingeist avatar Nov 08 '17 10:11 kleingeist
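To make the policies in this thread easier to compare and to keep them consistent across deployments, here is an added example (not code from adhocracy4, django-csp or any of the commenters) that assembles xi's production policy from a directive table, applies kleingeist's meinBerlin additions on top of it, and switches between the enforcing header and the Content-Security-Policy-Report-Only header mentioned for development. The directive order, the policy dictionaries and the `report_uri` parameter are assumptions of this example; only the resulting policy strings come from the thread.

```python
"""Build and serialize the Content-Security-Policy discussed in this issue.

Constructed example: a small, framework-independent policy builder. The
policies below are copied from the thread; everything else is illustrative.
"""
from typing import Dict, List, Mapping, Optional, Tuple

# Serialization order chosen so the output matches the strings in the thread.
ORDER = ["default-src", "script-src", "style-src", "img-src",
         "connect-src", "frame-ancestors"]

# xi's proposed production baseline.
BASE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    # inline style="background-image: url(...)" is still used in templates
    "style-src": ["'self'", "'unsafe-inline'"],
    # rich-text images and map tiles may come from anywhere
    "img-src": ["*"],
}

# kleingeist's meinBerlin additions (data: preview images, bplan API lookups).
MEINBERLIN_EXTRA: Dict[str, List[str]] = {
    "img-src": ["data:"],
    "connect-src": ["'self'", "https://bplan-prod.liqd.net"],
}


def merge_policy(base: Mapping[str, List[str]],
                 extra: Mapping[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy of `base` with the sources of `extra` appended per directive."""
    merged = {directive: list(sources) for directive, sources in base.items()}
    for directive, sources in extra.items():
        existing = merged.setdefault(directive, [])
        for source in sources:
            if source not in existing:
                existing.append(source)
    return merged


def serialize_policy(policy: Mapping[str, List[str]]) -> str:
    """Render a policy dict as the header/meta value: 'dir src src; dir src'."""
    known = [d for d in ORDER if d in policy]
    unknown = sorted(d for d in policy if d not in ORDER)
    return "; ".join(f"{d} {' '.join(policy[d])}" for d in known + unknown)


def parse_policy(value: str) -> Dict[str, List[str]]:
    """Inverse of serialize_policy, tolerant of extra whitespace."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def csp_header(policy: Mapping[str, List[str]], report_only: bool = False,
               report_uri: Optional[str] = None) -> Tuple[str, str]:
    """Return (header name, header value).

    report_only=True selects Content-Security-Policy-Report-Only, which only
    reports violations; report_uri (hypothetical endpoint) is where they go.
    """
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    value = serialize_policy(policy)
    if report_uri:
        value += f"; report-uri {report_uri}"
    return name, value


def meta_tag(policy: Mapping[str, List[str]]) -> str:
    """Render the policy as the <meta> element used in the thread."""
    return ('<meta http-equiv="Content-Security-Policy" '
            f'content="{serialize_policy(policy)}">')


if __name__ == "__main__":
    print(meta_tag(BASE_POLICY))
    print(meta_tag(merge_policy(BASE_POLICY, MEINBERLIN_EXTRA)))
    print(csp_header(BASE_POLICY, report_only=True, report_uri="/csp-report/"))
```

Two caveats when choosing between the meta element and the HTTP header: browsers ignore `frame-ancestors` (the clickjacking/embedding directive from the requirement list) and `report-uri` when delivered via `<meta>`, and the report-only mode exists only as the HTTP header. For those, the policy has to be set on the response, which is what django-csp's middleware does.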

I like the idea of having a policy per view. This seems to be quite convenient via the decorators. This allows us to have a maximally restrictive policy.

mkind avatar Dec 04 '17 11:12 mkind

Instead of using unsafe-inline, we should use whitelisting via nonces or hashes. There is a django-csp-nonce app to do so.

mkind avatar Dec 04 '17 11:12 mkind

There is an issue for nonce support in django-csp.

mkind avatar Dec 05 '17 11:12 mkind
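To illustrate mkind's suggestion of whitelisting via nonces or hashes instead of `'unsafe-inline'`, here is an added example (not code from adhocracy4, django-csp or django-csp-nonce) that generates a per-response nonce for scripts, computes the `'sha256-...'` source for a fixed inline style, and lints a policy dict for the sources that weaken it. The `lint_policy` function, the sample policy and the inline style text are constructed for this example.

```python
"""Nonce and hash sources as a replacement for 'unsafe-inline'.

Constructed example. A nonce must be fresh per response and unguessable; a
hash whitelists one exact inline block and suits static snippets such as a
fixed background-image style.
"""
import base64
import hashlib
import secrets
from typing import Dict, List, Mapping

# Sources that make a script-src/style-src effectively permissive.
WEAKENING = {"'unsafe-inline'", "'unsafe-eval'"}


def make_nonce(nbytes: int = 16) -> str:
    """Return a base64 nonce with `nbytes` of CSPRNG entropy (24 chars for 16 bytes)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def sha256_source(inline_content: str) -> str:
    """CSP hash source for an inline block: sha256 over its exact UTF-8 bytes."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_with_nonce(nonce: str) -> List[str]:
    """script-src that allows 'self' plus scripts carrying this response's nonce."""
    return ["'self'", f"'nonce-{nonce}'"]


def style_src_with_hashes(inline_styles: List[str]) -> List[str]:
    """style-src that allows 'self' plus exactly the given inline style blocks."""
    return ["'self'"] + [sha256_source(s) for s in inline_styles]


def render_script(nonce: str, body: str) -> str:
    """Inline <script> that the nonce in script-src will permit."""
    return f'<script nonce="{nonce}">{body}</script>'


def lint_policy(policy: Mapping[str, List[str]]) -> Dict[str, List[str]]:
    """Return {directive: [weakening sources]} for the directives that matter.

    'unsafe-eval' is also flagged because webpack's devtool: 'eval' (from the
    requirement list) would need it, which should stay out of production.
    """
    findings: Dict[str, List[str]] = {}
    for directive in ("default-src", "script-src", "style-src"):
        bad = sorted(s for s in policy.get(directive, []) if s in WEAKENING)
        if bad:
            findings[directive] = bad
    return findings


# Constructed sample: the production policy from this thread as a dict.
THREAD_POLICY = {
    "default-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["*"],
}


def hardened_policy(nonce: str, inline_styles: List[str]) -> Dict[str, List[str]]:
    """Same policy with nonce/hash sources in place of 'unsafe-inline'."""
    policy = {k: list(v) for k, v in THREAD_POLICY.items()}
    policy["script-src"] = script_src_with_nonce(nonce)
    policy["style-src"] = style_src_with_hashes(inline_styles)
    return policy


if __name__ == "__main__":
    nonce = make_nonce()
    print(lint_policy(THREAD_POLICY))
    print(hardened_policy(nonce, ["background-image: url(/static/hero.jpg)"]))
    print(render_script(nonce, "console.log('allowed by nonce');"))
```

The hash approach only works for inline blocks whose bytes are identical on every request, so the `style="background-image: url(…)"` attributes with per-object URLs from the requirement list would each need their own hash or a different markup strategy (for example a class plus a stylesheet served from 'self'). Note also that a nonce must never be reused across responses; if it can be predicted or read back by an injected script, it gives no protection.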

moved to story

fuzzylogic2000 avatar Mar 07 '23 11:03 fuzzylogic2000