
CSP improvements

Open nijel opened this issue 9 years ago • 1 comments

1. CSP Improvements (for WebSite)

https://www.phpmyadmin.net/ returns the following CSP header:

content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/; img-src 'self' https://www.google-analytics.com/ https://www.paypalobjects.com/; style-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'

2.1) Change Google Analytics loading

The current Google Analytics code requires 'unsafe-inline' in script-src.

fix: (by applying either of the options below, 'unsafe-inline' can be removed from script-src) move the inline code into an external file https://stackoverflow.com/questions/30939809/google-analytics-js-and-content-security-policy or generate a hash for the inline script: https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

2.2) Dynamic CSP usage

The https://www.paypalobjects.com/ in img-src is needed only in some pages, such as:

    https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/donate.html#L31
    https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/sponsors.html#L126

2.3) More Strict CSP Policy

The form action attribute (pointing to https://www.paypal.com/) is used in the pages below: https://github.com/phpmyadmin/website/blob/92720e9120eee45b6872b535bb0c85c342e7772c/pmaweb/templates/donate.html#L22 https://github.com/phpmyadmin/website/blob/0da92e1c0fb1f00cfe9edad922b52dc22573fb74/pmaweb/templates/sponsors.html#L113 thus use the form-action directive to white-list action locations https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives#form-action

1. Missing CSP Policy

Visiting https://www.phpmyadmin.net/fff/ results in:

No CSP policy is sent, and the page also loads JavaScript from https://linkhelp.clients.google.com/ (needs to be added to the script-src directive) https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/404.html#L23

nijel · Sep 16 '16 13:09
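A per-request policy builder covering points 2.1 to 2.3 above (a CSP2 hash-source instead of 'unsafe-inline', PayPal sources only on the pages that need them, and form-action), as an added Python example that is not part of the phpMyAdmin website code; the page paths and the inline script text are assumptions made for this example.

```python
import base64
import hashlib

# Constructed stand-in for the Google Analytics snippet; the real one lives in
# the site's templates and is not reproduced here.
INLINE_SCRIPT = "window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};"

# Pages that embed PayPal images and forms (paths are an assumption).
PAYPAL_PAGES = {"/donate/", "/sponsors/"}


def script_hash(source: str) -> str:
    """CSP2 hash-source for an inline <script> body: 'sha256-<base64 digest>'.

    The hashed text must be byte-identical to the element's content
    (whitespace included), otherwise the browser refuses to run it.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(path: str, inline_scripts=()) -> str:
    """Assemble the policy for one request: no 'unsafe-inline' in script-src,
    one hash per whitelisted inline script, PayPal hosts only where used."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://www.google-analytics.com/"]
        + [script_hash(s) for s in inline_scripts],
        "img-src": ["'self'", "https://www.google-analytics.com/",
                    "https://stats.g.doubleclick.net"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "child-src": ["'none'"],
        "object-src": ["'none'"],
        # Forms may only be submitted back to the site unless a page opts in.
        "form-action": ["'self'"],
    }
    if path in PAYPAL_PAGES:
        directives["img-src"].append("https://www.paypalobjects.com/")
        directives["form-action"].append("https://www.paypal.com/")
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


if __name__ == "__main__":
    print(build_csp("/donate/", [INLINE_SCRIPT]))
    print(build_csp("/downloads/"))
```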

1. CSP Violation Issues in WebSite

On Chrome:

Visiting: https://www.phpmyadmin.net/downloads/

Result in the console:

Refused to load the image 'https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-2718724-14&cid=231898991.1468598139&jid=2067451453&_v=j44&z=2118007049' because it violates the following Content Security Policy directive: "img-src 'self' https://www.google-analytics.com/ https://www.paypalobjects.com/".

fix: add https://stats.g.doubleclick.net to img-src directive.

nijel · Sep 16 '16 13:09