Add CSP headers #5014

TAINCER · 2023-03-21T09:58:05Z

No description provided.

lippserd

In addition to the requested changes please:

Remove all whitespace changes that are not related to the code you introduce.
Regenerate the nonce if it's not an AJAX request.

application/forms/Config/General/ApplicationConfigForm.php

library/Icinga/Util/CspHeader.php

lippserd · 2023-03-28T13:03:34Z

library/Icinga/Web/Response.php

+        $useCsp = (bool) Config::app()->get('security', 'use_csp', false);
+
+        if ($useCsp) {
+            $this->setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubdomains; preload', true);


Why all the other headers?

I've used these headers. Since most of these are for blocking XSS, I assumed that we would want all of them. These of course are more restrictive, I can also only include Content-Security-Policy, if we don't want the rest.

Since those headers are easily configureable via the web server, I would not add them here.

Could this be clarified in the docs? Possibly linking to it in the description when setting up CSP? Since this seems to be best practice.

library/Icinga/Util/CspHeader.php

TAINCER · 2023-03-28T14:29:30Z

Regenerate the nonce if it's not an AJAX request.

I did this at first, but when column page contents are being loaded, they are not considered a XML Request $this->getRequest()->isXmlHttpRequest(); (called from Response.php). That's the main reason why I ended up persisting the nonce throughout the session.

lippserd · 2023-03-28T14:59:19Z

Regenerate the nonce if it's not an AJAX request.

I did this at first, but when column page contents are being loaded, they are not considered a XML Request $this->getRequest()->isXmlHttpRequest(); (called from Response.php). That's the main reason why I ended up persisting the nonce throughout the session.

How is that possible? Do you have proof? Everything would fall apart, if they weren't AJAX requests.

TAINCER · 2023-03-28T15:28:35Z

I just rechecked. Now it always returns true with XHR Requests, my bad. I think I first tested this when some Javascript was still blocked by CSP.

library/Icinga/Web/Response.php

library/Icinga/Util/CspHeader.php

library/Icinga/Web/Response.php

application/forms/Config/General/ApplicationConfigForm.php

library/Icinga/Util/Csp.php

TAINCER self-assigned this Mar 21, 2023

cla-bot bot added the cla/signed label Mar 21, 2023

TAINCER changed the base branch from master to fix-csp-errors March 21, 2023 09:58

TAINCER force-pushed the AddCspHeaders branch 2 times, most recently from e2c4535 to 868d513 Compare March 22, 2023 13:04

TAINCER marked this pull request as ready for review March 23, 2023 09:35

TAINCER requested a review from lippserd March 23, 2023 09:35

TAINCER changed the base branch from fix-csp-errors to master March 23, 2023 09:38

TAINCER force-pushed the AddCspHeaders branch 5 times, most recently from 613b971 to bfcb294 Compare March 23, 2023 10:05

TAINCER mentioned this pull request Mar 23, 2023

Use nonce for inline CSS with CSP header Icinga/icingadb-web#725

Closed

lippserd requested changes Mar 28, 2023

View reviewed changes

TAINCER force-pushed the AddCspHeaders branch from bfcb294 to b2ae0a7 Compare March 28, 2023 14:21

TAINCER force-pushed the AddCspHeaders branch from 376ebd9 to dcf1856 Compare March 28, 2023 14:38

TAINCER mentioned this pull request Mar 28, 2023

Fix CSP Errors #5009

Closed

TAINCER force-pushed the AddCspHeaders branch 2 times, most recently from b8a21cc to 154d14b Compare March 29, 2023 08:59

TAINCER requested a review from lippserd March 29, 2023 09:01

TAINCER force-pushed the AddCspHeaders branch from 154d14b to 2e34a11 Compare March 29, 2023 15:05

lippserd requested changes Mar 30, 2023

View reviewed changes

library/Icinga/Web/Response.php Outdated Show resolved Hide resolved

library/Icinga/Util/CspHeader.php Outdated Show resolved Hide resolved

library/Icinga/Web/Response.php Outdated Show resolved Hide resolved

TAINCER force-pushed the AddCspHeaders branch from 36716f4 to 8eb03b4 Compare March 30, 2023 14:09

TAINCER requested a review from lippserd March 30, 2023 14:09

TAINCER force-pushed the AddCspHeaders branch from 8eb03b4 to 8ac1ec9 Compare March 30, 2023 14:34

lippserd requested changes Mar 30, 2023

View reviewed changes

TAINCER force-pushed the AddCspHeaders branch from 8ac1ec9 to b7e044b Compare March 30, 2023 15:20

ApplicationConfigForm: Add security_use_csp

6f29a52

TAINCER force-pushed the AddCspHeaders branch from b7e044b to 5b7a47b Compare March 30, 2023 15:21

TAINCER requested a review from lippserd March 30, 2023 15:21

TAINCER force-pushed the AddCspHeaders branch from 5b7a47b to 74513f3 Compare March 30, 2023 15:22

Timm Ortloff added 2 commits March 30, 2023 17:25

Add Csp

481393e

Response: Add csp headers with nonce

3554147

TAINCER force-pushed the AddCspHeaders branch from 74513f3 to 3554147 Compare March 30, 2023 15:25

TAINCER requested a review from nilmerg March 31, 2023 07:50

nilmerg unassigned TAINCER Aug 28, 2023

nilmerg removed request for lippserd and nilmerg August 28, 2023 15:08

nilmerg closed this Aug 28, 2023

nilmerg deleted the AddCspHeaders branch August 28, 2023 15:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CSP headers #5014

Add CSP headers #5014

TAINCER commented Mar 21, 2023

lippserd left a comment

lippserd Mar 28, 2023

TAINCER Mar 28, 2023

lippserd Mar 28, 2023

TAINCER Mar 28, 2023

TAINCER commented Mar 28, 2023

lippserd commented Mar 28, 2023

TAINCER commented Mar 28, 2023

Add CSP headers #5014

Add CSP headers #5014

Conversation

TAINCER commented Mar 21, 2023

lippserd left a comment

Choose a reason for hiding this comment

lippserd Mar 28, 2023

Choose a reason for hiding this comment

TAINCER Mar 28, 2023

Choose a reason for hiding this comment

lippserd Mar 28, 2023

Choose a reason for hiding this comment

TAINCER Mar 28, 2023

Choose a reason for hiding this comment

TAINCER commented Mar 28, 2023

lippserd commented Mar 28, 2023

TAINCER commented Mar 28, 2023