-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement Content Security Policy (CSP) #1190
Comments
I already had a try at it some time ago, but it introduced errors at that time so we rolled it back: 4bdd947 😓 |
I tried https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/ and it is really interesting to see how the CSP evolves as you record a session on a PeerTube instance. Kudos to that neat extension. Unsurprisingly, What is interesting is the What do you think about the following? contentSecurityPolicy: {
directives: {
defaultSrc: ['*'],
mediaSrc: ["'self'"],
fontSrc: ["'self' data:"],
imgSrc: ["'self' data:"],
scriptSrc: ["'self' 'unsafe-inline'"],
styleSrc: ["'self' 'unsafe-inline'"]
}
} |
To be honest I have no idea how CSP works, other than the article I linked above. But it's probably better to have a basic policy than having nothing. And you should also be able to limit |
// Security middleware
app.use(helmet({
frameguard: {
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
},
hsts: false,
contentSecurityPolicy: {
directives: {
defaultSrc: ['*'], // by default, not specifying default-src = '*'
mediaSrc: ["'self'"],
fontSrc: ["'self' data:"],
imgSrc: ["'self' data:"],
scriptSrc: ["'self' 'unsafe-inline'"],
styleSrc: ["'self' 'unsafe-inline'"],
objectSrc: ["'none'"],
pluginTypes: ["'none'"],
manifestSrc: ["'self'"],
frameSrc: ["'none'"], // instead of deprecated child-src
workerSrc: ["'self'"], // instead of deprecated child-src
upgradeInsecureRequests: true
},
browserSniff: false // assumes a modern browser, but allows CDN in front
},
referrerPolicy: {
policy: 'strict-origin-when-cross-origin'
}
})) That should be a correct configuration of the CSP (and bonus referrerPolicy to test too) - but would need to be tested on a live instance first. |
How about merging this for the next release with |
I don't think testing through releases is a good process… and we've frozen merges (except bugfixes) until the next release anyway. |
I could test it on my instance, but I'm not sure how to compile Peertube for development (without breaking anything). And it would still need some way to log the violations on the server. |
Please don't test it on your instance, that's too hazardous, especially with an instance that big. I'll check how to create a reporting endpoint. |
It should be fine to test with |
You could use https://gist.github.com/rigelk/54b798bf8098fde431330b3868db133f with https://github.com/mozilla/csp-logger in standalone mode. Since we're only modifying |
@rigelk you don't need a reporting endpoint. using chrome/chromium, you also will get nice error messages. |
@Nutomic by debug mode, your mean developing it locally on your computer with |
@rigelk ah okay, I was only checking localhost:3000. I have it configured now, and it already reported an error:
|
Ah right, Angular uses eval, so |
Okay that seems to fix it, no more errors so far after clicking around a bit. I hope there's some way to get rid of the eval usage. Here's a relevant issue, apparently the eval is solved already in Angular: angular/angular#19142 |
As said in the last issue you linked, using AOT and removing |
Meanwhile, I have tested live the CSP configuration I previously suggested and completed it to achieve the following: contentSecurityPolicy: {
directives: {
defaultSrc: ["'none'"], // by default, not specifying default-src = '*'
connectSrc: ['*'],
mediaSrc: ["'self'"],
fontSrc: ["'self' data:"],
imgSrc: ["'self' data:"],
scriptSrc: ["'self' 'unsafe-inline' 'unsafe-eval'"],
styleSrc: ["'self' 'unsafe-inline'"],
objectSrc: ["'none'"],
formAction: ["'self'"],
frameAncestors: ["'*'"],
baseUri: ["'none'"],
pluginTypes: ["'none'"],
manifestSrc: ["'self'"],
frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
workerSrc: ["'self'"], // instead of deprecated child-src
upgradeInsecureRequests: true
},
browserSniff: false // assumes a modern browser, but allows CDN in front
}, Hopefully we're close to a good first implementation :) |
@rigelk Can you paste the raw header please? |
@Nutomic |
Edit: I guess we also need to set
Edit2: Weird, it's still reporting the same error with
And another violation for embeds:
|
Great! Thanks for the feedback @Nutomic - the Let me try to improve that tomorrow. |
With the fixes suggested by @Nutomic, I realised we're using frame-ancestors: Right now we're using EDIT: it's a bit complicated, so I suggest we make a first version without |
Finally I managed to replicate it 🙂 |
I also managed to remove |
This would improve the security, and prevent XSS attacks. Here's a good overview:
https://www.html5rocks.com/en/tutorials/security/content-security-policy/
Also check out these links:
https://infosec.mozilla.org/guidelines/web_security#content-security-policy
https://observatory.mozilla.org/analyze.html?host=peertube.social
The text was updated successfully, but these errors were encountered: