New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial draft of headers #483
base: master
Are you sure you want to change the base?
Conversation
Includes settings for cookies fixes #179
@lansuite/lansuite-developers : It would be good you give the proposal a try. |
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
(removing from milestone, as not critical and no feedback received so far) |
I am planning to review, check and test this one soon. |
I think some additional work needs to be done on this, as current values prevent external inclusions that would be needed for gmaps, analytics and I think also discord. |
I am sure there is a right set of attributes to allow / whitelist external includes. Let me check a bit about this.
I may not understand how EDIT: I got the reference with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a deeper look and this might need a bit of more work. See my code comments.
@@ -9,7 +9,7 @@ function imageAuthCode($width, $height) { | |||
$auth_code = md5($auth_code); | |||
$auth_code = substr($auth_code, 0, 5); | |||
$auth_code = strtoupper($auth_code); | |||
setcookie('image_auth_code', md5($auth_code), time()+60*60 , '/'); | |||
setcookie('image_auth_code', md5($auth_code), time()+60*60 , '/',"",$_SERVER['HTTPS'] == 'on' ? true : false, true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the HTTPS detection, we should use isSecure()
by HttpFoundation, see https://github.com/symfony/http-foundation/blob/439fdfdd344943254b1ef6278613e79040548045/Request.php#L1043
It respects also proxies and loadbalancers.
I know, this might be tricky in the captcha here, but maybe we should switch to another captcha lib in this phase.
@@ -715,7 +715,7 @@ private function cookie_set() | |||
setcookie( | |||
$this->cookie_name, | |||
$this->cookiedata_pack(), | |||
['expires' => time()+3600*24*$this->cookie_time, 'path' => $this->cookie_path, 'domain' => $this->cookie_domain] | |||
['expires' => time()+3600*24*$this->cookie_time, 'path' => $this->cookie_path, 'domain' => $this->cookie_domain, 'secure' => $_SERVER['HTTPS'] == 'on' ? true : false, 'httponly' => true] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See HTTPS detection comment above - https://github.com/symfony/http-foundation/blob/439fdfdd344943254b1ef6278613e79040548045/Request.php#L1043
header('Referrer-Policy: no-referrer'); | ||
header("'Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self';"); | ||
// Enforce HSTS if browsing via HTTPS | ||
if ($_SERVER['HTTPS']=='on') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment on HTTPS detection - https://github.com/symfony/http-foundation/blob/439fdfdd344943254b1ef6278613e79040548045/Request.php#L1043
@@ -114,6 +114,15 @@ | |||
|
|||
// Set HTTP-Headers | |||
header('Content-Type: text/html; charset=utf-8'); | |||
header('X-Frame-Options: sameorigin'); | |||
header('X-XSS-Protection: 1; mode=block'); | |||
header('X-Content-Type-Options: nosniff'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea of this header is great and I like the idea. However, according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options it says
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed.
I am not aware that we are sending proper mime types in every request. However, I see this as a pre-requisite to make use of this header (and keep this system working).
My suggestion: Commenting this header out for a later use once we got more confidence sending the right mime types
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have more confidence that the right mime types are being sent, as a mapping is done by the webserver anyways based on file extension unless specifically told not do do so by configuration or overridden.
LS does set MIME-type specifically for file downloads e.g. in the gallery (see modules/picgallery/download.php)
So I see no issue with setting that (and also was not able to find one in superficial tests), but fine to leave it out for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
header('X-Content-Type-Options: nosniff'); | |
// TODO: This header is still useful - Once we verified to send the correct MIME types, enable this header | |
// header('X-Content-Type-Options: nosniff'); |
header('X-XSS-Protection: 1; mode=block'); | ||
header('X-Content-Type-Options: nosniff'); | ||
header('Referrer-Policy: no-referrer'); | ||
header("'Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self';"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be tricky with the external libraries we include. We may need to specify domains on this one, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#example_3
I am not sure if this works.
What do you think about starting learn and only going with default-src 'self'
at first?
That is a yes if you meant the response object and the related options / functions to manipulate headers in the response I'm in doubt if that is an easy implementation given the output buffer management done via LS and Smarty, so we may be better to use native functions or just a adequate wrapper for our management for now. |
Yes, I mean using the
Oh, we should use the lib to send the respective response headers. The challenge here: We don't use the response object at all right now.
I am in line with you. My suggestion: Merging these headers once we clarified the details. Migrating to the response object at some later point in time. This might be a bigger change. |
Co-authored-by: Andy Grunwald <andygrunwald@gmail.com>
Co-authored-by: Andy Grunwald <andygrunwald@gmail.com>
Actually...
|
Quality Gate passedIssues Measures |
@M4LuZ Your suggestion sounds reasonable. However, I am more in favor of
Why?
|
I'm all in favor of getting a working solution out of the door, but current solution does not cover this yet:
So we either need to use default values for CSP that allow basically everything (which is not a good idea) oder at least add header overrides to related functions. Overwriting the referrer-option may also be needed for gmaps, as I think one of the recommendations is to restrict use of API keys to a site (which then needs to be checked via client referrer) Also I see the level of code a bit differently:
|
I think you missed my point. To make a start, I have created:
Those Pull Requests provide a bit of value and we still can continue to work on the CSP header. |
Yes, I misunderstood, sorry. Will then include suggestions and remove headers covered by the spin-off tickets. |
With manageable you mean that modules can modify these headers? |
We need at absolute minimum to have a modified CSP in place for:
But that is no biggie, will put that on the to-do list with the other pending changes |
Ahh, I see you did already most of the changes needed in the spin-off tickets. |
I suggest to first, merging the spin-off PRs and keep this open as a reminder to work on the CSP header. |
Includes settings for cookies
fixes #179