Initial draft of headers #483
Conversation
Includes settings for cookies fixes #179
M4LuZ
added
the
security issue
|
@lansuite/lansuite-developers : It would be good you give the proposal a try. |
|
Kudos, SonarCloud Quality Gate passed!
|
|
Kudos, SonarCloud Quality Gate passed!
|
|
Kudos, SonarCloud Quality Gate passed!
|
|
Kudos, SonarCloud Quality Gate passed!
|
|
(removing from milestone, as not critical and no feedback received so far) |
|
I am planning to review, check and test this one soon. |
|
I think some additional work needs to be done on this, as current values prevent external inclusions that would be needed for gmaps, analytics and I think also discord. |
I am sure there is a right set of attributes to allow / whitelist external includes. Let me check a bit about this.
I may not understand how EDIT: I got the reference with |
| @@ -9,7 +9,7 @@ function imageAuthCode($width, $height) { | |||
| $auth_code = md5($auth_code); | |||
| $auth_code = substr($auth_code, 0, 5); | |||
| $auth_code = strtoupper($auth_code); | |||
| setcookie('image_auth_code', md5($auth_code), time()+60*60 , '/'); | |||
| setcookie('image_auth_code', md5($auth_code), time()+60*60 , '/',"",$_SERVER['HTTPS'] == 'on' ? true : false, true); | |||
There was a problem hiding this comment.
For the HTTPS detection, we should use isSecure() by HttpFoundation, see https://github.com/symfony/http-foundation/blob/439fdfdd344943254b1ef6278613e79040548045/Request.php#L1043
It respects also proxies and loadbalancers.
I know, this might be tricky in the captcha here, but maybe we should switch to another captcha lib in this phase.
| @@ -715,7 +715,7 @@ private function cookie_set() | |||
| setcookie( | |||
| $this->cookie_name, | |||
| $this->cookiedata_pack(), | |||
| ['expires' => time()+3600*24*$this->cookie_time, 'path' => $this->cookie_path, 'domain' => $this->cookie_domain] | |||
| ['expires' => time()+3600*24*$this->cookie_time, 'path' => $this->cookie_path, 'domain' => $this->cookie_domain, 'secure' => $_SERVER['HTTPS'] == 'on' ? true : false, 'httponly' => true] | |||
There was a problem hiding this comment.
See HTTPS detection comment above - https://github.com/symfony/http-foundation/blob/439fdfdd344943254b1ef6278613e79040548045/Request.php#L1043
| header('Referrer-Policy: no-referrer'); | ||
| header("'Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self';"); | ||
| // Enforce HSTS if browsing via HTTPS | ||
| if ($_SERVER['HTTPS']=='on') { |
There was a problem hiding this comment.
Same comment on HTTPS detection - https://github.com/symfony/http-foundation/blob/439fdfdd344943254b1ef6278613e79040548045/Request.php#L1043
| @@ -114,6 +114,15 @@ | |||
|
|
|||
| // Set HTTP-Headers | |||
| header('Content-Type: text/html; charset=utf-8'); | |||
| header('X-Frame-Options: sameorigin'); | |||
| header('X-XSS-Protection: 1; mode=block'); | |||
| header('X-Content-Type-Options: nosniff'); | |||
There was a problem hiding this comment.
The idea of this header is great and I like the idea. However, according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options it says
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed.
I am not aware that we are sending proper mime types in every request. However, I see this as a pre-requisite to make use of this header (and keep this system working).
My suggestion: Commenting this header out for a later use once we got more confidence sending the right mime types
There was a problem hiding this comment.
I have more confidence that the right mime types are being sent, as a mapping is done by the webserver anyways based on file extension unless specifically told not do do so by configuration or overridden.
LS does set MIME-type specifically for file downloads e.g. in the gallery (see modules/picgallery/download.php)
So I see no issue with setting that (and also was not able to find one in superficial tests), but fine to leave it out for now
There was a problem hiding this comment.
| header('X-Content-Type-Options: nosniff'); | |
| // TODO: This header is still useful - Once we verified to send the correct MIME types, enable this header | |
| // header('X-Content-Type-Options: nosniff'); |
| header('X-XSS-Protection: 1; mode=block'); | ||
| header('X-Content-Type-Options: nosniff'); | ||
| header('Referrer-Policy: no-referrer'); | ||
| header("'Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self';"); |
There was a problem hiding this comment.
This might be tricky with the external libraries we include. We may need to specify domains on this one, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#example_3
I am not sure if this works.
What do you think about starting learn and only going with default-src 'self' at first?
That is a yes if you meant the response object and the related options / functions to manipulate headers in the response I'm in doubt if that is an easy implementation given the output buffer management done via LS and Smarty, so we may be better to use native functions or just a adequate wrapper for our management for now. |
Yes, I mean using the
Oh, we should use the lib to send the respective response headers. The challenge here: We don't use the response object at all right now.
I am in line with you. My suggestion: Merging these headers once we clarified the details. Migrating to the response object at some later point in time. This might be a bigger change. |
Co-authored-by: Andy Grunwald <andygrunwald@gmail.com>
Co-authored-by: Andy Grunwald <andygrunwald@gmail.com>
Actually...
|
|
|
@M4LuZ Your suggestion sounds reasonable. However, I am more in favor of
Why?
|
|
I'm all in favor of getting a working solution out of the door, but current solution does not cover this yet:
So we either need to use default values for CSP that allow basically everything (which is not a good idea) oder at least add header overrides to related functions. Overwriting the referrer-option may also be needed for gmaps, as I think one of the recommendations is to restrict use of API keys to a site (which then needs to be checked via client referrer) Also I see the level of code a bit differently:
|
I think you missed my point. To make a start, I have created:
Those Pull Requests provide a bit of value and we still can continue to work on the CSP header. |
|
Yes, I misunderstood, sorry. Will then include suggestions and remove headers covered by the spin-off tickets. |
With manageable you mean that modules can modify these headers? |
|
We need at absolute minimum to have a modified CSP in place for:
But that is no biggie, will put that on the to-do list with the other pending changes |
|
Ahh, I see you did already most of the changes needed in the spin-off tickets. |
I suggest to first, merging the spin-off PRs and keep this open as a reminder to work on the CSP header. |
Includes settings for cookies
fixes #179