Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CSP so that the policy can be enforced and not just report only #346

Open
dalelane opened this issue Nov 5, 2020 · 3 comments
Open

Fix CSP so that the policy can be enforced and not just report only #346

dalelane opened this issue Nov 5, 2020 · 3 comments

Comments

@dalelane
Copy link
Member

dalelane commented Nov 5, 2020
edited
Loading

image

The CSP policy currently used is not correct.

taxinomitis/src/lib/restapi/config.ts

Lines 43 to 90 in 3d32953

export const CSP_DIRECTIVES = {
defaultSrc: ["'self'", "'unsafe-inline'",
'http://cdn.auth0.com',
'https://cdn.auth0.com',
'https://cdn.eu.auth0.com',
'https://unpkg.com',
'https://storage.googleapis.com',
'https://www.google-analytics.com',
],
styleSrc: ["'self'", "'unsafe-inline'",
'https://ton.twimg.com',
'https://platform.twitter.com',
],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'",
'http://cdn.auth0.com',
'https://cdn.auth0.com',
'https://cdn.eu.auth0.com',
'https://unpkg.com',
'https://storage.googleapis.com',
'http://embed-assets.wakelet.com',
'http://platform.twitter.com',
'https://cdn.syndication.twimg.com',
'https://www.youtube.com',
'https://player.vimeo.com',
'https://www.google-analytics.com',
'https://www.googletagmanager.com',
'https://browser.sentry-cdn.com',
'https://d3js.org',
],
frameSrc: ["'self'",
'http://embed.wakelet.com',
'https://syndication.twitter.com',
'https://platform.twitter.com',
'https://www.youtube.com',
'https://player.vimeo.com'
],
imgSrc: ["'self'",
'https://auth0.com',
'http://cdn.auth0.com',
'https://cdn.auth0.com',
'https://cdn.eu.auth0.com',
'https://pbs.twimg.com',
'https://ton.twimg.com',
'https://platform.twitter.com',
'https://syndication.twitter.com',
'data:',
],
};

This was brought to light after a recent version update of the helmet module. To avoid breakages, the CSP was switched to report-only as a temporary workaround.

taxinomitis/src/lib/restapi/index.ts

Lines 42 to 44 in e665e30

contentSecurityPolicy: {
// TODO : https://github.com/IBM/taxinomitis/issues/346 will remove this
reportOnly : true,

The CSP needs to be fixed so that the enforcement can be re-enabled.
@dalelane dalelane changed the title Fix CSP policy so that the policy can be enforced and not just report only Fix CSP so that the policy can be enforced and not just report only Nov 5, 2020
@dalelane dalelane mentioned this issue Nov 9, 2020
Closed
dalelane added a commit that referenced this issue Nov 25, 2020
@dalelane
chore: Check what CSP errors need investigating
e665e30 
Contributes to: #346

Signed-off-by: Dale Lane <[email protected]>
@dalelane
Copy link
Member Author

taxinomitis/src/lib/restapi/config.ts

Lines 52 to 54 in e665e30

styleSrc: ["'self'",
// TODO : https://github.com/IBM/taxinomitis/issues/346 should remove this
"'unsafe-inline'",

@dalelane
Copy link
Member Author

taxinomitis/src/lib/restapi/config.ts

Lines 59 to 62 in e665e30

scriptSrc: ["'self'",
// TODO : https://github.com/IBM/taxinomitis/issues/346 should investigate these
"'unsafe-eval'",
"'unsafe-inline'",

@dalelane
Copy link
Member Author

Some of the errors that these are hiding are from angular - see https://docs.angularjs.org/api/ng/directive/ngCsp for details

dalelane added a commit that referenced this issue Dec 4, 2020
@dalelane
fix: Improve CSP policy
fee3152 
Contributes to: #346

Signed-off-by: Dale Lane <[email protected]>
dalelane added a commit that referenced this issue Dec 11, 2020
@dalelane
fix: Remove use of eval to satisfy CSP
0664c32 
Contributes to: #346

Signed-off-by: Dale Lane <[email protected]>
dalelane added a commit that referenced this issue Dec 12, 2020
@dalelane
fix: CSP improvements
b99eb16 
Incremental improvements towards being able to enforce CSP
properly.

Contributes to: #346

Signed-off-by: Dale Lane <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dalelane