Closed baszoetekouw closed 2 months ago
The CSP headers break Etherpad and WordPress, so don't merge yet!
@mrvanes what is the status of this? I see I've already merged the PR, but apparently I shouldn't have?
The CSP requirements and Etherpad/WordPress cannot be fulfilled at the same time, I'm afraid.
OK, let's use more relaxed CSP headers for WP and Etherpad then.
And that means no CSP headers at all for demo1 at the moment. Then you can revert that merge as well.
Relaxed CSP headers are still better than none, as far as I'm concerned.
Agreed, but with my limited knowledge of the matter I haven't managed to come up with a set that works, and EP and WP share the CSP headers because it's the same virtualhost.
With this CSP:
Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.sram.surf.nl; frame-ancestors 'none'; block-all-mixed-content;"
Etherpad barks:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-13Xtc89MSfsDPErm3syFx70NQqw9DB0exK2LYLR9Bes='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
In 3 places.
WordPress barks:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-9lQoa6DxL3CLBHO/ruChS5qnmwmTp5M9Df4S5UOH97k='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-qakqfo0k3q+bzf4QOzmMxUPbAYdakC3HWGmfOL/BUC4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the stylesheet 'http://demo1.sram.surf.nl/wp/wp-includes/blocks/navigation/style.min.css/?ver=6.4.3' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
In dozens of places.
Do you have good ideas for a less strict CSP?
works.
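Added example, not code from the PR or from either project: a small Python model of the CSP rules the browser messages above are applying (the directive fallback chain, and how 'self', host-sources, hashes and 'unsafe-inline' match), replayed against the exact loads the thread reports. It assumes demo1 is served over https (an http:// URL being refused against 'self' reads that way); the RELAXED policy is one candidate relaxation written for this example, not something the thread settled on, and the "AAAA" hash is a constructed placeholder for an inline script that is not on the allow list.

```python
"""Toy CSP evaluator for the directives in this thread (added example, not from the PR).

Models the fallback chain the browser messages describe (style-src-elem -> style-src
-> default-src, script-src -> default-src) and the CSP3 source-matching rules, then
checks which of the reported loads a given policy would allow.
Assumption: demo1 is served over https.
"""
from urllib.parse import urlparse

PAGE = "https://demo1.sram.surf.nl/"  # assumed document origin

# Directive fallback per CSP3. Navigation/document directives (form-action, base-uri,
# frame-ancestors) never fall back to default-src.
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
}
FETCH = {"script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
         "object-src", "child-src", "manifest-src"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """\"default-src 'self'; style-src ...\" -> {'default-src': [\"'self'\"], ...}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing(policy, directive):
    """Return (name, sources) of the directive that actually applies, or (None, None)."""
    chain = FALLBACK.get(directive) or ([directive, "default-src"] if directive in FETCH else [directive])
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None


def _origin(url):
    u = urlparse(url)
    return u.scheme, (u.hostname or "").lower(), u.port or {"http": 80, "https": 443}.get(u.scheme)


def _host_source_matches(src, url, page_scheme):
    """Host-source such as https://*.sram.surf.nl or example.com:8443 (paths ignored here)."""
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.split("/", 1)[0].partition(":")
    u_scheme, u_host, u_port = _origin(url)
    if scheme is None:
        if u_scheme not in (page_scheme, "https"):  # scheme-less source: page scheme, or an https upgrade
            return False
    elif scheme.lower() != u_scheme:
        return False
    host = host.lower()
    if host.startswith("*."):
        if not u_host.endswith(host[1:]):
            return False
    elif host != u_host:
        return False
    return not port or port == "*" or int(port) == u_port


def allows_url(policy, directive, url, page=PAGE):
    """Would this policy let `directive` fetch `url` from a document at `page`?"""
    _, sources = governing(policy, directive)
    if sources is None:
        return True  # nothing governs it
    if sources == ["'none'"]:
        return False
    p_scheme, p_host, p_port = _origin(page)
    u_scheme, u_host, u_port = _origin(url)
    for src in sources:
        if src == "'self'":  # same origin; CSP3 also lets an http page load https from the same host
            if u_host == p_host and ((u_scheme, u_port) == (p_scheme, p_port)
                                     or (p_scheme, u_scheme, p_port, u_port) == ("http", "https", 80, 443)):
                return True
        elif src == "*":
            if u_scheme in ("http", "https"):
                return True
        elif src.startswith("'"):
            continue  # keywords, nonces and hashes never match a URL
        elif src.endswith(":"):
            if u_scheme == src[:-1].lower():  # scheme-source such as https: or data:
                return True
        elif _host_source_matches(src, url, p_scheme):
            return True
    return False


def allows_inline(policy, directive, sha256_b64):
    """Would an inline script/style whose SHA-256 (base64) is `sha256_b64` be applied?"""
    _, sources = governing(policy, directive)
    if sources is None:
        return True
    pinned = any(s.startswith(HASH_OR_NONCE) for s in sources)
    if "'unsafe-inline'" in sources and not pinned:
        return True  # a nonce or hash in the same directive makes 'unsafe-inline' a no-op
    return f"'sha256-{sha256_b64}'" in sources


# The policy from the thread, and one candidate relaxation (an assumption, not something
# the PR settled on): styles may be inline, scripts stay pinned to hashes.
STRICT = ("default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.sram.surf.nl; "
          "frame-ancestors 'none'; block-all-mixed-content;")
RELAXED = ("default-src 'self'; script-src 'self' 'sha256-9lQoa6DxL3CLBHO/ruChS5qnmwmTp5M9Df4S5UOH97k='; "
           "style-src 'self' 'unsafe-inline'; img-src 'self' data:; base-uri 'self'; frame-src 'none'; "
           "form-action 'self' https://*.sram.surf.nl; frame-ancestors 'none';")
WP_CSS = "http://demo1.sram.surf.nl/wp/wp-includes/blocks/navigation/style.min.css/?ver=6.4.3"


def check(header):
    """Replay the violations the browser reported against a policy; True means allowed."""
    p = parse_csp(header)
    return {
        "etherpad_inline_style": allows_inline(p, "style-src", "13Xtc89MSfsDPErm3syFx70NQqw9DB0exK2LYLR9Bes="),
        "wp_inline_script": allows_inline(p, "script-src", "9lQoa6DxL3CLBHO/ruChS5qnmwmTp5M9Df4S5UOH97k="),
        "wp_other_inline_script": allows_inline(p, "script-src", "AAAA"),  # constructed: an unlisted script
        "wp_inline_style": allows_inline(p, "style-src", "qakqfo0k3q+bzf4QOzmMxUPbAYdakC3HWGmfOL/BUC4="),
        "wp_http_stylesheet": allows_url(p, "style-src-elem", WP_CSS),
        "wp_https_stylesheet": allows_url(p, "style-src-elem", WP_CSS.replace("http://", "https://", 1)),
    }


if __name__ == "__main__":
    for name, header in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, check(header))
```

The STRICT replay reproduces every refusal quoted above. Two things fall out of it that matter for the "less strict CSP" question: the http:// stylesheet stays blocked under any source list as long as the page is https, because 'self' is scheme-specific and a stylesheet fetched over plain http is blockable mixed content that browsers refuse regardless of the policy, so that one is about the URLs WordPress generates, not about the CSP. And pinning scripts to hashes, as RELAXED does, only works while the inline scripts are static; for a WordPress install whose inline scripts change with every plugin or version the realistic choices are nonces emitted by the application or 'unsafe-inline' for script-src, and the latter gives up most of the XSS protection CSP was meant to buy. Relaxing style-src to 'unsafe-inline' is the cheap concession; relaxing script-src the same way is the expensive one.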