argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Content-Security-Policy should be documented or automatically set by server #9637

Open ftsell opened 2 years ago

ftsell commented 2 years ago

Summary

A working but restrictive Content-Security-Policy should either be given clearly in the documentation or (even better) set by the argocd server automatically.

Motivation

A Content-Security-Policy is a basic security measure to protect against cross-site scripting attacks. While I do trust the project to undergo audits and generally take security considerations seriously when designing argocd, a CSP provides an additional layer of protection in case some vulnerability was missed. Implementing a minimal CSP is also comparatively simple since it only requires setting one HTTP header.

Ideally, a CSP should not only be documented but automatically set by the application server because it would remediate the risk of an administrator forgetting to set it in their web server or overlooking it in the documentation.

Proposal

As said before, the argocd server should return an appropriate CSP.

While an elaborate policy using nonces or hashes could be set up and would be better, a minimal policy would be a start. On my deployment the policy default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline', while very broad, keeps the application working. Note: I do not use any customizations, plugins or Google Analytics tracking. The given CSP might not work in those use cases since I have not tested it there.

crenshaw-dev commented 2 years ago

I think we have a default CSP set, it's just not very restrictive. https://github.com/argoproj/argo-cd/blob/3008b525f08fd3f0fc8562b7a8daecd0f375f773/cmd/argocd-server/commands/argocd_server.go#L194

So your recommendation would be that we 1) augment that default to include the items you've specified and 2) document that default. Is that correct?

ftsell commented 2 years ago

Yes that is correct

deepto98 commented 2 years ago

Can I pick this up?

crenshaw-dev commented 2 years ago

@deepto98 absolutely! Let me know if you need any help. 🙂

deepto98 commented 2 years ago

@crenshaw-dev I'm working on this. If I understand correctly, here: https://github.com/argoproj/argo-cd/blob/3008b525f08fd3f0fc8562b7a8daecd0f375f773/cmd/argocd-server/commands/argocd_server.go#L194 "frame-ancestors 'self';" needs to be replaced with default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline', and the same needs to be documented in the usage string "Set Content-Security-Policy header in HTTP responses to value. To disable, set to \"\"."? Also, can you please point me to a doc to build and run the project locally?

crenshaw-dev commented 2 years ago

That's my understanding as well!

There are a few ways to run locally. Here's the documented way: https://argo-cd.readthedocs.io/en/stable/developer-guide/running-locally/

I usually just install the latest manifests and then re-tag images as necessary. :-P

deepto98 commented 2 years ago

Okay, thanks

deepto98 commented 2 years ago

@crenshaw-dev I've fixed this in #9787, do let me know if this works.

crenshaw-dev commented 2 years ago

@ftsell do you remember why you needed unsafe-eval?

ftsell commented 2 years ago

No, I can't specifically tell you why that is necessary, just that without it the GUI doesn't work.

crenshaw-dev commented 2 years ago

@ftsell fwiw I just tested without unsafe-eval. It works if and only if I do a production webpack build instead of a development build.

yossicohn commented 2 years ago

@crenshaw-dev @ftsell from what I see, when using a proxy (LB and k8s ingress resource) I get the CSP error, and I guess it relates to what you are discussing here.

manish222agr commented 8 months ago

> @crenshaw-dev I've fixed this in #9787, do let me know if this works.

When do we plan to merge this PR, and in which tag will it be available?

GeorgiDimv commented 7 months ago

Hello, I have tried deploying argocd with: server.content.security.policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';

and it works fine. I can't find issues in the GUI. So my question is: if there is a specific case of how they tested that the GUI is not working without script-src 'unsafe-eval', please let me know how to reproduce the error; otherwise, is it safe to say that we can remove the unsafe-eval?
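The thread discusses three concrete policies (the original frame-ancestors-only default referenced in argocd_server.go, ftsell's proposal with 'unsafe-eval', and GeorgiDimv's variant without it), the "set to empty string to disable" semantics of the server flag, and the question of whether a given policy still permits eval(). The Go program below is an added example written for this page; it is not Argo CD's code and does not reproduce the project's actual handler. The function names (WithCSP, ParseCSP, EffectiveSources, AllowsUnsafeEval, RestrictsScripts, ServedCSP) are assumptions made for the illustration. It shows a minimal middleware that sets the header from a configurable value (empty disables it), a small CSP directive parser that honours the default-src fallback, and a check that answers the "does this policy allow unsafe-eval?" question for each policy quoted in the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policies quoted in the thread. OriginalDefaultCSP is the frame-ancestors-only
// default referenced in argocd_server.go; ProposedCSP is ftsell's working policy;
// StrictCSP is the policy GeorgiDimv reported as working without 'unsafe-eval'.
const (
	OriginalDefaultCSP = "frame-ancestors 'self';"
	ProposedCSP        = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
	StrictCSP          = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';"
)

// WithCSP (hypothetical middleware, not Argo CD's) sets Content-Security-Policy on
// every response. An empty policy disables the header, matching the flag's
// documented "To disable, set to \"\"" semantics.
func WithCSP(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if policy != "" {
			w.Header().Set("Content-Security-Policy", policy)
		}
		next.ServeHTTP(w, r)
	})
}

// ParseCSP splits a policy string into directive -> source list. Directive names
// are lower-cased; a duplicated directive keeps its first occurrence, as browsers do.
func ParseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, dup := out[name]; dup {
			continue
		}
		out[name] = fields[1:]
	}
	return out
}

// EffectiveSources returns the sources governing a fetch directive: the directive
// itself if present, otherwise default-src, otherwise nil (no restriction at all).
func EffectiveSources(policy map[string][]string, directive string) []string {
	if srcs, ok := policy[directive]; ok {
		return srcs
	}
	return policy["default-src"]
}

// AllowsUnsafeEval reports whether script execution via eval() is permitted,
// taking the default-src fallback into account.
func AllowsUnsafeEval(policy string) bool {
	for _, s := range EffectiveSources(ParseCSP(policy), "script-src") {
		if strings.EqualFold(s, "'unsafe-eval'") {
			return true
		}
	}
	return false
}

// RestrictsScripts reports whether the policy constrains script sources at all.
// The frame-ancestors-only default does not, which is the issue's starting point.
func RestrictsScripts(policy string) bool {
	return EffectiveSources(ParseCSP(policy), "script-src") != nil
}

// ServedCSP sends a request through the middleware and returns the header the
// client sees, i.e. what an operator would inspect with a HEAD request.
func ServedCSP(policy string) string {
	h := WithCSP(policy, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	for _, p := range []string{OriginalDefaultCSP, ProposedCSP, StrictCSP, ""} {
		fmt.Printf("policy=%q\n  served=%q\n  restricts scripts=%v  allows unsafe-eval=%v\n",
			p, ServedCSP(p), RestrictsScripts(p), AllowsUnsafeEval(p))
	}
}
```

The default-src fallback matters for the comparison in this thread: a policy such as default-src 'self' 'unsafe-eval' with no script-src directive still permits eval(), so checking the script-src directive alone would miss it. Conversely, the original frame-ancestors-only default places no restriction on scripts at all, which is why the issue asks for default-src and script-src to be added.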