getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License

GRAV admin is not working with security.csp.enable = true in Firefox #3303

Open Artiom-M opened 3 years ago

Artiom-M commented 3 years ago

Look at the screenshot. Missing icons and other elements; the JS console is full of messages like

Content Security Policy: The page’s settings blocked the loading of a resource at

[Screenshot attached: Screenshot_20210408_145702]

GRAV is 1.7.10 and is working with CSP off.

Rotzbua commented 3 years ago

Grav does not add any CSP in HTML or HTTP. Must be an addon, plugin or webserver issue.

Artiom-M commented 3 years ago

Yes, I've found what the problem was. My assumption was that my instance is local only (no external resources loaded), but Grav uses embedded resources with the data: scheme. So I have to include data: in my CSP configuration on the server side, like:

font-src 'self' data:;

I can post a full CSP config that works with Grav if interested.

Rotzbua commented 3 years ago

Font? I never saw a data: embedded font on real websites. I just use it in img-src. Gravatar creates annoying reports, but that's ok.

Artiom-M commented 3 years ago

Yes, in Grav it is used in img-src. Here is a working CSP config:

"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com;"

mahagr commented 3 years ago

So adding this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com;">

should make admin fully work?

I think that we should add support for adding the tag into admin, maybe as admin configuration option with a useful default and ability to turn it off (empty?).

Artiom-M commented 3 years ago

I didn't try it this way; I am enforcing it in the webserver config, but yes, this policy lets admin work. For the frontend, the user should consider other external resources.

Rotzbua commented 3 years ago

I think the admin module is not using any Google sources? There is still an external image from gravatar.com, so it should be allowed.

> I think that we should add support for adding the tag into admin, maybe as admin configuration option with a useful default and ability to turn it off (empty?).

The report-uri property is missing. Maybe other plugins use external resources which have to be managed.

CSP is a modern security feature, but many devs do not have it in mind or do not like restrictions. I like CSP and think it is a requirement for modern web pages, but it has many pitfalls, especially if you have external tools/plugins.
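To make the two points above concrete (the data: image source Artiom-M needed, and the gravatar.com image Rotzbua says is still blocked), here is an added example, not code from this thread or from Grav, that parses the posted policy and checks which resource loads it would permit. It uses a simplified source-expression matcher (no ports, nonces, hashes or scheme upgrades) and a constructed page host, `grav.example`.

```python
from urllib.parse import urlparse

# The working admin policy posted above in this thread.
THREAD_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "connect-src 'self'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
    "font-src 'self' fonts.gstatic.com;"
)

# Fetch directives that fall back to default-src when not listed.
FALLBACK = {"img-src", "font-src", "script-src", "style-src",
            "connect-src", "media-src", "object-src", "frame-src"}


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def source_allows(source: str, url: str, page_host: str) -> bool:
    """Simplified CSP source matching: 'self', '*', scheme and host sources."""
    parsed = urlparse(url)
    if source == "'self'":
        return parsed.scheme in ("http", "https") and parsed.hostname == page_host
    if source == "*":  # matches network schemes only, never data:
        return parsed.scheme in ("http", "https")
    if source.endswith(":"):  # scheme source such as data:
        return parsed.scheme == source[:-1]
    if source.startswith("'"):  # 'unsafe-inline' etc. never match a URL
        return False
    host = source.split("//")[-1]  # host source, optional scheme prefix
    if host.startswith("*."):
        return parsed.hostname is not None and parsed.hostname.endswith(host[1:])
    return parsed.hostname == host


def is_allowed(policy: str, directive: str, url: str, page_host: str) -> bool:
    """True if a load governed by `directive` for `url` passes the policy."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLBACK:
        sources = directives.get("default-src", [])
    return any(source_allows(s, url, page_host) for s in sources or [])
```

Running `is_allowed(THREAD_POLICY, "img-src", "https://www.gravatar.com/avatar/0", "grav.example")` returns False, which is the report Rotzbua describes; adding `www.gravatar.com` to `img-src` is the fix the thread implies.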

Artiom-M commented 3 years ago

The frontend (or one of my plugins/themes) is using it. You don't have to put all options there; the default section could be sufficient. I think it should be a configurable option, so the user can manage the content of the policy from Grav, with some semi-automation (if possible) which will generate the policy based on active plugins as a default, so the user can review and adjust it.