internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Add compliant CSP for emailveilig.internet.nl #951

Open baknu opened 1 year ago

baknu commented 1 year ago

See: https://internet.nl/site/emailveilig.internet.nl/2050978/#control-panel-29

Code can be found on https://github.com/internetstandards/emailveilig-landingspagina

bwbroersma commented 1 year ago

Currently the emailveilig-landingspagina private repo only has the bundled code.

Although the whole page is static, it's quite hard to generate a compliant CSP header. There are quite some inline elements (1× script, 1× style and 16× svg), although you could generate¹ this for the inline elements:

default-src 'self' *.internet.nl;
frame-ancestors 'none';
base-uri 'self';
form-action 'none';
script-src 'self' 'sha256-l+ulRPvrk7FrAwczX8FUuwRIPZElf1mTABi3OYe1TdU=';
style-src 'sha256-9n79AR4f7nrBUqX+qbKRuYUydXIh2OAcfHswxO+NoPo=';
img-src 'self' *.internet.nl 'sha256-nl0zuKTYTg/Elz9CNlMUL4e+vUgYPJoWat/RW61oAx4=' 'sha256-OZjA9EFK9fNhSabFYR3v4j9Tgqrs9H9sbb6lrRujmCk=' 'sha256-N+T/rZDNSmT2W8yD0eosd5AMbFblD7vgB6AVyvaweFA=' 'sha256-V5e+hmOXc7GHWwm2ya3OZSwxqV8c3achWg8IscwPLhM=' 'sha256-JCPAlQMGNcpR+TrogTgfvVaVHRVx86pPZzjBMDouKEg=' 'sha256-N+T/rZDNSmT2W8yD0eosd5AMbFblD7vgB6AVyvaweFA=' 'sha256-OrhO8al+6oHlltRcTAHDKZWwY4fSHpnbbeqUgOStCpk=' 'sha256-v8FzIAcGGZSlGZzUtQqCTFJ44PbM+Btvam2XXYC/9Ps=' 'sha256-CPPBJsl8isQ1vuHRJBiSAkV9TCqjt6q3R/SV6Fi77NY=' 'sha256-6vXmE91CJ07zxHWaZG8a/+pxbHWJv/Bh80wA8kyMWQw=' 'sha256-rWAIYIHIs++M4HUawzot/tmibeuClKiORmSp7tEFvt4=' 'sha256-FCBxkddEmlgCt5dtQSy/29ArkJ+flu/kJObwhKes05A=' 'sha256-0OyjdtxC3HMG/fomM1Jj1aPAwuiPh6Yxs8ndAEXbMrc=' 'sha256-tk00Ce9Zxw1+RmGMcpvgMBwrVMaq9dFJ3pwtLdeM4go=' 'sha256-YmhsIpwYR6r6viB/NZkmFtYGWm+GUjCiIfAXYA0UahY=' 'sha256-SMABh/A0PVa0jYtxBQvmy+KX5mw5P+vvdSGpDBS15oE=';

However, bundle.js is using eval, data:, etc.

¹ with some one-liner:

echo "default-src 'self' *.internet.nl; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; script-src 'self' 'sha256-$(curl -sSfA '' --compressed 'https://emailveilig.internet.nl/' | xmllint --html --xmlout - 2>/dev/null | xmlstarlet sel -t -c '//script[1]/text()' | openssl dgst -sha256 -binary | openssl base64)'; style-src 'sha256-$(curl -sSfA '' --compressed 'https://emailveilig.internet.nl/' | xmllint --html --xmlout - 2>/dev/null | xmlstarlet sel -t -c '//style[1]/text()' | openssl dgst -sha256 -binary | openssl base64)'; img-src 'self' *.internet.nl$(curl -sSfA '' --compressed 'https://emailveilig.internet.nl/' | xmllint --html --xmlout - 2>/dev/null | xmlstarlet sel -N svg="http://www.w3.org/2000/svg" -t -m '//svg:svg' -c '.' -n | sed -r 's@^<svg [^>]+>(.+)</svg>$@\1@g' | while read -r line; do echo -n " 'sha256-$(echo -n "$line" | openssl dgst -sha256 -binary | openssl base64)'"; done);"
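
The hash-generation approach from the comment above, as an added example that is not Internet.nl's or the landing page's own code: a standard-library Python script that pulls the bodies of inline `<script>` and `<style>` elements out of an HTML document, computes the `sha256-…` hash sources CSP expects for them, and assembles a policy in the same shape as the one in the comment. The markup in `SAMPLE_HTML` is a constructed sample and the function names are this example's own. It skips `<script src=…>` (external scripts are covered by host sources such as `'self'`, not by inline hashes) and deliberately ignores inline `<svg>`: hash sources are only defined for `script-src` and `style-src`, and an inline SVG is part of the document rather than a fetched image, so hashes listed under an image directive never take effect.

```python
"""Build CSP hash sources for inline <script> and <style> elements.

Added example, not Internet.nl or emailveilig code. Standard library only.
"""
import base64
import hashlib
from html.parser import HTMLParser


class InlineCollector(HTMLParser):
    """Collects the exact text of inline <script> and <style> elements.

    CSP hashes are computed over the element body byte-for-byte, so the
    text is kept untouched (no stripping, no entity conversion).
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.scripts = []
        self.styles = []
        self._current = None   # (tag, [chunks]) while inside an inline element
        self._skip_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "style"):
            return
        if tag == "script" and dict(attrs).get("src"):
            self._skip_script = True   # external script: host source, not hash
            return
        self._current = (tag, [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._skip_script:
            self._skip_script = False
            return
        if self._current is not None and tag == self._current[0]:
            kind, chunks = self._current
            (self.scripts if kind == "script" else self.styles).append("".join(chunks))
            self._current = None


def collect_inline(html):
    """Return (scripts, styles): the bodies of inline elements, in document order."""
    p = InlineCollector()
    p.feed(html)
    p.close()
    return p.scripts, p.styles


def csp_hash(source, algo="sha256"):
    """Return the CSP hash-source token for one element body (UTF-8 encoded)."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_csp(html, hosts=("'self'",)):
    """Assemble a policy: host sources plus one hash per distinct inline body."""
    scripts, styles = collect_inline(html)
    # dict.fromkeys de-duplicates identical bodies while keeping order
    script_src = list(hosts) + [csp_hash(s) for s in dict.fromkeys(scripts)]
    style_src = list(hosts) + [csp_hash(s) for s in dict.fromkeys(styles)]
    directives = [
        "default-src " + " ".join(hosts),
        "frame-ancestors 'none'",
        "base-uri 'self'",
        "form-action 'none'",
        "script-src " + " ".join(script_src),
        "style-src " + " ".join(style_src),
    ]
    return "; ".join(directives)


# Constructed sample page: one external script, one inline script, one inline style.
SAMPLE_HTML = """<!doctype html>
<html><head>
<style>body { margin: 0 }</style>
<script src="/bundle.js"></script>
<script>console.log("hello");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print("Content-Security-Policy: " + build_csp(SAMPLE_HTML))
```

Two things to keep in mind when using this on a real page: the hash covers the element text exactly as served, so any later change to the inline code (a rebuilt bundle, a template that re-indents the block) silently invalidates the policy, which is why the comment's approach of generating the header from the deployed HTML is the right one; and a hash only allows the inline block to run, so a bundle that itself calls `eval` still needs `'unsafe-eval'`, which is exactly the problem the comment raises about bundle.js.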
baknu commented 1 year ago

@lamalamaMark: Could you provide the source JavaScript files, because now the emailveilig-landingspagina repo only contains the bundled code? Thanks.

lamalamaMark commented 1 year ago

@baknu It seems I don't have access anymore to this repo? If you provide access I can update the repo with the src files.

baknu commented 1 year ago

@lamalamaMark Sorry for my late reply. Just provided you with access. Please upload the source files. Thanks!

baknu commented 9 months ago

@lamalamaMark: ping :-)