neocities / neocities

Neocities.org - the web site. Yep, the backend is open source!
https://neocities.org

Make the Content Security Policy for new accounts less aggressive #484

Closed hf02 closed 9 months ago

hf02 commented 9 months ago

It seems that recently created accounts have a different and more restrictive Content Security Policy. As someone has encountered on Reddit, this breaks Cusdis.

Here's the policy on an account I just made:

content-security-policy: upgrade-insecure-requests; default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src 'self'; form-action 'self'; img-src * data:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; font-src * data:; object-src *; media-src *; frame-src *;

And on my ~3 year old account:

content-security-policy: upgrade-insecure-requests; default-src 'unsafe-inline' 'unsafe-eval' 'self' data: blob: *

I just want to clarify for others:

This only prevents fetch() and <form> from making requests to another website, which can break some widgets that are added with a script tag. However, this does not prevent hotlinking images, scripts, styles, fonts, audio, videos, and flash.

kyledrake commented 9 months ago

I'm sorry but this is going to be a wontfix. We've had way too much abuse from allowing it, far exceeding the legitimate use cases, and we aren't supporting after-load connect-src from new free sites going forward. I've changed the plan info recently to reflect that this is going to be a supporter plan feature from here on out.

I suppose that a whitelist of connect-src sites could be made for CDNs and certain third party services, but that could end up getting long quick, and I'm not sure what the best way to do that would be.

8bitKittyKat commented 5 months ago

@kyledrake I know this issue is a wontfix, and can understand why, but I ran into problems with the security policy when all I wanted to do was use a javascript MIDI player to play MIDI music in the background of my Neocities page, as one would expect of the average user's Geocities-era page. MIDI files are even a supported upload file type for Neocities but they serve no purpose without a way to play them.

Personally I would like it if Neocities had backend support for emulating MIDI playback so that a simple <embed> or <bgsound> tag would work like in the old days when I had a Geocities page, using something like bg-sound, but could you perhaps at least add the required external data URLs for MIDIjs to a whitelist for the CSP?

I was getting “connect-src 'self' blob:” errors for multiple MIDI patch files the script was trying to load from https://cdn.scorio.com/midijs/

There are other javascript synthesizers such as webaudio-tinysynth but MIDIjs was just the first one I found.

Thank you.

kyledrake commented 5 months ago

@8bitKittyKat If you include code to play midi files on your site on Neocities, it should have no trouble loading the midi files if they are also being loaded from your site, or any other location on Neocities. If that is not the case, I want to try to fix it, but it has to be an example using code placed on a Neocities site.

Another way to think about this design change is that it makes all of the sites built on Neocities far more robust and increases their longevity, because if the third party resource you are using goes down or stops working, it will break functionality of your site. To illustrate that point well, the midi site you linked is not working because the midi files it references are now producing broken link 404 errors. That source has clearly fallen into disrepair and any sites that depend on it will probably break soon too. I would recommend looking at https://github.com/feross/timidity, which I've used in the past to emulate MIDI files with great success.

FWIW, this was not a fun decision for me to make. But too many criminals are abusing this functionality for malicious activity, and like most other platforms right now (how many sites let you login without your phone now?), we also need to circle the wagons; it's dangerous to the future of the site and the search rankings of our legitimate sites, and it's not compatible with our core mission to bring back individuals making fun, creative static HTML sites.

8bitKittyKat commented 5 months ago

@kyledrake Ah, sorry, there seems to be some misunderstanding. The MIDI files I'm using are in fact hosted on my Neocities site. I never tried to use any hosted elsewhere. The issue is the MIDI emulators (including feross/timidity, as you linked) use libraries and instrument patch files that can't be installed or hosted to a personal Neocities page, unless I'm missing something here. I run into issues when I try to use any of them. The first step of feross/timidity says to run npm install timidity and I'm fairly certain that's not possible on the user side. Manually copying the instrument patch files from Drum_000 and Tone_000 and libtimidity.wasm is also denied because they are not allowed filetypes.

To demonstrate as you asked, and using feross/timidity as you've linked, I've added the script from the instructions and pointed it to a MIDI file hosted on a test page at my Neocities site, but it won't work because of the missing requirements. The error is different than the other library I was using, but the result is the same.

https://8bitkittykat.neocities.org/_test/ You'll have to click Enter because the script I inserted is on a page inside of a frame that doesn't render correctly on its own because of the styling I've used.

The page in the frame is here if you want to just view the source.

And I completely understand wanting to keep Neocities secure, and appreciate its existence FWIW. Thanks for your time with my particular issue.

8bitKittyKat commented 5 months ago

I have attempted to use the feross/bg-sound package which is better aimed at my needs, and is linked in the readme of feross/timidity and suggested for anyone looking for a simpler way to use what the timidity package offers. However, this runs me into the same problem I was initially running into with the CSP.

Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://bitmidi.com/timidity/libtimidity.wasm because it violates the following directive: “connect-src 'self' blob:”

I've updated my test site from above here. The page on my site where the MIDI script is loaded is here.

There doesn't seem to be an easy way to play MIDI on Neocities now that I can figure out. I've seen other sites on Neocities, this one for example, that are able to do it but if I replicate what they're doing I run into issues with CSP again.

kyledrake commented 5 months ago

Just an update that I'm planning to work on this and make it so you can do midi support on your site but no ETA yet, stay tuned.

8bitKittyKat commented 5 months ago

@kyledrake Hey, I really appreciate you doing that. Thanks!

Pigamer37 commented 2 days ago

Hi! I'm kind of new in terms of web development, and I understand this is still wontfix. I will comment just in case I can get a solution.

I'm developing a port of a Computer Vision tool based on OpenCV (https://kbs-lucas.neocities.org/tools/Lane-Detector). Right now it works using the user's webcam, although OpenCV.js throws some CSP errors because it tries to load some data: URIs externally, but they don't seem important because the script works.

The real problem is that, now that I'm trying to implement an alternative to use an <input type="file"> tag to get a file instead of the camera feed, whenever I'm trying to use it it throws an error, I'll copy it:

Refused to load media from 'blob:https://kbs-lucas.neocities.org/[random numbers that point to the file]' because it violates the following Content Security Policy directive: "media-src *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'blob:' must be added explicitly.

As I said before, I'm new to this, but it seems strange. I understand it's a blob: and thus not explicitly included in the policy. I've tried loading it as data: but same thing (different error, but similar). Seems weird that I can get access to camera feeds but not to files users specified themselves. Maybe there's another way I can get around this? Just to clarify, everything happens client-side, of course.

Thanks in advance!
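
The two complaints in this thread (hf02's fetch()/form breakage above, and the blob: media-src error just quoted) come from the same CSP matching rules: a missing fetch directive falls back to default-src, and the bare `*` host wildcard only covers network schemes, so blob: and data: must be listed explicitly. The evaluator below is an added example, not Neocities code, that implements that subset of CSP3 and replays the thread's requests against the two policies hf02 posted (quoted verbatim). The page origin, the file names under cdn.scorio.com and the `ALLOWLIST_CSP` policy are constructed for the example; the libtimidity.wasm URL is the one from the error message above.

```javascript
// Added example, not Neocities code: a minimal Content-Security-Policy
// evaluator covering the subset of CSP3 this thread exercises. Fetch
// directives fall back to default-src when absent; form-action does not.
// Source matching handles 'self', 'none', scheme-sources (data:, blob:),
// the bare '*' host wildcard, and simple host-sources. Paths, nonces and
// hashes are deliberately out of scope.
const FALLBACK_CHAIN = {
  'connect-src': ['connect-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
  'media-src': ['media-src', 'default-src'],
  'object-src': ['object-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  // No fallback: an absent form-action leaves form submission unrestricted.
  'form-action': ['form-action'],
};

// '*' only matches these schemes (or the page's own scheme); blob: and data:
// are never covered by '*' and must be listed explicitly.
const NETWORK_SCHEMES = new Set(['http', 'https', 'ws', 'wss', 'ftp']);
const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };

// Parse a header value into Map<directive, sourceExpressions[]>.
// Per spec a repeated directive is ignored: the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the request URL, given the page's URL?
function sourceMatches(source, url, self) {
  const scheme = url.protocol.slice(0, -1);
  const selfScheme = self.protocol.slice(0, -1);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  // blob: and data: URLs have no host, so 'self' never matches them.
  if (src === "'self'") return url.host !== '' && url.origin === self.origin;
  if (src.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes: not URL matchers
  if (src === '*') return NETWORK_SCHEMES.has(scheme) || scheme === selfScheme;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return scheme === src.slice(0, -1); // scheme-source
  // host-source: [scheme://][*.]host[:port]; the path component is ignored here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?/.exec(src);
  if (!m) return false;
  const [, srcScheme, wildcardSub, host, port] = m;
  if (srcScheme ? scheme !== srcScheme : scheme !== selfScheme && scheme !== 'https') return false;
  if (wildcardSub ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  return !port || port === '*' || (url.port || DEFAULT_PORTS[scheme] || '') === port;
}

// Evaluate one request: which directive governs it, and is it allowed?
function checkRequest(header, directive, requestUrl, pageUrl) {
  const policy = parseCsp(header);
  const self = new URL(pageUrl);
  const url = new URL(requestUrl);
  const governing = (FALLBACK_CHAIN[directive] || [directive]).find((d) => policy.has(d));
  if (!governing) return { allowed: true, directive: null }; // nothing restricts this directive
  return { allowed: policy.get(governing).some((s) => sourceMatches(s, url, self)), directive: governing };
}

// The two policies quoted in the thread, verbatim.
const NEW_ACCOUNT_CSP = "upgrade-insecure-requests; default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src 'self'; form-action 'self'; img-src * data:; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; font-src * data:; object-src *; media-src *; frame-src *;";
const OLD_ACCOUNT_CSP = "upgrade-insecure-requests; default-src 'unsafe-inline' 'unsafe-eval' 'self' data: blob: *";
// Hypothetical allowlist of the kind floated in the thread; not a real Neocities policy.
const ALLOWLIST_CSP = "default-src 'self'; connect-src 'self' https://cdn.scorio.com";

// Requests from the thread, evaluated against each policy. The page origin and
// the file names under cdn.scorio.com are constructed for the example.
function threadCases() {
  const page = 'https://example.neocities.org/index.html';
  const wasm = 'https://bitmidi.com/timidity/libtimidity.wasm';
  const blobMedia = 'blob:https://example.neocities.org/3f2c0f1e-constructed';
  const crossOriginForm = 'https://example.com/submit';
  return {
    newWasmFetch: checkRequest(NEW_ACCOUNT_CSP, 'connect-src', wasm, page).allowed,            // false
    oldWasmFetch: checkRequest(OLD_ACCOUNT_CSP, 'connect-src', wasm, page).allowed,            // true
    newScriptHotlink: checkRequest(NEW_ACCOUNT_CSP, 'script-src', 'https://cdn.scorio.com/midijs/example.js', page).allowed, // true
    newBlobMedia: checkRequest(NEW_ACCOUNT_CSP, 'media-src', blobMedia, page).allowed,         // false
    oldBlobMedia: checkRequest(OLD_ACCOUNT_CSP, 'media-src', blobMedia, page).allowed,         // true
    newSelfFetch: checkRequest(NEW_ACCOUNT_CSP, 'connect-src', 'https://example.neocities.org/song.mid', page).allowed, // true
    newCrossOriginForm: checkRequest(NEW_ACCOUNT_CSP, 'form-action', crossOriginForm, page).allowed, // false
    oldCrossOriginForm: checkRequest(OLD_ACCOUNT_CSP, 'form-action', crossOriginForm, page).allowed, // true
    allowlistedCdn: checkRequest(ALLOWLIST_CSP, 'connect-src', 'https://cdn.scorio.com/midijs/example.pat', page).allowed, // true
  };
}

console.log(threadCases());
```

Running it reproduces both errors from the thread: the libtimidity.wasm fetch is refused because the new policy's explicit `connect-src 'self'` overrides the permissive `default-src`, while the same request under the old policy is allowed via fallback to `default-src ... *`. Hotlinked scripts are still allowed under the new policy, which is hf02's point that only connect-src and form-action were tightened. The blob: case fails under `media-src *` because `*` never covers blob:, and passes under the old policy only because its `default-src` lists `blob:` explicitly, so a fix for the media-src report would need `blob:` added to that directive rather than a broader wildcard.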

kyledrake commented 2 days ago

@Pigamer37 I think I have a fix for this, try it now.

Pigamer37 commented 1 day ago

@kyledrake Just tried, same error.