search

owncloud-archive / maps

:globe_with_meridians: Maps app for ownCloud
GNU Affero General Public License v3.0
42 stars 20 forks source link

Modify content security policy #49

Closed Henni closed 9 years ago

Henni commented 9 years ago

fixes #47

probably breaks compatibility for owncloud < 8.1

DJaeger commented 9 years ago

Because of the compatibility break I have asked before I have created a PR. If a legacy version should be preserved, another branch should be created before.

DJaeger commented 9 years ago

For fixing

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf self blockiert ("script-src https://my.url 'unsafe-eval'").
onsubmit attribute on DIV element

I think you have to also add

        $csp->addAllowedScriptDomain('\'self\'');
brantje commented 9 years ago

Nice, thanks for your contribution! @LukasReschke What is the proper way to do this? Create an stable7 and a stable8 branch?

Henni commented 9 years ago

I added $csp->addAllowedScriptDomain('\'self\''); and made the code backwards compatible like @LukasReschke described at https://github.com/owncloud/maps/issues/47#issuecomment-129461851.

v1r0x commented 9 years ago

For me this only works, if I add

$csp->addAllowedImageDomain('*');
Henni commented 9 years ago

@v1r0x What errors are shown with the current implementation?

v1r0x commented 9 years ago 
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf self blockiert ("script-src https://owncloud.my.url https://owncloud.my.url 'unsafe-eval'").
onsubmit attribute on DIV element

Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf http://otile3.mqcdn.com/tiles/1.0.0/osm/15/17210/11312.png blockiert ("img-src https://owncloud.my.url https://otile1.mqcdn.com https://otile2.mqcdn.com https://otile3.mqcdn.com https://otile4.mqcdn.com").
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf http://otile2.mqcdn.com/tiles/1.0.0/osm/15/17210/11311.png blockiert ("img-src https://owncloud.my.url https://otile1.mqcdn.com https://otile2.mqcdn.com https://otile3.mqcdn.com https://otile4.mqcdn.com").
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf http://otile2.mqcdn.com/tiles/1.0.0/osm/15/17209/11312.png blockiert ("img-src https://owncloud.my.url https://otile1.mqcdn.com https://otile2.mqcdn.com https://otile3.mqcdn.com https://otile4.mqcdn.com").
Henni commented 9 years ago

@v1r0x did you use the master branch or did you checkout this pull-request when these errors occurred?

v1r0x commented 9 years ago

I checked out the pull request

Henni commented 9 years ago

@v1r0x which browser did you use?

brantje commented 9 years ago 
$csp->addAllowedImageDomain('www.openstreetmap.org');
DJaeger commented 9 years ago

@brantje: The blocked images doesn't came from osm but from mq, so this doesn't work.

The issue seems to be, that the images to load use http and allowed is only https. The csp class seems to prepend the currently used protokoll and @v1r0x seems to use https to access his owncloud. But we have to force http as mq only delivers tiles over http.

DJaeger commented 9 years ago

As of https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives we can also allow http://*.mqcdn.com or http://otile1.mqcdn.com http://otile2.mqcdn.com http://otile3.mqcdn.com http://otile4.mqcdn.com

DJaeger commented 9 years ago

As the csp class simply pass through the values this should work.

Henni commented 9 years ago

@DJaeger I applied your fix http://*.mqcdn.com

@v1r0x could you retest please.

v1r0x commented 9 years ago

works fine now! :) But I had to add

$csp->addAllowedImageDomain('https://api.tiles.mapbox.com');

as well for the markers

DJaeger commented 9 years ago

@v1r0x: You are right, they are also requested from another origin. I think they could be added to this repo some time later, as they can be found here: https://github.com/mapbox/maki This would minimize dependencies and requests to other origins and can also be handed by the caching preferences of owncloud.

Henni commented 9 years ago

For now I'll add https://api.tiles.mapbox.com to the Content-Security-Policies.

Henni commented 9 years ago

If you're happy with these changes I'll squash the commits.

Henni commented 9 years ago

I created an issue to integrate the icons: #52

DJaeger commented 9 years ago

Forcing https for the API is great, as it is hardcoded to https. Adding the specific subdomains would be more secure, but I think we can trust a subdomain wildcard for this domain enough to let it as it is. The third code comment is wrong, as it allows scripts to be loaded and not images.

Henni commented 9 years ago

I didn't completely understand the last rule. As far as I understand it was added because some image which is included in the script couldn't load. What would be a better comment in your opinion @DJaeger?

brantje commented 9 years ago

Looks good. :+1:

jancborchardt commented 9 years ago

Nice, looks great! :) @Henni cool to see you in here as well!

@LukasReschke @DJaeger can you give this a review too please? So with this Maps will only be compatible with 8.1+? (I’m fine with that, just confirming.)

Henni commented 9 years ago

@jancborchardt it should still be compatible for < 8.1 maybe @LukasReschke can confirm this.

DJaeger commented 9 years ago

An image can only be in a script as "data:" url, where it would require 

$csp->addAllowedImageDomain('data:');

and as I have now seen, we also require that for contact images.
This:

$csp->addAllowedScriptDomain('\'self\'');

is required to load scripts by scripts from the server. I don't know where we do it, but @v1r0x had such a request, that was blocked. I'm not sure, but it could be coursed by wrongly requesting json.

DJaeger commented 9 years ago

@jancborchardt: If I'm right it should be compatible with each oc8 version

Henni commented 9 years ago

@DJaeger what about oC7?

DJaeger commented 9 years ago

I'm sorry, I was wrong. We have not changed any compatibility with this PR.

jancborchardt commented 9 years ago

So we merge? :+1: from me :)

DJaeger commented 9 years ago

No, please add this line before:

$csp->addAllowedImageDomain('data:');
DJaeger commented 9 years ago

And change 

// images inside scripts

to

// scripts
jancborchardt commented 9 years ago

@Henni and maybe as a last thing squash the commits into one to keep history clean. :)

DJaeger commented 9 years ago

If these changes are done also :+1: from me

LukasReschke commented 9 years ago

Valid approach. I'd make it easier by just whitelisting * and also change the comment. Besides this: Good work :+1:

Henni commented 9 years ago

I removed $csp->addAllowedScriptDomain('\'self\''); as this is set by default. I added $csp->addAllowedImageDomain('data:'); as it is needed for inline images.

To sum it up, we now allow:

If you are all ok with this, let's merge it!

brantje commented 9 years ago

:+1: code looks good

DJaeger commented 9 years ago

:+1: from me.

Henni commented 9 years ago

@brantje @DJaeger great thanks!