railslove / rack-tracker

Tracking made easy: Don’t fool around with adding tracking and analytics partials to your app and concentrate on the things that matter.
https://www.railslove.com/open-source
MIT License

content security policy #143

Closed glaszig closed 4 years ago

glaszig commented 5 years ago

i just noticed my browser complaining that it's not executing google's evil js because my application has a csp header and the script-src is missing google as a source.

would it be a good idea to, based on the tracker, inject the script sources into the csp?

bumi commented 5 years ago

thanks for raising this topic! I think this is probably too complicated to automate - as we have many different integrations here and the CSP header can be rather complex (afaik). Also I don't think it is a good idea to automatically change a security header and users should do that intentionally. Would be good to hear other thoughts on this.

Maybe an entry in the readme should be added?

glaszig commented 5 years ago

the CSP header can be rather complex

no, it's actually quite simple. the parsing instructions are 6 points.

https://w3c.github.io/webappsec-csp/2/#syntax-and-algorithms

don't think it is a good idea to automatically change a security header

well, could be controllable. but you'll need it guaranteed if you're deploying a csp.

bumi commented 5 years ago

so your suggestion would be to automatically add domains of the included integrations? we just need a general function (not just google), so each handler should know what domain(s) to add.

and maybe we can make this feature configurable.

glaszig commented 5 years ago

so your suggestion would be to automatically add domains of the included integrations?

either that or give a warning if a csp is set but missing the handler's sources. the warning maybe a sensible approach between modifying the header and doing nothing at all?

we just need a general function (not just google), so each handler should know what domain(s) to add.

yes

and maybe we can make this feature configurable.

yes. via an option.

glaszig commented 5 years ago

the nonce-src feature of csp just came to my mind. instead of adding each script url for each handler in use, rack-tracker could generate a nonce value, add that to each script tag and add that nonce to the csp. that's one single approach to white-list all rack-tracker-injected scripts independent from the tracker's actual script source.

https://w3c.github.io/webappsec-csp/2/#script-src-nonce-usage
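
Both options raised so far, warning when a policy is present but does not allow the handler's script hosts, and nonce-ing the injected tags instead, as an added example in Ruby (rack-tracker's own language). This is not rack-tracker's code: the `CspNonceTracker` class, the function names, the hostnames and the tracker snippet are assumptions made for the example, and the source-expression matching is deliberately simplified (scheme, port and path matching, hash sources and 'strict-dynamic' are left out).

```ruby
require 'securerandom'

# Added example, not rack-tracker code. Parse a Content-Security-Policy header
# into { directive-name => [source expressions] }: directives are separated
# by ';', the first token is the name, the rest are source expressions.
# A repeated directive is ignored, as the spec requires.
def parse_csp(header)
  header.to_s.split(';').each_with_object({}) do |directive, policy|
    name, *values = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] ||= values
  end
end

def serialize_csp(policy)
  policy.map { |name, values| [name, *values].join(' ') }.join('; ')
end

# Simplified host-source matching: '*', exact hosts and '*.example.com'.
# Scheme/port/path matching, hashes and 'strict-dynamic' are not handled.
def host_source_match?(source, host)
  return true if source == '*'
  return false if source.start_with?("'")                    # keyword, nonce or hash
  src_host = source.sub(%r{\A[a-z][a-z0-9+.-]*://}i, '').sub(%r{[/:].*\z}, '')
  if src_host.start_with?('*.')
    host.downcase.end_with?(src_host[1..-1].downcase)        # needs one extra label
  else
    src_host.casecmp?(host)
  end
end

# Option 1 from the thread: warn instead of touching the header. Returns the
# handler hosts blocked by script-src (or default-src as fallback).
# No policy at all means nothing is blocked.
def missing_script_sources(header, hosts)
  policy = parse_csp(header)
  return [] if policy.empty?
  sources = policy['script-src'] || policy['default-src'] || []
  hosts.reject { |host| sources.any? { |src| host_source_match?(src, host) } }
end

# Option 2: add a per-response nonce to script-src. If there is no script-src,
# start from a copy of default-src so no other directive is loosened.
def with_nonce(header, nonce)
  policy = parse_csp(header)
  policy['script-src'] ||= (policy['default-src'] || []).dup
  policy['script-src'] << "'nonce-#{nonce}'"
  serialize_csp(policy)
end

# Put the nonce on the <script> tags of the tracker's own snippet only.
# Nonce-ing every <script> in the whole response would also bless injected
# (XSS) scripts and defeat the policy.
def nonce_script_tags(snippet, nonce)
  snippet.gsub(/<script(?![^>]*\bnonce=)/i, "<script nonce=\"#{nonce}\"")
end

# Rack middleware shape: call(env) -> [status, headers, body]. The snippet and
# the host list are constructed placeholders for this example.
class CspNonceTracker
  SNIPPET = %(<script src="https://www.google-analytics.com/analytics.js" async></script>\n) +
            %(<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)}</script>\n)
  HOSTS   = %w[www.google-analytics.com].freeze

  # strategy: :nonce (modify the header) or :warn (leave it, log what is blocked)
  def initialize(app, strategy: :nonce, snippet: SNIPPET, hosts: HOSTS)
    @app, @strategy, @snippet, @hosts = app, strategy, snippet, hosts
  end

  def call(env)
    status, headers, body = @app.call(env)
    csp_key = headers.keys.find { |k| k.casecmp?('Content-Security-Policy') }
    snippet = @snippet
    if csp_key && @strategy == :nonce
      nonce = SecureRandom.base64(16)                        # fresh per response, never reused
      headers[csp_key] = with_nonce(headers[csp_key], nonce)
      snippet = nonce_script_tags(@snippet, nonce)
    elsif csp_key
      missing = missing_script_sources(headers[csp_key], @hosts)
      warn "tracker hosts not allowed by script-src: #{missing.join(', ')}" unless missing.empty?
    end

    html = +''
    body.each { |chunk| html << chunk }
    body.close if body.respond_to?(:close)
    html = html.sub('</head>') { snippet + '</head>' }
    headers['Content-Length'] = html.bytesize.to_s if headers.key?('Content-Length')
    [status, headers, [html]]
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'Content-Security-Policy' => "default-src 'self'" },
                    ['<html><head><title>x</title></head><body></body></html>']] }
  _status, headers, body = CspNonceTracker.new(app).call({})
  puts headers['Content-Security-Policy']
  puts body.join
end
```

Two things to keep in mind when doing this for real. A nonce-source matches a script element that carries the nonce whether it is inline or loads from a URL, so the external tag gets through without a host entry; scripts that analytics.js or Tag Manager load afterwards are not nonced, though, and still need host sources (or 'strict-dynamic'). And once script-src contains a nonce, browsers implementing CSP Level 2 ignore 'unsafe-inline' in that directive, so the tracker's inline bootstrap has to be nonced rather than allowed wholesale, which is why the nonce goes on the tracker's own snippet and nowhere else.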

DonSchado commented 5 years ago

yeah, I was also thinking about that topic for rack tracker a couple weeks ago. CSP is maybe the best mechanism available against XSS. But in my opinion it's not so easy to have a strong CSP and use tracking scripts at the same time.

Yes, one solution would definitely be a nonce based approach. Rails 5.2+ has this out of the box. We would just need to pass it through, when initializing the handler in the controller and add it to the script tags.

But the problem is that some tracking scripts (at least the famous ones) require the 'unsafe-inline' option on src and style directives. And if I understood CSP correctly, you can't have both... using unsafe-inline for some scripts, but also use a nonce. 🤷‍♂

Which makes the whole use of a CSP policy pointless in my opinion... Working around this, would require a controller based decision, of enabling/disabling the CSP vs a nonce approach for others where you don't need tracking? I don't know. The Rails Guides have only a short entry on that topic.

Please advise :)

glaszig commented 5 years ago

But the problem is that some tracking scripts (at least the famous ones) require the 'unsafe-inline' option on src and style directives. And if I understood CSP correctly, you can't have both

crap, you're right. was a nice dream, though.

Please advise :)

🤔

may be relevant: https://ayesh.me/google-analytics-csp

TL;DR?
Move your inline Analytics script to a separate file
✅ Allow scripts from www.google-analytics.com with script-src directive.
✅ Allow images from www.google-analytics.com with img-src.
➡️ Content-Security-Policy: script-src www.google-analytics.com; img-src www.google-analytics.com
⚠️ Take note that the above is not your final CSP.

glaszig commented 5 years ago

also relevant, specifically for google: https://developers.google.com/tag-manager/web/csp tl;dr: it's a clusterfuck.

DonSchado commented 5 years ago

yeah CSP and tracking conflicts quite a lot :D

When there is no easy solution, I would recommend that we add a short general guidance on that topic to the readme. Would you like to start something for this? :)

DonSchado commented 4 years ago

I close this for now. Let's reopen this, when the topic comes up again