Open sevmonster opened 2 years ago
Find a way to not send form data when redirecting to another site with double-bangs so that every engine does not need to be added to CSP.
I don't have any issue with CSP & double-bang redirections on my server https://darmarit.org/searx/ .. (tested with FFox & Chrome)
I assume the issue is related to your modifications of the CSP .. here is my CSP
```yaml
default_http_headers:
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  X-Download-Options: noopen
  X-Robots-Tag: noindex, nofollow
  Referrer-Policy: no-referrer
  Content-Security-Policy: >-
    default-src 'self' data:
    https://invidio.xamh.de
    https://mp-tube.de
    https://cdn-storage.br.de
    https://*.akamaihd.net
    https://player.vimeo.com
    https://www.mixcloud.com
    https://w.soundcloud.com
    https://www.dailymotion.com
    https://www.deezer.com
    https://genius.com
    https://apasfiis.sf.apa.at
    https://media.tagesschau.de
    ;
    img-src 'self' data:
    https://*.tile.openstreetmap.org
    https://maps.wikimedia.org
    ;
```
> I assume the problem is caused by the `form-action self;` you added to your CSP header
It's not something I did. It's from the searxng-docker Caddyfile.

In any case, it's still a problem to allow potentially sensitive form data (i.e. search queries) to go to any other site by punching it through CSP. Maybe this could be resolved by redirecting to an interstitial page to please CSP, then use `Refresh: 0` headers to redirect to the desired URL?
> It's not something I did. It's from the searxng-docker Caddyfile.

@dalf @mrpaulblack .. do you have the same issue with `!!` bang redirections?
I haven't tried the configuration, but it makes sense.
One way to fix the issue is to let SearXNG manage the CSP header, see https://github.com/searxng/searxng/issues/140
At first sight, SearXNG could send a CSP header which allows the redirection:
> I assume the problem is caused by the `form-action self;` you added to your CSP header
Seems no longer in the header / issue seems fixed: I tested on https://paulgo.io/ & https://searx.sev.monster/
@return42 And I just tested with both and neither worked :) I am not sure why you are not seeing the CSP header, maybe MITM proxy or extension conflict. Or maybe your browser is not parsing/enforcing CSP correctly.

If you wanted to be pedantic this could be considered a true bug for searxng-docker where the default configuration still sets this header, and a feature request for this repository where it does not. However, at the moment there is still no functionality in SearXNG that can help redirect the user to the desired engine if they are using the Docker repo's Caddy CSP headers or similar, and submitting the search form with double-bang.
> I am not sure why you are not seeing the CSP header

There is a CSP header but there is no `form-action self;` in the CSP header.
> And I just tested with both and neither worked :)

For me it works, when I use your instance, for example with this link `!!alternativeto foo` .. it opens directly https://alternativeto.net/browse/search/?q=foo in my browser.
> There is a CSP header but there is no `form-action self;` in the CSP header.

`form-action` is very much there:
> For me it works, when I use your instance, for example with this link `!!alternativeto foo` .. it opens directly https://alternativeto.net/browse/search/?q=foo in my browser.

Yes, it will work if you use a direct link, because it is not triggering `form-action`, because a direct link is not a form. Currently there is no CSP or other feature that blocks redirects on direct links.

Go to the page instead and attempt this from the search box. Unless your situation is strange it will not work.
Excerpt of site's Nginx configuration:

```nginx
location / {
    proxy_pass http://searxng;
    include includes/proxy.conf;

    # hide searxng default headers that we already set
    proxy_hide_header X-Content-Type-Options;
    proxy_hide_header X-XSS-Protection;
    proxy_hide_header X-Robots-Tag;
    proxy_hide_header Referrer-Policy;

    # @notimageproxy
    set $csp "upgrade-insecure-requests";
    set $csp "$csp;default-src 'none'";
    set $csp "$csp;script-src 'self'";
    set $csp "$csp;style-src 'self' 'unsafe-inline' https://sev.monster";
    set $csp "$csp;form-action 'self' https://github.com/searxng/searxng/issues/new";
    set $csp "$csp;font-src 'self'";
    set $csp "$csp;frame-ancestors 'self'";
    set $csp "$csp;base-uri 'self'";
    set $csp "$csp;connect-src 'self' https://overpass-api.de";
    #set $csp "$csp;img-src 'self' data: https://*.tile.openstreetmap.org";
    # allow non-proxied images
    set $csp "$csp;img-src * data:";
    set $csp "$csp;frame-src";
    set $csp "$csp https://www.youtube-nocookie.com https://player.vimeo.com";
    set $csp "$csp https://www.dailymotion.com https://www.deezer.com";
    set $csp "$csp https://www.mixcloud.com https://w.soundcloud.com";
    set $csp "$csp https://embed.spotify.com";
    more_set_headers "Content-Security-Policy: $csp";
```
I could fix this on my site by not enforcing `form-action` or by adding every engine's redirect, but I have not done that yet nor do I really want to.
> Go to the page instead and attempt this from the search box. Unless your situation is strange it will not work.

The link I gave was just an example of what I typed into the search form on your engine:

then I press ENTER and it opens https://alternativeto.net/browse/search/?q=foo
Oops .. sorry .. not sure why, but in my FFox it works .. in my Chrome's console I see:
> It's not something I did. It's from the searxng-docker Caddyfile.

Then we have to fix it in searxng-docker .. I will transfer this ticket to searxng-docker.
It works on paulgo.io
I see only one POST for the SearXNG instance, then the response contains a `Location` header. I can't make a link between the `Location` header and the form CSP. It seems I'm missing something.
Doesn't work here under Chromium 116.
> I can't make a link between the Location header and the form CSP.

When you submit a form, the browser keeps track of the source and destination. If there is a CSP header with `form-action` from the form's page's response, those rules get applied. If the response is a 3xx redirect with valid `Location`, that becomes the new form submission target (or at least it should). In this case, that means the page load is canceled because it fails CSP. I can't tell you why it works on FF and not Chrome, redirects have always been weird between browsers.
The error above is a bit misleading since it seems to be reporting the intermediate URL and not the final URL.
A better solution to this that doesn't rely on #114 is to use an interstitial that loads with a 200 code then redirects, like DuckDuckGo. This will "consume" the form submission and not pass it on to the double bang redirect, and has the added benefit of stripping `Referer` in case the browser erroneously added it. For example, the query `!w hello` redirected me to:

https://duckduckgo.com/l/?uddg=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSpecial%3ASearch%3Fsearch%3Dhello%26go%3DGo&rut=496d5d3de3f11b63a22edc6e08d7b7d8dc953e17bc9400c62b1114ff8e6ca239
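To make the mechanism described in the two comments above concrete, here is an added example (my own code, not SearXNG's or searxng-docker's): a small model of how a browser evaluates `form-action` over a form submission that is answered with a 3xx redirect, next to the interstitial answer (HTTP 200 plus a `Refresh` header) that ends the form submission on the instance's own origin so that the subsequent navigation is no longer governed by `form-action`. The CSP string and page origin are taken from the Nginx excerpt above; the redirect chain and the wildcard and port sources are constructed test data; `SAMPLE_CSP`, `PAGE_ORIGIN`, `form_submission_allowed` and `interstitial_response` are names I chose.

```python
"""Model of CSP form-action enforcement across a 3xx redirect chain, and of the
interstitial (200 + Refresh) answer that avoids it.  Added example, not project
code.  Source matching follows the CSP3 host-source rules (scheme, host with an
optional leading wildcard, port, path); 'self' is resolved against the page
origin, other keywords never match a URL.  form-action has no default-src
fallback, which the check below reproduces."""
from html import escape
from urllib.parse import urlsplit

# Taken from the Nginx excerpt in this thread.
SAMPLE_CSP = ("upgrade-insecure-requests;default-src 'none';script-src 'self';"
              "form-action 'self' https://github.com/searxng/searxng/issues/new")
PAGE_ORIGIN = "https://searx.sev.monster"
# Constructed: the form POST to the instance, then the double-bang redirect target.
BANG_REDIRECT_CHAIN = ["https://searx.sev.monster/search",
                       "https://alternativeto.net/browse/search/?q=Nagios"]


def parse_csp(header):
    """Return {directive: [source, ...]} from a Content-Security-Policy value."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_source_matches(source, url, page_origin):
    """CSP3-style host-source match of one source expression against a URL."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        source = page_origin
    elif source.startswith("'"):
        return False                      # 'none', nonces, hashes: never a URL match
    if "://" not in source:
        source = page.scheme + "://" + source   # scheme-less source takes the page scheme
    src = urlsplit(source)
    # scheme: exact, or an http source also admits an https target (upgrade rule)
    if target.scheme != src.scheme and not (src.scheme == "http" and target.scheme == "https"):
        return False
    src_host, tgt_host = src.hostname or "", target.hostname or ""
    if src_host.startswith("*."):
        suffix = src_host[1:]             # ".example.com": any label(s) before it
        if not (tgt_host.endswith(suffix) and len(tgt_host) > len(suffix)):
            return False
    elif src_host != tgt_host:
        return False
    # port: a named port must match; an unnamed one implies the target scheme's default
    default = {"http": 80, "https": 443}
    tgt_port = target.port or default.get(target.scheme)
    if src.port is not None and src.port != tgt_port:
        return False
    if src.port is None and tgt_port != default.get(target.scheme):
        return False
    # path: a source path ending in "/" is a prefix, any other path must match exactly
    if src.path and src.path != "/":
        if src.path.endswith("/"):
            return target.path.startswith(src.path)
        return src.path == target.path
    return True


def url_allowed(sources, url, page_origin):
    """True if any source expression in the directive admits the URL."""
    return any(_host_source_matches(s, url, page_origin) for s in sources)


def form_submission_allowed(csp_header, page_origin, redirect_chain):
    """Chrome-style check: form-action applies to the submitted URL and to every
    redirect target the submission is followed through.  Returns (allowed, blocked_url)."""
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True, None                 # no form-action directive: nothing to enforce
    for url in redirect_chain:
        if not url_allowed(sources, url, page_origin):
            return False, url
    return True, None


def interstitial_response(target_url):
    """Answer the form POST with 200 + Refresh instead of a 3xx.  The form submission
    then terminates at 'self'; the Refresh-driven load is an ordinary navigation, which
    form-action does not govern, and no Referer is sent with it."""
    safe = escape(target_url, quote=True)
    body = ('<!doctype html><meta http-equiv="refresh" content="0; url=%s">'
            '<p>Redirecting to <a href="%s">%s</a></p>' % (safe, safe, safe))
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Refresh": "0; url=" + target_url,
               "Referrer-Policy": "no-referrer"}
    return 200, headers, body


if __name__ == "__main__":
    allowed, blocked = form_submission_allowed(SAMPLE_CSP, PAGE_ORIGIN, BANG_REDIRECT_CHAIN)
    print("3xx redirect allowed:", allowed, "blocked at:", blocked)
    status, headers, _ = interstitial_response(BANG_REDIRECT_CHAIN[-1])
    print("interstitial answer:", status, headers["Refresh"])
```

Run stand-alone, the first line reports that the redirect chain is blocked at the alternativeto.net URL under the quoted policy, while the interstitial is served with status 200 and a `Refresh` header, which is the behaviour the DuckDuckGo `/l/` link above relies on.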
**Is your feature request related to a problem? Please describe.**
When using double-bangs with POST requests, the site you will be redirected to must be added to `form-action` CSP else it will be blocked for violation.

**Describe the solution you'd like**
Find a way to not send form data when redirecting to another site with double-bangs so that every engine does not need to be added to CSP.

**Describe alternatives you've considered**
Started adding sites to CSP—it quickly becomes unmaintainable.

**Example**
On my server, try to search for "Nagios !!alternativeto". Since I did not add `alternativeto.net` to `form-action`, this is the result:

**Additional context**
Related: https://github.com/searxng/searxng/issues/140 I totally opened this in the wrong repository first.