searxng / searxng-docker

The docker-compose files for setting up a SearXNG instance with docker.
GNU Affero General Public License v3.0

Handle double-bang redirections better for CSP #177

Open sevmonster opened 2 years ago

sevmonster commented 2 years ago

Is your feature request related to a problem? Please describe. When using double-bangs with POST requests, the site you will be redirected to must be added to form-action CSP else it will be blocked for violation.

Describe the solution you'd like Find a way to not send form data when redirecting to another site with double-bangs so that every engine does not need to be added to CSP.

Describe alternatives you've considered Started adding sites to CSP—it quickly becomes unmaintainable.

Example On my server, try to search for "Nagios !!alternativeto". Since I did not add alternativeto.net to form-action, this is the result: [screenshot]

Additional context Related: https://github.com/searxng/searxng/issues/140 I totally opened this in the wrong repository first.

return42 commented 2 years ago

Find a way to not send form data when redirecting to another site with double-bangs so that every engine does not need to be added to CSP.

I don't have any issue with CSP & double-bang redirections on my server https://darmarit.org/searx/ .. (tested with FFox & Chrome)

I assume the issue is related to your modifications of the CSP .. here is my CSP

  default_http_headers:
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Download-Options: noopen
    X-Robots-Tag: noindex, nofollow
    Referrer-Policy: no-referrer
    Content-Security-Policy: >-
      default-src 'self' data:
      https://invidio.xamh.de
      https://mp-tube.de
      https://cdn-storage.br.de
      https://*.akamaihd.net
      https://player.vimeo.com
      https://www.mixcloud.com
      https://w.soundcloud.com
      https://www.dailymotion.com
      https://www.deezer.com
      https://genius.com
      https://apasfiis.sf.apa.at
      https://media.tagesschau.de
      ;
      img-src 'self' data:
      https://*.tile.openstreetmap.org
      https://maps.wikimedia.org
      ;

I assume the problem is caused by the form-action 'self'; you added to your CSP header

sevmonster commented 2 years ago

It's not something I did. It's from the searxng-docker Caddyfile. In any case, it's still a problem to allow potentially sensitive form data (i.e. search queries) to go to any other site by punching it through CSP. Maybe this could be resolved by redirecting to an interstitial page to please CSP, then use Refresh: 0 headers to redirect to the desired URL?

return42 commented 2 years ago

It's not something I did. It's from the searxng-docker Caddyfile.

@dalf @mrpaulblack .. do you have the same issue with !! bang redirections?

dalf commented 2 years ago

I haven't tried the configuration, but it makes sense.

One way to fix the issue is to let SearXNG manage the CSP header, see https://github.com/searxng/searxng/issues/140

At first sight, SearXNG could send a CSP header which allows the redirection:

return42 commented 1 year ago

I assume the problem is caused by the form-action 'self'; you added to your CSP header

Seems no longer in the header / issue seems fixed: I tested on https://paulgo.io/ & https://searx.sev.monster/

sevmonster commented 1 year ago

@return42 And I just tested with both and neither worked :) I am not sure why you are not seeing the CSP header, maybe MITM proxy or extension conflict. Or maybe your browser is not parsing/enforcing CSP correctly.

If you wanted to be pedantic this could be considered a true bug for searxng-docker where the default configuration still sets this header, and a feature request for this repository where it does not. However, at the moment there is still no functionality in SearXNG that can help redirect the user to the desired engine if they are using the Docker repo's Caddy CSP headers or similar, and submitting the search form with double-bang.

return42 commented 1 year ago

I am not sure why you are not seeing the CSP header

There is a CSP header but there is no form-action 'self'; in the CSP header.

And I just tested with both and neither worked :)

For me it works, when I use your instance, for example with this link !!alternativeto foo .. it opens directly https://alternativeto.net/browse/search/?q=foo in my browser.

sevmonster commented 1 year ago

There is a CSP header but there is no form-action 'self'; in the CSP header.

form-action is very much there: [screenshot]

For me it works, when I use your instance, for example with this link !!alternativeto foo .. it opens directly https://alternativeto.net/browse/search/?q=foo in my browser.

Yes, it will work if you use a direct link, because it is not triggering form-action, because a direct link is not a form. Currently there is no CSP or other feature that blocks redirects on direct links.

Go to the page instead and attempt this from the search box. Unless your situation is strange it will not work.

Excerpt of site's Nginx configuration:

location / {
        proxy_pass http://searxng;
        include includes/proxy.conf;

        # hide searxng default headers that we already set
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header X-Robots-Tag;
        proxy_hide_header Referrer-Policy;

        # @notimageproxy
        set $csp "upgrade-insecure-requests";
        set $csp "$csp;default-src 'none'";
        set $csp "$csp;script-src 'self'";
        set $csp "$csp;style-src 'self' 'unsafe-inline' https://sev.monster";
        set $csp "$csp;form-action 'self' https://github.com/searxng/searxng/issues/new";
        set $csp "$csp;font-src 'self'";
        set $csp "$csp;frame-ancestors 'self'";
        set $csp "$csp;base-uri 'self'";
        set $csp "$csp;connect-src 'self' https://overpass-api.de";
        #set $csp "$csp;img-src 'self' data: https://*.tile.openstreetmap.org";
        # allow non-proxied images
        set $csp "$csp;img-src * data:";
        set $csp "$csp;frame-src";
        set $csp "$csp https://www.youtube-nocookie.com https://player.vimeo.com";
        set $csp "$csp https://www.dailymotion.com https://www.deezer.com";
        set $csp "$csp https://www.mixcloud.com https://w.soundcloud.com";
        set $csp "$csp https://embed.spotify.com";

        more_set_headers "Content-Security-Policy: $csp";
}

I could fix this on my site by not enforcing form-action or by adding every engine's redirect, but I have not done that yet nor do I really want to.

return42 commented 1 year ago

Go to the page instead and attempt this from the search box. Unless your situation is strange it will not work.

The link I gave was just an example of what I typed into the search form on your engine:


then I press ENTER and it opens https://alternativeto.net/browse/search/?q=foo

Oops .. sorry .. not sure why, but in my FFox it works .. in my Chrome's console I see:


It's not something I did. It's from the searxng-docker Caddyfile.

Then we have to fix it in searxng-docker .. I will transfer this ticket to searxng-docker.

dalf commented 1 year ago

It works on paulgo.io


I see only one POST for the SearXNG instance, then the response contains a Location header. I can't make a link between the Location header and the form CSP. It seems I'm missing something.

sevmonster commented 1 year ago

Doesn't work here under Chromium 116.

I can't make a link between the Location header and the form CSP.

When you submit a form, the browser keeps track of the source and destination. If there is a CSP header with form-action from the form's page's response, those rules get applied. If the response is a 3xx redirect with valid Location, that becomes the new form submission target (or at least it should). In this case, that means the page load is canceled because it fails CSP. I can't tell you why it works on FF and not Chrome, redirects have always been weird between browsers.

The error above is a bit misleading since it seems to be reporting the intermediate URL and not the final URL.

A better solution to this that doesn't rely on #114 is to use an interstitial that loads with a 200 code then redirects, like DuckDuckGo. This will "consume" the form submission and not pass it on to the double bang redirect, and has the added benefit of stripping Referer in case the browser erroneously added it. For example, the query !w hello redirected me to:

https://duckduckgo.com/l/?uddg=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSpecial%3ASearch%3Fsearch%3Dhello%26go%3DGo&rut=496d5d3de3f11b63a22edc6e08d7b7d8dc953e17bc9400c62b1114ff8e6ca239
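As an added illustration (not code from SearXNG, searxng-docker or anyone in this thread), the following Python models the two behaviours the last two comments describe: a 3xx redirect to the engine, whose Location the browser checks against the instance's form-action directive, versus a 200 interstitial that navigates on its own and so ends the form submission at the instance. INSTANCE_ORIGIN and CSP_FORM_ACTION are constructed to resemble the Nginx policy quoted above, and the form-action matcher is deliberately simplified (only 'self' and explicit URL sources, no wildcards).

```python
from html import escape
from urllib.parse import urlparse

# Constructed values resembling the Nginx form-action policy quoted above.
INSTANCE_ORIGIN = "https://searx.example"  # hypothetical instance origin
CSP_FORM_ACTION = ["'self'", "https://github.com/searxng/searxng/issues/new"]

def form_action_allows(form_action, instance_origin, target_url):
    """Simplified form-action match: 'self' compares origins; an explicit source
    must match scheme, host and exact path (no wildcard or port handling)."""
    t = urlparse(target_url)
    for src in form_action:
        if src == "'self'":
            if f"{t.scheme}://{t.netloc}" == instance_origin:
                return True
        else:
            s = urlparse(src)
            if (s.scheme, s.netloc, s.path or "/") == (t.scheme, t.netloc, t.path or "/"):
                return True
    return False

def redirect_response(target_url):
    """Current behaviour: a 3xx whose Location becomes the form's new target."""
    return 302, {"Location": target_url}, ""

def interstitial_response(target_url):
    """Proposed behaviour: a 200 page that navigates on its own, so the form
    submission ends at the instance (only 'self' is checked) and the
    no-referrer policy keeps the query out of the Referer header."""
    url = escape(target_url, quote=True)
    body = ('<!doctype html><meta name="referrer" content="no-referrer">'
            f'<meta http-equiv="refresh" content="0;url={url}">'
            f'<a href="{url}">Continue</a>')
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Referrer-Policy": "no-referrer",
               "Refresh": f"0; url={target_url}"}
    return 200, headers, body

def form_submission_blocked(response, instance_origin, form_action):
    """True when the browser would cancel the navigation: the form submission is
    still in flight (3xx with Location) and the new target fails form-action."""
    status, headers, _ = response
    if 300 <= status < 400 and "Location" in headers:
        return not form_action_allows(form_action, instance_origin, headers["Location"])
    return False
```

Whether a 3xx after a form POST is re-checked against form-action differs between browsers, as the Firefox/Chrome results above show; the model here follows the Chrome behaviour reported in the thread.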