shaarli / Shaarli

The personal, minimalist, super-fast, database free, bookmarking service - community repo
https://shaarli.readthedocs.io/

Enforce security-related HTTP response headers recommended by https://observatory.mozilla.org/ #1513

Open nodiscc opened 4 years ago

nodiscc commented 4 years ago

In ApiMiddleware.php, Shaarli sets a few HTTP response headers (Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Origin). We could augment this list with security-related HTTP headers recommended by https://observatory.mozilla.org/, and add these headers to all Shaarli HTTP responses (not only the API).

A vanilla Shaarli installation should pass most tests from the observatory, with minimal configuration required on the webserver side.

For instance, we are missing the Content-Security-Policy header - I usually set a default, restrictive CSP at the webserver level, but this is not documented - and then it must be relaxed specifically for this plugin.

nodiscc commented 4 years ago

https://observatory.mozilla.org/analyze/demo.shaarli.org

Rating: D
Score: 35/100
Tests Passed: 6/11


hydrargyrum commented 2 years ago

Since the web app does not require external resources, the CSP header could be set to something like default-src 'self', right? Maybe it should require 'unsafe-inline' too.

nodiscc commented 2 years ago

I have it set to "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com; frame-ancestors 'none'", youtube URLs are only needed for the playvideos plugin.

I have not tried to replace script-src with default-src
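The policy quoted above, together with the first comment's proposal to add security headers on every response, can be inspected with a small standalone script. This is an added example, not Shaarli code (Shaarli itself is PHP): it renders the header set Observatory looks for, and resolves which source list a browser actually applies to a directive, including the CSP fallback rules, which answers the default-src versus script-src question. The directive chains are the CSP Level 3 ones; hostnames beyond the YouTube ones already in the thread are assumptions.

```python
"""Render and inspect a Content-Security-Policy for a Shaarli instance.

Added example, not Shaarli code. Shows (1) the header set to add on every
response and (2) how CSP fallback works, so that a bare "default-src 'self'"
is not mistaken for a complete policy.
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# CSP Level 3 fallback chains: a directive absent from the policy is governed by
# the first directive in its chain that is present. Directives not listed here
# fall back to default-src only; the navigation/document directives below never
# fall back, so "default-src 'self'" leaves frame-ancestors unrestricted.
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
}
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}

# The policy nodiscc runs at the webserver level (YouTube entries only for playvideos).
NODISCC_POLICY = ("script-src 'self' 'unsafe-inline' https://www.youtube.com "
                  "https://s.ytimg.com; frame-ancestors 'none'")

# A stricter starting point (assumption for this example): no inline sources,
# external thumbnails/media allowed over https as thican describes.
STRICT_POLICY: Policy = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "https:"],    # 'https:' matches any https origin, like https://*
    "media-src": ["'self'", "https:"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}


def parse_csp(header: str) -> Policy:
    """Split a header value into {directive: [source, ...]}."""
    policy: Policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def render_csp(policy: Policy) -> str:
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def effective_sources(policy: Policy, directive: str) -> Optional[List[str]]:
    """Source list the browser enforces for `directive`; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    for parent in FALLBACK.get(directive, ["default-src"]):
        if parent in policy:
            return policy[parent]
    return None


def unsafe_directives(policy: Policy) -> List[str]:
    """Directives whose sources reintroduce inline/eval execution."""
    return sorted(name for name, sources in policy.items()
                  if {"'unsafe-inline'", "'unsafe-eval'"} & set(sources))


def security_headers(policy: Policy, report_only: bool = False,
                     https: bool = True) -> Dict[str, str]:
    """Headers to emit on every Shaarli response, not only the API."""
    csp_name = ("Content-Security-Policy-Report-Only" if report_only
                else "Content-Security-Policy")
    headers = {
        csp_name: render_csp(policy),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    # X-Frame-Options is the legacy twin of frame-ancestors; keep them consistent.
    ancestors = effective_sources(policy, "frame-ancestors")
    if ancestors == ["'none'"]:
        headers["X-Frame-Options"] = "DENY"
    elif ancestors == ["'self'"]:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    if https:  # browsers ignore HSTS received over plain HTTP
        headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains"
    return headers


if __name__ == "__main__":
    for name, value in security_headers(STRICT_POLICY).items():
        print(f"{name}: {value}")
```

Two things the script makes visible: with nodiscc's policy, img-src and every other fetch directive are unrestricted because there is no default-src, and with a bare `default-src 'self'` the page can still be framed because frame-ancestors does not inherit. Start with the Report-Only variant so violations are reported but nothing breaks.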

thican commented 6 days ago

Hello,

I think we should make a list of CSP violations for a default CSP with script-src 'self'; and style-src 'self'; so we can answer those issues. Using sources like unsafe-inline defeats the whole purpose of CSP. Note: I personally added exceptions with source https://* for img-src and media-src, useful for external thumbnails and such.

I have a question about the vintage theme, is it still supported? I see multiple inline JavaScript contents, but I am not sure if we should fix them.

I also confirm my web browser reports a violation with the playvideos plugin, but it looks like the issue comes from the jQuery file shipped within this plugin, version 1.11.2, which seems quite old. Shouldn’t we try to update it to see if this answers this CSP violation?

About style-src, the only place I see a violation is in the tag cloud page. After reflection, a nonce is not the best solution IMHO, as it requires setting the CSP header, which is not the case yet, and then removes the possibility of letting the web host set this header. A class with an exhaustive list of values in a dynamic CSS file could be a solution.
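The list of violations proposed above is easiest to compile from the reports browsers POST to a report-uri (or report-to) endpoint while the policy runs in Content-Security-Policy-Report-Only mode. The following aggregator is an added example, not Shaarli code: it parses those report bodies, deduplicates them by effective directive, blocked origin and page, and separates violations that can be answered with an explicit origin exception from inline violations that need a code change rather than 'unsafe-inline'. The sample reports and hostnames are constructed for the example and do not come from a real instance.

```python
"""Aggregate CSP violation reports into a deduplicated list of things to fix.

Added example, not Shaarli code. Input bodies have the shape browsers send
with Content-Type application/csp-report; the samples below are constructed.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Violation = Tuple[str, str, str]  # (effective directive, blocked origin or keyword, page)


def _origin(uri: str) -> str:
    """Reduce a URL to scheme://host; keep keywords ('inline', 'eval', 'data') as-is."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri or "unknown"


def _page(uri: str) -> str:
    """Document or source file without its query string, so one page counts once."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}{parts.path}"
    return uri or "unknown"


def parse_report(body: bytes) -> Violation:
    """Parse one report body into a Violation key, tolerating older report formats."""
    report = json.loads(body).get("csp-report", {})
    # Older browsers send only violated-directive, which may include the source list.
    directive = (report.get("effective-directive")
                 or report.get("violated-directive", "unknown")).split()[0]
    blocked = _origin(report.get("blocked-uri", ""))
    page = _page(report.get("source-file") or report.get("document-uri", ""))
    return directive, blocked, page


def violation_list(bodies) -> List[Tuple[Violation, int]]:
    """Distinct violations with counts, most frequent first."""
    counts = Counter(parse_report(b) for b in bodies)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def proposed_sources(violations) -> Dict[str, List[str]]:
    """Origins that could be added to a directive as an explicit exception."""
    out: Dict[str, List[str]] = {}
    for (directive, blocked, _page), _n in violations:
        if blocked.startswith(("http://", "https://")):
            out.setdefault(directive, [])
            if blocked not in out[directive]:
                out[directive].append(blocked)
    return out


def inline_findings(violations) -> List[Tuple[str, str]]:
    """Inline script/style violations: move the code to a file, never add 'unsafe-inline'."""
    return sorted({(d, page) for (d, blocked, page), _n in violations if blocked == "inline"})


def _report(directive: str, blocked: str, page: str, line: int = 0) -> bytes:
    """Build a constructed report body in the shape browsers POST to report-uri."""
    r = {"document-uri": page, "effective-directive": directive,
         "violated-directive": directive, "blocked-uri": blocked,
         "original-policy": "default-src 'self'; script-src 'self'; style-src 'self'; "
                            "report-uri /csp-report"}
    if line:
        r["source-file"], r["line-number"] = page, line
    return json.dumps({"csp-report": r}).encode()


# Constructed sample reports (hostnames and paths are assumptions for the example).
SAMPLE_BODIES = [
    _report("script-src", "inline", "https://shaarli.example/?searchtags=csp", 12),
    _report("script-src", "inline", "https://shaarli.example/?searchtags=csp", 30),
    _report("style-src", "inline", "https://shaarli.example/tagcloud", 8),
    _report("img-src", "https://images.example.net/thumb/1.jpg", "https://shaarli.example/"),
    _report("img-src", "https://images.example.net/thumb/2.jpg", "https://shaarli.example/"),
    _report("script-src", "https://www.youtube.com/iframe_api", "https://shaarli.example/"),
    _report("frame-src", "https://www.youtube.com/embed/x", "https://shaarli.example/"),
]

if __name__ == "__main__":
    found = violation_list(SAMPLE_BODIES)
    for (directive, blocked, page), n in found:
        print(f"{n:3d}  {directive:<12} {blocked:<32} {page}")
    print("exceptions:", proposed_sources(found))
    print("fix in code:", inline_findings(found))
```

The endpoint receiving these bodies must accept unauthenticated cross-site POSTs with Content-Type application/csp-report, so it should do nothing beyond storing the body. report-uri is deprecated in favour of report-to but is still the one every major browser sends to, which is why the example keys on it.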

nodiscc commented 5 days ago

make a list of CSP violations for a default CSP with script-src 'self'; and style-src 'self';

:+1:

the vintage theme, is it still supported?

I wouldn't bother fixing those issues for the vintage theme right now, unless you use it personally.

Shouldn’t we try to update [playvideos jquery file]

Worth trying, and checking if that resolves CSP issues (and if the plugin still works with an updated jquery)