Content Security Policy rules to consider

[philwareham]

When we come to tighten up the CSP, here are all the potential rules it can have (see below). Note that some of these won't be applicable to our sites but we can either lock them down if unused or omit the rule. Some of these (not all) fallback to the default-src rule anyway if not defined - and I think we have set that to 'none' for each site - so that provides a modicum of security.

We can tick of each as they are considered/implemented/discarded:

• [x] base-uri (still deciding whether we should have none or self here) (self)
• [x] child-source (not used here as it defaults to default-src setting none)
• [x] connect-src
• [x] default-src (none)
• [x] font-src
• [x] form-action (self)
• [x] frame-ancestors (none)
• [x] frame-src
• [x] img-src
• [x] manifest-src (self)
• [x] media-src (self)
• [x] object-src (not used here as it defaults to default-src setting none)
• [x] report-to (not used)
• [x] require-trusted-types-for (not used)
• [x] sandbox (not used, i.e. disallows sandboxing)
• [ ] script-src
• [ ] script-src-attr
• [ ] script-src-elem
• [ ] style-src
• [ ] style-src-attr
• [ ] style-src-elem
• [x] trusted-types (not used)
• [x] upgrade-insecure-requests (unused, server handles HTTPS upgrades directly)
• [x] worker-src (none)

[philwareham]

@petecooper I've spent some time tightening these CSP rules, if you want to upload latest to server? I need to test some off the script and style ones work in situ before I tick the list off completely.

Also, unsure why you have a separate block for SVG in your config files?

[petecooper]

Nginx location block directives are only inherited from 'higher up' and there have been issues in the past with SVG being blocked on some browsers. See https://bugzilla.mozilla.org/show_bug.cgi?id=1262842 as a starter. This is basically a workaround to ensure that safe stuff is permitted in SVG only, while the rest of the site is locked down appropriately.

That said, it's been a while since I've reassessed the appropriateness of the SVG CSP stuff, so I'll take a look and rebuild when I have some time.

[philwareham]

OK, the only SVG that would be potentially affected by this was not essential, so I've removed it now.

Basically, you can remove the special CSP SVG block in all sites apart from the design patterns from 4.6 to 4.8.

[petecooper]

fyi confs uploaded and Nginx bounced just now.

[philwareham]

@petecooper in order to avoid using 'unsafe-inline' for our script-src directives, we need to look at generating nonces and apply those to certain inline JS within Textpattern (maybe useful for style-src as a last resort, but I think I can solve that with hashes).

This article might help create nonce values in Nginx: https://scotthelme.co.uk/csp-nonce-support-in-nginx/

More specifically this solution: https://scotthelme.co.uk/csp-nonce-support-in-nginx/#comment-3172187021

Can you investigate the Nginx side, I can then investigate the Textpattern side?

Looping in https://github.com/textpattern/textpattern/issues/1142 for future reference too.

[philwareham]

Note, I have removed block-all-mixed-content both from the list here and in the config files. See here for deprecation info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

[petecooper]

• [ ] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for