textpattern / server-config

Configuration files for Textpattern project servers.
The Unlicense

Some style CSP settings block user stylesheets. #73

Closed phiw13 closed 2 years ago

phiw13 commented 2 years ago

Workaround: Add 'unsafe-inline' to the style-src-elem 'self'; rule.

PS - oddly maybe, this issue does not exist with Chromium-based browsers with the Stylus extension, although the CSP is recognised and applied. Based on the available documentation (MDN), that seems wrong. But I might misunderstand something…

Related forum post: https://forum.textpattern.com/viewtopic.php?pid=333593#p333593

Tia.

petecooper commented 2 years ago

> Workaround: Add 'unsafe-inline' to the style-src-elem 'self'; rule.

On the grounds that we already have unsafe-inline for style-src (the fallback for style-src-elem), I am not averse to extending this to style-src-elem. I'll get this sorted today - thanks for the report @phiw13

petecooper commented 2 years ago

Should be live in ~30 minutes, updating Nginx and sundry components.

@phiw13 - please re-check after >30 minutes from this timestamp, feedback is appreciated. Thank you.

phiw13 commented 2 years ago

Am I missing something? As of writing time (13:19 JST), I still see the same CSP values:

Content-Security-Policy: base-uri 'self';block-all-mixed-content;connect-src 'self';default-src 'none';font-src https://textpattern.com 'self';form-action 'self';frame-ancestors 'none';frame-src 'none';img-src https://textpattern.com data: 'self';manifest-src 'self';media-src data: 'self';object-src 'none';script-src https://textpattern.com 'self';style-src https://textpattern.com 'self';

(This is for the docs site)

Both Firefox and Safari used for testing.

cara-tm commented 2 years ago

Firefox latest on PC (warning messages in French: sorry, I'm French...):


phiw13 commented 2 years ago

@cara-TM Yes, Firefox does not (yet) support the style-src directive, AFAICT. I noted that in the linked forum thread.

cara-tm commented 2 years ago

Ok.

petecooper commented 2 years ago

I used a third-party CSP checker (https://csp-evaluator.withgoogle.com) after I made changes yesterday, and both sites came back as updated.

Docs:

base-uri 'self';
block-all-mixed-content;
connect-src 'self';
default-src 'none';
font-src https://textpattern.com 'self';
form-action 'self';
frame-ancestors 'none';
frame-src 'none';
img-src https://textpattern.com data: 'self';
manifest-src 'self';
media-src data: 'self';
object-src 'none';
script-src https://textpattern.com 'self';
style-src https://textpattern.com 'self';
style-src-elem 'self' 'unsafe-inline';
style-src-attr 'unsafe-inline';

.com:

base-uri 'self';
block-all-mixed-content;
connect-src 'self';
default-src 'none';
font-src 'self';
form-action 'self';
frame-ancestors 'none';
frame-src 'none';
img-src data: 'self';
manifest-src 'self';
media-src data: 'self';
object-src 'none';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
style-src-elem 'self';
style-src-attr 'unsafe-inline';
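
The two headers above differ only in which of style-src and style-src-elem carries 'unsafe-inline', and the earlier comment relies on style-src being the fallback for style-src-elem. The following is an added example, written for this page and not code from the textpattern/server-config repository: a small CSP resolver that parses a header, walks the CSP Level 3 fallback chain, and reports whether an inline <style> element or style attribute would be allowed. The LEGACY_DIRECTIVES set is an assumption standing in for the claim made in this thread that Firefox ignores style-src-elem; the code models that claim rather than verifying it, and nonces/hashes are not modelled because none of the posted headers use them. The header strings are trimmed to the style-relevant directives of the headers quoted in the thread.

```python
# Added example: CSP fallback resolver. Not part of the textpattern/server-config repo.
from __future__ import annotations

# CSP Level 3 fallback order for the directives discussed in the thread:
# the first directive in the chain that is present in the policy governs.
FALLBACK: dict[str, list[str]] = {
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "style-src": ["style-src", "default-src"],
    "script-src": ["script-src", "default-src"],
}

# Assumption: a browser that has not implemented the *-elem / *-attr split
# silently ignores those directives and evaluates the rest of the policy.
# This stands in for the claim in the thread about Firefox; it is not checked.
LEGACY_DIRECTIVES = frozenset({
    "default-src", "style-src", "script-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "manifest-src",
    "base-uri", "form-action", "frame-ancestors", "block-all-mixed-content",
})


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directive names are case-insensitive and a repeated directive is
    ignored (the first occurrence wins), as the spec requires."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, directive, supported=None):
    """Return (name, sources) of the directive that actually governs
    `directive`: walk the fallback chain, skipping names the browser does
    not implement (supported=None means it implements everything).
    Returns (None, None) when nothing in the chain is present."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if supported is not None and name not in supported:
            continue
        if name in policy:
            return name, policy[name]
    return None, None


def inline_style_allowed(header, directive="style-src-elem", supported=None):
    """True if an inline <style> element (style-src-elem) or a style=""
    attribute (style-src-attr) passes this policy in a browser with the
    given directive support. Nonces and hashes are deliberately not
    modelled; the headers in this thread contain none."""
    _, sources = governing_directive(parse_csp(header), directive, supported)
    if sources is None:           # no applicable directive at all: unrestricted
        return True
    return "'unsafe-inline'" in sources


# Style-relevant directives of the headers quoted in this thread
# (the rest of each header does not affect inline styles).
DOCS_BEFORE = "default-src 'none';style-src https://textpattern.com 'self';"
DOCS_AFTER = ("default-src 'none';style-src https://textpattern.com 'self';"
              "style-src-elem 'self' 'unsafe-inline';style-src-attr 'unsafe-inline';")
COM_AS_POSTED = ("default-src 'none';style-src 'self' 'unsafe-inline';"
                 "style-src-elem 'self';style-src-attr 'unsafe-inline';")


def report(header):
    """Inline <style> element handling under full directive support and
    under the legacy set above. Returns {"full": bool, "legacy": bool}."""
    return {
        "full": inline_style_allowed(header),
        "legacy": inline_style_allowed(header, supported=LEGACY_DIRECTIVES),
    }


if __name__ == "__main__":
    for label, hdr in [("docs before", DOCS_BEFORE),
                       ("docs after", DOCS_AFTER),
                       (".com as posted", COM_AS_POSTED)]:
        print(f"{label:15} {report(hdr)}")
```

Running it shows the asymmetry a reviewer would want to check before closing: the post-change docs header allows inline <style> only in a browser that honours style-src-elem, because a browser that skips it lands on style-src, which still has no 'unsafe-inline'. The .com header as posted does the reverse: style-src-elem 'self' without 'unsafe-inline' blocks inline style elements in browsers that honour the new directive, while the 'unsafe-inline' on style-src only reaches browsers that fall back to it. If the goal is the same behaviour everywhere, the source list that carries 'unsafe-inline' needs to be the same on both style-src and style-src-elem.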

phiw13 commented 2 years ago

Interesting: docs now comes up with the expected newly minted CSP header in both Safari and Firefox. The main textpattern.com still shows the old one.

Is that “something” cached somewhere on the network? (Cloudf. ?) All tests were performed with clean browser caches.

Closing as it is now just a waiting game for some cache to clear.