A list of widgets breaking strict Content-Security-Policy (CSP) directives

[brownaa]

Is your proposal related to a problem?

See #1288. Wagtail uses inline javascript and styles to provide useful feedback to the user. This causes conflicts with CSP directives.

This issue attempts to list all of the potential places this occurs in the Wagtail codebase.

Directives to be reviewed:

• [x] script-src ((completed 2021-04-21))
• [ ] img-src
• [ ] font-src
• [x] style-src ((completed 2021-04-21))

Extra Notes

• The JS library modernizer-2.6.2.min.js is blocked by the style-src: 'self' CSP. You can trigger this by visiting /admin/

script-src: 'self'

Wagtail Admin

• [ ] wagtail/admin/edit_handlers.py

Wagtail Admin Templates

1. wagtail/admin/templates/wagtailadmin/

   • [ ] base.html
   • [ ] home.html
   • [x] login.html
   • [ ] skeleton.html

2. wagtail/admin/templates/wagtailadmin/edit_handlers/

   • [ ] wagtail/admin/templates/wagtailadmin/edit_handlers/inline_panel.html need to inspect how code is injected here to see if there are more ways this might break CSP

3. wagtail/admin/templates/wagtailadmin/home/

   • [ ] wagtail/admin/templates/wagtailadmin/home/locked_pages.html
   • [ ] wagtail/admin/templates/wagtailadmin/home/workflow_pages_to_moderate.html

4. wagtail/admin/templates/wagtailadmin/pages/

   • [ ] wagtail/admin/templates/wagtailadmin/pages/listing/_button_with_dropdown.html NOTE: need to inspect if this breaks CSP
   • [ ] wagtail/admin/templates/wagtailadmin/pages/workflow_history/detail.html
   • [ ] wagtail/admin/templates/wagtailadmin/pages/workflow_history/index.html
   • [ ] wagtail/admin/templates/wagtailadmin/pages/_editor_js.html
   • [ ] wagtail/admin/templates/wagtailadmin/pages/create.html NOTE: see comments above code linked here and check if relevant of if CSP still interprets this as an inline script
   • [ ] wagtail/admin/templates/wagtailadmin/pages/edit.html NOTE: see comments above code linked here and check if relevant of if CSP still interprets this as an inline script
   • [ ] wagtail/admin/templates/wagtailadmin/pages/index.html
   • [ ] wagtail/admin/templates/wagtailadmin/pages/preview_error.html NOTE: need to inspect if this breaks CSP
   • [ ] wagtail/admin/templates/wagtailadmin/pages/search.html

5. wagtail/admin/templates/wagtailadmin/permissions/includes/

   • [ ] wagtail/admin/templates/wagtailadmin/permissions/includes/collection_member_permissions_formset.html#L45-L51
   • [ ] wagtail/admin/templates/wagtailadmin/permissions/includes/collection_member_permissions_formset.html#L57-L71

6. wagtail/admin/templates/wagtailadmin/reports/

   • [ ] wagtail/admin/templates/wagtailadmin/reports/workflow.html

7. wagtail/admin/templates/wagtailadmin/shared/

   • [ ] wagtail/admin/templates/wagtailadmin/shared/locale_selector.html NOTE: need to inspect if this breaks CSP

8. wagtail/admin/templates/wagtailadmin/widgets/

   • [ ] wagtail/admin/templates/wagtailadmin/widgets/auto_height_text_input.html
   • [ ] wagtail/admin/templates/wagtailadmin/widgets/date_input.html
   • [ ] wagtail/admin/templates/wagtailadmin/widgets/datetime_input.html
   • [ ] wagtail/admin/templates/wagtailadmin/widgets/draftail_rich_text_area.html
   • [ ] wagtail/admin/templates/wagtailadmin/widgets/hallo_rich_text_area.html
   • [ ] wagtail/admin/templates/wagtailadmin/widgets/tag_widget.html
   • [ ] wagtail/admin/templates/wagtailadmin/widgets/time_input.html

9. wagtail/admin/templates/wagtailadmin/workflows/

   • [ ] index.html
   • [ ] includes/_edit_js.html
   • [ ] includes/workflow_pages_formset.html#L42-L48
   • [ ] includes/workflow_pages_formset.html#L55-L69

Wagtail Contrib

• [ ] wagtail/contrib/forms/templates/wagtailforms/index_submissions.html#L7-L81
• [ ] wagtail/contrib/modeladmin/templates/modeladmin/prepopulated_slugs.html#L2-L6
• [ ] https://wagtail/contrib/modeladmin/templates/modeladmin/includes/search_form.html#L19
• [ ] wagtail/contrib/redirects/templates/wagtailredirects/choose_import_file.html#L7-L13
• [ ] wagtail/contrib/redirects/templates/wagtailredirects/index.html#L9-L15
• [ ] wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/add.html#L45-L52
• [ ] wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/edit.html#L37-L44
• [ ] wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/index.html#L7-L13
• [ ] wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/includes/searchpromotions_formset.html#L9-L13
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L913-L926

Wagtail Documents

• [ ] wagtail/documents/templates/wagtaildocs/documents/add.html#L12-L18
• [ ] wagtail/documents/templates/wagtaildocs/documents/edit.html#L12-L18
• [ ] wagtail/documents/templates/wagtaildocs/documents/index.html#L6-L18
• [ ] wagtail/documents/templates/wagtaildocs/multiple/add.html#L60-L76
• [ ] wagtail/documents/templates/wagtaildocs/multiple/add.html#L94-L101

Wagtail Images

• [ ] wagtail/images/templates/wagtailimages/images/add.html#L12-L18
• [ ] wagtail/images/templates/wagtailimages/images/edit.html#L20-L26
• [ ] wagtail/images/templates/wagtailimages/images/index.html#L9-L21
• [ ] wagtail/images/templates/wagtailimages/multiple/add.html#L60-L82
• [ ] wagtail/images/templates/wagtailimages/multiple/add.html#L104-L117

Wagtail Snippets

• [ ] wagtail/snippets/templates/wagtailsnippets/snippets/type_index.html#L7-L13

Wagtail Users

• [ ] wagtail/users/templates/wagtailusers/groups/index.html#L6-L12
• [ ] wagtail/users/templates/wagtailusers/groups/includes/page_permissions_formset.html#L45-L51
• [ ] wagtail/users/templates/wagtailusers/users/index.html#L6-L16

Wagtail Utils

• [ ] wagtail/utils/widgets.py#L30 NOTE: this uses a unique approach in all of the wagtail codebase to inject inline scripts

style-src: 'self'

Wagtail Embeds

• [ ] wagtail/embeds/templates/wagtailembeds/embed_frontend.html#L1

Wagtail Admin

• [ ] wagtail/admin/templates/wagtailadmin/home/upgrade_notification.html#L3
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L7-L82
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L84
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L89
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L95
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L105
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L107
• [ ] wagtail/admin/templates/wagtailadmin/notifications/base.html#L117
• [ ] wagtail/admin/templates/wagtailadmin/pages/add_subpage.html#L23
• [ ] wagtail/admin/templates/wagtailadmin/pages/confirm_delete.html#L31
• [ ] wagtail/admin/templates/wagtailadmin/pages/edit_alias.html#L5
• [ ] wagtail/admin/templates/wagtailadmin/pages/search_results.html#L19
• [ ] wagtail/admin/templates/wagtailadmin/pages/search_results.html#L26
• [x] wagtail/admin/templates/wagtailadmin/pages/workflow_history/index.html#L11
• [ ] wagtail/admin/templates/wagtailadmin/permissions/includes/collection_member_permissions_formset.html#L31
• [ ] wagtail/admin/templates/wagtailadmin/shared/icons.html#L2
• [ ] wagtail/admin/templates/wagtailadmin/shared/locale_selector.html#L4
• [ ] wagtail/admin/templates/wagtailadmin/userbar/base.html#L9
• [ ] wagtail/admin/templates/wagtailadmin/workflows/includes/workflow_pages_formset.html#L28

Contrib

• [ ] wagtail/contrib/forms/templates/wagtailforms/list_submissions.html#L10
• [ ] wagtail/contrib/modeladmin/templates/modeladmin/index.html#L65
• [ ] wagtail/contrib/search_promotions/templates/wagtailsearchpromotions/includes/searchpromotion_form.html#L2
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L327
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L336
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L345
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L468-L474
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L757
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L777
• [ ] wagtail/contrib/styleguide/templates/wagtailstyleguide/base.html#L789-L803

Documents

• [ ] wagtail/documents/templates/wagtaildocs/multiple/add.html#L54
• [ ] wagtail/documents/templates/wagtaildocs/multiple/add.html#L65

Embeds

• [ ] wagtail/embeds/templates/wagtailembeds/embed_frontend.html#L1

Images

• [ ] wagtail/images/templates/wagtailimages/images/edit.html#L66
• [ ] wagtail/images/templates/wagtailimages/multiple/add.html#L54
• [ ] wagtail/images/templates/wagtailimages/multiple/add.html#L66

Users

• [ ] wagtail/users/templates/wagtailusers/groups/includes/page_permissions_formset.html#L31

[gasman]

Don't know if this is on your radar already, but a lot of inline <script> tags won't necessarily be in templates - in particular, form widgets inheriting from WidgetWithScript will contribute a lot of them.

[brownaa]

@gasman Thanks for the tip.

[brownaa]

script-src is done.

[brownaa]

style-src is done

[brownaa]

Example of how to add nonce to an inline <script> element. https://github.com/brownaa/wagtail/commit/0d497580581399cb52c148dd17899550f7febb94

Example of how to add nonce to an inline style element. https://github.com/brownaa/wagtail/commit/bc2738e540731fe47dcdc6273f6122a36e45eaa8

Based on my testing, it does not appear that we could add a nonce to a style attribute like <div style="display:none" nonce="r@nd0m">

[thibaudcolas]

Reading up / based on our discussion in Slack, we’ll need to get rid of those style="" attributes in HTML/Python, and in JavaScript switch any usage of setAttribute('style') to adding individual properties on the style DOM attribute: https://stackoverflow.com/a/29089970/1798491.

I couldn’t see any setAttribute('style') in Wagtail’s JS code, but there could be in our dependencies.

For style attributes in HTML, I could see two based on the list above that will be tricky to change:

• Responsive embeds. https://github.com/wagtail/wagtail/blob/b34d48297e737b5ebbe2d7f3d3af3fa6b527487f/wagtail/embeds/templates/wagtailembeds/embed_frontend.html#L1

Does some clever math. This would either require a <style> attribute with a nonce and adding styles via a unique id to each iframe… or I think we might be able to refactor this to use the more modern aspect-ratio CSS property.

• Image chooser renditions. https://github.com/wagtail/wagtail/blob/b34d48297e737b5ebbe2d7f3d3af3fa6b527487f/wagtail/images/templates/wagtailimages/images/edit.html#L66

This might be easier by setting the values via JS.

---

All the other style attributes in HTML can either be replaced with CSS classes, or the hidden HTML attribute.

[rob101]

Why not solve this with a Middleware class? E.g. assuming you are using django-csp to generate a nonce, you could follow something like this with BS4 to add attributes to tags:

from __future__ import annotations
from typing import Callable
from bs4 import BeautifulSoup

from django.http import HttpRequest, HttpResponse

class ScriptMiddleware:
    def __init__(self,
                 get_response: Callable[[HttpRequest], HttpResponse]) -> None:
        self.get_response = get_response

    def __call__(self, request: HttpRequest) -> HttpResponse:
        response = self.get_response(request)
        content = response.content.decode(response.charset)

        # Add nonce to scripts
        soup = BeautifulSoup(content)
        els = soup.find_all('script')
        for el in els:
            el.attrs['nonce'] = str(request.csp_nonce)
        response.content = str(soup)

        return response

[gasman]

@rob101 Because that's defeating the point of having CSP in the first place. If someone can sneak a <script> tag into the template through an XSS attack, this middleware will blindly mark it as trusted even though there's no checking to see where it came from.

[rob101]

@gasman XSS is usually client side isn't it, typically a browser side script injection? The middleware runs before DOM load so bad actor script tags would not be caught, unless I am missing something?

https://owasp.org/www-community/Types_of_Cross-Site_Scripting

[gasman]

@rob101 OK, yep, the third type described there (DOM Based XSS) is one that could conceivably be stopped by CSP with this middleware approach (in a setup where the malicious script isn't initially present in executable form as part of the served document, but is placed there as a result of running trusted client-side code with security flaws). I don't believe that's the most common type by a long way, though.

[lb-]

Workflow history detail will be solved via https://github.com/wagtail/wagtail/pull/8626

[lb-]

RFC 78 created https://github.com/wagtail/rfcs/pull/78 - with the goal of giving us a practical solution to widget scripts (amongst other things).

[lb-]

wagtail/contrib/redirects/templates/wagtailredirects/choose_import_file.html should be fixed by https://github.com/wagtail/wagtail/pull/8654

script was not even used for this view.

[lb-]

Login page - inline script to focus on username field has been replaced with autofocus attribute.

Via #8925

[lb-]

10045 will fix some of the script elements used as template tags in documents|images/mulitiple/add.

Hopefully will get a chance to update this main issue with all the things that are checked off.