Missing support for the Content Security Policy Header

[bicf]

Due missing of CSP in Yii2 I develop a basic support of CSP.

Following the "Git workflow for Yii 2 contributors" I open this issue.

[bizley]

What support do you require? CSP can be already used.

I've prepared something for this:

• extended Response class
• no-inline-JS component to work with CSP rules

[bicf]

I try to reduce as much as possible the impact of the modify in the code but I've some doubts:

• Yii:$app->csp is a good name for the component?
• the hash of the JS is calculated on the registed scripts (registerJs) probably need to expose a function to calc the hash for spot scripts
• where "store" the documentation

TIA

[bizley]

It was prepared rather for internal usage hence lack of documentation. I could gladly help with adding something similar to the core. But if this should stay as outside package I can publish it properly.

[bicf]

LOL If it's good for you, I'll write the missing documentation as java-comment in a new commit

[bizley]

I'm a bit confused. I thought you don't understand some parts of my code - not whether we are adding this to Yii 2 core or not. None of Yii 2 team members said anything yet. I'm perfectly capable of writing documentation on my own, thank you.

My question is more for an idea behind this component:

• Should it be only a basic support for CSP rules headers without handling inline assets?
• Should inline assets be taken into account? It makes it more complex then.

[bicf]

Sorry, I totally misunderstood your comments. I was thinking you're talking about my PR 13964!

About this implementaton I think that:

• must be backward compatible
• must support all CSP2 tag
• should support JS in-line-assets if using Yii functions (registerJs,..)
• should not support CSS in-line
• should be easy to propagate inside the framework and plugins

I see your codes and my comments are:

• I like the idea of a safer Response releasing all the "security headers"
• but I don't like "SafeResponse" class, should be a "Response" with a differente namespace, but this is a detail
• I really don't like the use of SESSION to address the in-line code could become a serious bottleneck (see my solution)

PS I don't want to be "negative" with my "don't like"

[uran1980]

@see https://github.com/paragonie/csp-builder

[bicf]

Hi, I develop a an yii2 extension to release all the security headers based on modules. It realease the CSP header too @see https://github.com/bicf/yii2-security-headers

ADD Even if the code is working (ex quite good HAHAHAHA), all the documentation is still WIP and I'll apreciate feed-back

[samdark]

There's https://github.com/middlewares/csp we can use right away.

[samdark]

Closing for now. Will consider our own if the one above won't work well.

[bicf]

Hi,

I like very much the PSR-7 implementation of https://github.com/middlewares/csp but how is the integration of PSR-7 in yii2?

https://github.com/paragonie/csp-builder has a strong approach on generating HASH by "scanning" the sources (CSS, JS) directories but this approach need at least one more step (regenerate the hashes) after an update by composer or any changes in the JS/CSS files.

Futhermore this approach do not allow the nonce signature, "only" to send the CSP header, and that's a big limitation when you cannot trust self because a carrier or a virus inject a malicious JS in your pages.

I've refactored my yii2-security-headers now it has a smaller footprint and a better documentation. I think it could be more effective with a PSR-7 + PSR-15 implementation and optionally integrate the https://github.com/paragonie/csp-builder so I'm hope in a quick response about the PSR-7 integration in yii.

[samdark]

how is the integration of PSR-7 in yii2?

There won't be any integration of PSR-7 into Yii 2. It is Yii 3 only.