Send a configurable CSP in every HTML response #9665
Conversation
|
@alecpl Same question for this: would reviews by other developers help you? |
|
I'm not sure it would help me, but it would likely help the pull request move forward. |
|
Are there other things we can do to ease your load? E.g. get more ticket work off your back? Or release/version/patch-management? I notice you're backporting many changes that go into the |
| $csp = $this->app->config->get('content_security_policy'); | ||
| if (!in_array($csp, ['', false, 'false'])) { | ||
| $csp_header = "Content-Security-Policy: {$csp}"; | ||
| if (isset($this->env['safemode']) && $this->env['safemode'] === true) { |
There was a problem hiding this comment.
This needs E2E test as it is it can very easily break security if coded wrongly.
There was a problem hiding this comment.
Testing is a good point 👍
Do you have something specific in mind regarding breaking security?
There was a problem hiding this comment.
I mean we need to be sure external resources are not fetched (otherwise spammers know what email addresses to spam even more) in every other case than explicitly configured so.
There was a problem hiding this comment.
I agree, but I think this change doesn't enlarge that danger. It only adds a Content-Security-Policy, which should reduce that danger. The safe-flag is not touched.
Do you see any way in which this change could be dangerous?
|
I'm not convinced that providing such configuration options is a good idea. |
|
I know nothing about CSP headers. From a Roundcube code style point of view only I would say that
is wrong and it should be
this means, i think, in common with other config values I would also say the comment in |
@alecpl Why? I thought some people might need to change the CSP (e.g. for plugins using external resources), and this way they wouldn't need to patch the code. |
@johndoh But your comments are helpful, thank you very much!
For some values that's right, but
Thank you for that catch! I'l solve that in code so admins can't break the CSP so easily by mistake. |
pabzm
force-pushed
the
always-send-csp
branch
from
e1f10e9
to
54928f4
Compare
The CSP gets adapted to remote objects being allowed or not. It can be configured or disabled via the config option `content_security_policy` (and `content_security_policy_add_allow_remote`).
pabzm
force-pushed
the
always-send-csp
branch
2 times, most recently
from
ba0ab41
to
a9e0110
Compare
I agree with this. I think in the past there has been issues with Personally I just don't like the |
pabzm
force-pushed
the
always-send-csp
branch
from
a9e0110
to
304ae70
Compare
If people write a lax default CSP they might set the additional config option to the blank string, or false. Then the CSP header should not contain that value.
pabzm
force-pushed
the
always-send-csp
branch
from
304ae70
to
feb8e9f
Compare
This way the code always has values it can work with, no matter how good or broken the configuration is.
Oh, I wasn't aware of that. Thank you for that explanation! Then we maybe should have a hardcoded value for all defaults. I changed the approach to specifying the default value in (I'd be happy to extend this approach to more config options, it would reduce some special case handling in
I also find it ugly, but I really like solid code, which isn't vulnerable to edge cases. But maybe checking against |
Previously the code also treated `'false'` (the string) as invalid, but that's a very specific check against a specific edge case, which wouldn't even break the code (but will only make the browser complain), so I'm dropping that check.
The config value might be something else than a string.
In the previous way useless semicolons could have happened.
We still support PHP v7, which doesn't support union types.
phpstan complains that `assertIsArray($config)` will always fail because it doesn't know about the side effects of `require`ing the default config.
pabzm
force-pushed
the
always-send-csp
branch
from
cfcabf0
to
fda480b
Compare
The CSP gets adapted to remote objects being allowed or not. It can be configured or disabled via the config option
content_security_policy(andcontent_security_policy_add_allow_remote).The default is pretty weak in order to not introduce a breaking change, but still not useless (e.g. it adds another layer of defence against loading remote objects unless allowed.)
Closes #9638