Andreas Faust

ProcessWire and Content Security Policy (CSP)


Hello,

the ProcessWire login page uses an inline script in the head tag (defining the variable "ProcessWire"), which Content Security Policy doesn’t allow.

Is there a way to fix this? Or does PW generally exclude CSP?


Inline scripts are used widely in the admin interface, so this sounds like a case where you wouldn't want to enable CSP. It's fine to enable it on your front-end if it's something you want, or you could use the unsafe-inline keyword to get past this issue, though.

CSP is well-intentioned, but some of its rules don't make that much sense in certain use cases, and our admin interface is in my opinion one of those cases. On the other hand ProcessWire doesn't dictate any of the markup you see on the front-end of your site :)

Note: this topic has been moved to the security forum.


Thank you for the quick reply, teppo.

So I’ll use only a meta tag in the head of my template files, instead of writing a directive in PW’s .htaccess file.

But I don’t understand, why CSP doesn’t make sense for the PW-backend. I tried it out by simply creating a (hardcoded) nonce for the described inline-script and the backend seems to work (on a basic level). Wouldn’t this (done with a real nonce, of course) improve PW’s security?

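The two approaches discussed above, teppo's suggestion of the `unsafe-inline` keyword and the per-request nonce Andreas tried on the login page's inline script, side by side as an added Python example (not code from this thread or from ProcessWire). It generates a fresh nonce, emits the policy both as a response header and in the `<meta>` form mentioned above, and applies the script-src rules to an inline script with and without a matching nonce. The `STATIC_NONCE` value, the inline script body and all function names are constructed for the demo and are not ProcessWire identifiers.

```python
import base64
import html
import secrets
from typing import Optional, List, Tuple, Dict

# Constructed stand-in for a nonce hardcoded into a page, as in the quick test
# described above. A real deployment must generate one per response.
STATIC_NONCE = "STATICNONCE"


def make_nonce(nbytes: int = 16) -> str:
    """Fresh random nonce for one response, base64 encoded as CSP expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def script_src_policy(sources: List[str]) -> str:
    """Build a script-src directive from a list of source expressions."""
    return "script-src " + " ".join(sources)


def csp_header(policy: str) -> Tuple[str, str]:
    """Policy delivered as an HTTP response header (what an .htaccess rule would set)."""
    return ("Content-Security-Policy", policy)


def csp_meta_tag(policy: str) -> str:
    """Policy delivered from the template's <head>, as the poster above plans to do."""
    return ('<meta http-equiv="Content-Security-Policy" content="'
            + html.escape(policy, quote=True) + '">')


def inline_script_tag(body: str, nonce: Optional[str] = None) -> str:
    """Render an inline <script>, optionally carrying the nonce attribute."""
    attr = f' nonce="{html.escape(nonce, quote=True)}"' if nonce else ""
    return f"<script{attr}>{body}</script>"


def inline_script_allowed(policy: str, script_nonce: Optional[str] = None) -> bool:
    """Apply the script-src rules to an inline script.

    CSP behaviour modelled here: script-src falls back to default-src; a nonce
    source matches only a script whose nonce attribute equals it; and
    'unsafe-inline' allows every inline script unless a nonce or hash source is
    also present, in which case browsers ignore 'unsafe-inline'.
    """
    directives: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive governs scripts: nothing restricts them
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if script_nonce is not None and script_nonce in nonces:
        return True
    if "'unsafe-inline'" in sources and not nonces and not has_hash:
        return True
    return False


def compare_policies() -> Dict[str, bool]:
    """Outcome of the page's own inline script versus a script without the nonce
    under the three policies discussed in the thread."""
    nonce = make_nonce()
    permissive = script_src_policy(["'self'", "'unsafe-inline'"])
    per_request = script_src_policy(["'self'", f"'nonce-{nonce}'"])
    hardcoded = script_src_policy(["'self'", f"'nonce-{STATIC_NONCE}'"])
    return {
        # unsafe-inline: the admin script runs, but so does any other inline script
        "unsafe-inline/own script": inline_script_allowed(permissive, None),
        "unsafe-inline/other inline": inline_script_allowed(permissive, None),
        # per-request nonce: only the script rendered with this response's nonce runs
        "nonce/own script": inline_script_allowed(per_request, nonce),
        "nonce/other inline": inline_script_allowed(per_request, None),
        # hardcoded nonce: the value is public in every response, so a script that
        # simply repeats it is also accepted
        "static nonce/own script": inline_script_allowed(hardcoded, STATIC_NONCE),
        "static nonce/repeats value": inline_script_allowed(hardcoded, STATIC_NONCE),
    }


if __name__ == "__main__":
    n = make_nonce()
    print(csp_header(script_src_policy(["'self'", f"'nonce-{n}'"])))
    print(csp_meta_tag(script_src_policy(["'self'", f"'nonce-{n}'"])))
    print(inline_script_tag("var ProcessWire = {};", n))  # constructed script body
    for case, allowed in compare_policies().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The `compare_policies` table is the point of the exercise: with `'unsafe-inline'` every inline script is accepted, with a per-response nonce only the script the server rendered is accepted, and a nonce that never changes offers no more than `'unsafe-inline'` because it appears in every page. Delivering the policy as a header or as the `<meta>` tag gives the same rules; the meta form simply cannot cover responses that do not go through the template.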

I'm mainly thinking about the way ProcessWire makes it possible for third party modules to alter the source of a page, inject their own scripts or styles, etc. While this does indeed require a lot of trust in installed modules, it's something we wouldn't want to disallow. Inputfields are also something to consider: many third party inputfields rely on existing libraries, in which case the implementation details are more or less out of our hands.

Unless I'm missing something obvious here, CSP would mostly be useful if users were able to inject their own scripts or styles for other users to see. In order to do that, you'd either have to be a superuser and use some rather specific features to achieve this, or exploit a third party module that allows this. The latter option is definitely something to consider, but the first one not that much: generally speaking we consider users with access to the admin interface "trusted".. and superusers even more so.

While we could introduce a method of "registering" embedded content with the system, I'm not entirely sure if that's really worth it. It could make the lives of perfectly legitimate developers more difficult, while the benefits are, in my opinion, somewhat questionable. It's also good to keep in mind that this isn't something that would protect you from malignant / hacked third party modules: a module could simply hook into an earlier (or later) point in program execution and override any CSP rules you've got in place.

That being said, I'm not against the idea of implementing this as a configurable option. It would no doubt be possible for ProcessWire to generate nonces for any inline content it requires, and as long as this is a configurable setting, it shouldn't come as much of a surprise if some third party features stop working afterwards. While I don't see this as such a big thing and I'd imagine the potential use cases to be kind of limited, I'd be OK with this.. as long as it doesn't needlessly complicate things :)

