
ProcessWire and Content Security Policy (CSP)


Andreas Faust

Inline scripts are used widely in the admin interface, so this sounds like a case where you wouldn't want to enable CSP. It's fine to enable it on your front-end if it's something you want, or you could use the unsafe-inline keyword to get past this issue, though.

CSP is well-intentioned, but some of its rules don't make that much sense in certain use cases, and our admin interface is in my opinion one of those cases. On the other hand ProcessWire doesn't dictate any of the markup you see on the front-end of your site :)

Note: this topic has been moved to the security forum.


Thank you for the quick reply, teppo.

So I’ll use only a meta-tag in the head of my template-files, instead of writing a directive in PW’s .htaccess-file.

But I don’t understand why CSP doesn’t make sense for the PW-backend. I tried it out by simply creating a (hardcoded) nonce for the described inline-script and the backend seems to work (on a basic level). Wouldn’t this (done with a real nonce, of course) improve PW’s security?


I'm mainly thinking about the way ProcessWire makes it possible for third party modules to alter the source of a page, inject their own scripts or styles, etc. While this does require a lot of trust in installed modules, it's also something we wouldn't want to disallow. Inputfields are another thing to consider: many third party inputfields rely on existing libraries, in which case the implementation details are more or less out of our hands.

Unless I'm missing something obvious, CSP would mostly be useful if users were able to inject their own scripts or styles for other users to see. In order to do that, you'd either have to be a superuser and use some rather specific features to achieve this, or exploit a third party module that allows this. The latter option is absolutely something to consider, but the first one not that much: generally speaking we consider users with access to the admin interface "trusted"... and superusers even more so.

While we could introduce a method of "registering" embedded content with the system, I'm not entirely sure if that's worth it. It could make the lives of perfectly legitimate developers more difficult, while the benefits are — in my opinion — somewhat questionable. It's also good to keep in mind that this isn't something that would protect you from malicious / hacked third party modules: a module could simply hook into an earlier (or later) point in program execution and override any CSP rules you've got in place.

That being said, I'm not against the idea of implementing this as a configurable option. It would no doubt be possible for ProcessWire to generate nonces for any inline content it requires, and as long as this would be a configurable setting, it shouldn't come as much of a surprise if some third party features stopped working afterwards. I don't see this as such a big thing and I'd imagine the potential use cases to be limited, I for one would be OK with this as long as it doesn't needlessly complicate things.
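The nonce approach discussed in this thread, as an added example that is not part of any post above and is not ProcessWire code: a fresh nonce per request, sent in a response header, and attached only to inline scripts that were explicitly registered, so markup injected elsewhere gets no nonce. The class name `InlineScriptRegistry`, its methods and the policy string are assumptions made for illustration; no ProcessWire API is used.

```php
<?php
declare(strict_types=1);

// Added example: plain PHP with hypothetical names, not ProcessWire's own code.
final class InlineScriptRegistry
{
    private string $nonce;
    /** @var string[] */
    private array $scripts = [];

    public function __construct()
    {
        // 128 bits from the CSPRNG, new for every request; a hardcoded nonce protects nothing.
        $this->nonce = base64_encode(random_bytes(16));
    }

    // Only code that calls register() gets a nonce. Stamping a nonce onto every
    // <script> found in the final output would also bless injected ones.
    public function register(string $js): void
    {
        // Keep the script body from closing its own element early.
        $this->scripts[] = str_ireplace('</script', '<\/script', $js);
    }

    public function headerValue(): string
    {
        return "default-src 'self'; script-src 'self' 'nonce-{$this->nonce}'; "
             . "object-src 'none'; base-uri 'self'";
    }

    public function render(): string
    {
        $attr = htmlspecialchars($this->nonce, ENT_QUOTES);
        $out = '';
        foreach ($this->scripts as $js) {
            $out .= "<script nonce=\"{$attr}\">{$js}</script>\n";
        }
        return $out;
    }
}

$csp = new InlineScriptRegistry();
$csp->register('console.log("registered inline script runs");');

// Prefer a real header: frame-ancestors, report-uri and sandbox are ignored in a <meta> policy.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Content-Security-Policy: ' . $csp->headerValue());
}

echo "<!doctype html>\n<html><head><title>CSP nonce demo</title>\n", $csp->render(), "</head><body>\n";
// No nonce attribute here, so a CSP-enforcing browser refuses to execute it.
echo "<script>console.log('unregistered inline script is blocked');</script>\n</body></html>\n";
```

Pages that carry a nonce must not be served from a shared cache, because a replayed response would reuse the same nonce across visitors.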
