opalepatrick

Content Security Policy

Hi there, wondering what others are thinking about CSP. I came a cropper after implementing it on a pw site of mine (as per 

)

but I do think that it makes a lot of sense and was disappointed to be demoted from an A+ to a D at https://observatory.mozilla.org after ripping it out to make my site admin work again. Any thoughts?

Could you please explain what you actually did (please give some details) and maybe someone can help you?  Thanks.

Well I was just hoping to spark a conversation, cstevensjr, about CSP as the resolution was in the other thread. But basically I had added a CSP to my site that essentially made the admin area unusable because of the pw requirements. I removed the policies from my .htaccess to resolve.

Hello @opalepatrick,

I don't have any experience with CSP, but there was already a little discussion about this topic in this thread:

From what I understand, you could use CSP in your front end with PHP if you like. But for the back end it is not possible, as you have already experienced. ;)

Regards, Andreas

Hi @AndZyk, yes I read that and was a bit surprised that there had not been a discussion since, especially as there seems to be a bit of movement from people like Mozilla to pay more attention to it.

I just wondered if there is anything being considered in development that may address it. Or, maybe, that it is not worth bothering about?

Here are some links that should give you some insight to where CSP is at:

https://www.w3.org/TR/CSP2/

http://caniuse.com/#feat=contentsecuritypolicy2

https://content-security-policy.com/

https://www.keycdn.com/blog/http-security-headers/

Microsoft - https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/security/content-security-policy

Google - https://developers.google.com/web/fundamentals/security/csp/

Mozilla - https://hacks.mozilla.org/2016/02/implementing-content-security-policy/ and https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Opera - https://dev.opera.com/extensions/architecture-overview/

It is also known (reported) that Safari may not be so CSP compliant. I don't believe that Apple has an official Content Security Policy.

Best Regards,

Charles

Thanks @cstevensjr - I think those links will be useful to people. I wonder if it is possible to apply CSP in .htaccess for the site part only (not using meta tags)?

  • Similar Content

    • By Chris Bennett
      Plenty of posts on the forum relating to Content Security Policy (CSP) and how to integrate it with Processwire.
      It's not too hard to implement a decent htaccess CSP that will get you a solid B+ at Mozilla Observatory.
      If you're after A+ it's a little harder because of all the back-end stuff... until you realize it's surprisingly easy.
      After a lot of testing, the easiest way I found was to specify only what is needed in the htaccess and then add your required CSP as a meta in your page template.
      Plenty of people have suggested similar. Works very easily for back-end vs front-end, but gets complicated if you want front page editing.
      Luckily, a little php will preserve back-end and front page editing capabilities while allowing you to lock down the site for anyone not logged in. 
      None of this is rocket science, but CSPs are a bit of a pain in the rear, so the easier the better, I reckon 😉
      The only CSP I'd suggest you include in your site htaccess is:

      Header set Content-Security-Policy "frame-ancestors 'self'"

      The reason for this is you can't set "frame-ancestors" via meta tags.
      In addition, you can only make your CSP more restrictive using meta tags, not less, so leaving the back-end free is a solid plan to avoid frustration.
      Then in your public front-facing page template/s, add your desired Content Security Policy as a meta tag.
      Please note: your CSP should be the first meta tag after your <head>.

      For example:
      <!DOCTYPE html>
      <html>
      <head>
      <meta http-equiv="Content-Security-Policy" content="Your CSP goes here">
      <!-- followed by whatever your normal meta tags are -->
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <meta name="format-detection" content="telephone=no">

      If you haven't got Front Page Editing enabled, this works fine by itself.
      Just one extra step is needed to make sure you don't have to worry either way. 
      The easiest way I found to allow both CSP and front page editing capabilities is the addition of a little php, according to whatever your needs are.
      Basically, if the user is a guest, throw in your CSP; if they're not, do nothing.
      It's so simple I could have kicked myself when it finally dawned on me.
      I wish it had clicked for me earlier in my testing, but it didn't so I'm here to try to save some other person a little time.
      Example:

      <!DOCTYPE html>
      <html>
      <head>
      <?php if ($user->isGuest()): ?>
      <meta http-equiv="Content-Security-Policy" content="Your CSP goes here">
      <?php endif; ?>
      <!-- followed by whatever your normal meta tags are -->
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <meta name="format-detection" content="telephone=no">
      If you want it a bit more involved then you can add additional tests and be as specific as you like about what pages should get which CSP.
      For example, the following is what I use to expand the scope of the CSP only for my "map" page:

      <?php $loadMap = $page->name === "map"; ?>
      <!DOCTYPE html>
      <html>
      <head>
      <?php if ($user->isGuest()): ?>
      <meta http-equiv="Content-Security-Policy" content="default-src 'none'; base-uri 'self'; manifest-src 'self'; form-action 'self'; font-src 'self' data: https://fonts.gstatic.com; frame-src 'self' https://www.youtube.com; img-src 'self' data:<?php echo ($loadMap) ? " https://maps.googleapis.com https://maps.gstatic.com" : ""; ?> https://www.google-analytics.com; script-src 'self' <?php echo ($loadMap) ? "https://maps.googleapis.com " : ""; ?>https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' <?php echo ($loadMap) ? "'unsafe-inline' https://fonts.googleapis.com" : ""; ?>">
      <?php endif; ?>

      Hope this saves someone a little time testing.
      https://observatory.mozilla.org/analyze/bene.net.au
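      The following is an added example, not code from the post above or from ProcessWire, that generalises the per-page approach into a small template helper: a base policy, optional per-page additions keyed by page name, and the guest-only check, with frame-ancestors deliberately left to .htaccess because a meta CSP ignores it. $page and $user are the ProcessWire template API variables; the directive lists and host names are assumptions for illustration.

```php
<?php
// Added example (not from the forum post or ProcessWire core).
// Builds the CSP string from a base policy plus per-page extras and
// emits it as a <meta> tag for guests only, so logged-in users keep
// admin and front-page editing working (those pages get no meta CSP).

function buildCsp(array $base, array $extra = []): string {
    // Merge each directive's source list, dropping duplicates.
    foreach ($extra as $directive => $sources) {
        $merged = array_merge($base[$directive] ?? [], $sources);
        $base[$directive] = array_values(array_unique($merged));
    }
    $parts = [];
    foreach ($base as $directive => $sources) {
        $parts[] = $sources ? $directive . ' ' . implode(' ', $sources) : $directive;
    }
    return implode('; ', $parts);
}

function cspMetaTag(string $csp): string {
    // ENT_COMPAT escapes only double quotes, so the 'self' keywords stay readable.
    return '<meta http-equiv="Content-Security-Policy" content="'
        . htmlspecialchars($csp, ENT_COMPAT) . '">';
}

// Assumed base policy; hosts are placeholders for your own allow-list.
// frame-ancestors is absent on purpose: meta CSP ignores it, so it belongs
// in .htaccess (Header set Content-Security-Policy "frame-ancestors 'self'").
$base = [
    'default-src' => ["'none'"],
    'base-uri'    => ["'self'"],
    'form-action' => ["'self'"],
    'img-src'     => ["'self'", 'data:'],
    'script-src'  => ["'self'"],
    'style-src'   => ["'self'"],
];

// Assumed per-page extensions, keyed by ProcessWire page name.
$perPage = [
    'map' => [
        'img-src'    => ['https://maps.googleapis.com', 'https://maps.gstatic.com'],
        'script-src' => ['https://maps.googleapis.com'],
    ],
];

// Must be the first tag inside <head>; only guests receive the policy.
if ($user->isGuest()) {
    echo cspMetaTag(buildCsp($base, $perPage[$page->name] ?? []));
}
```

      Pages not listed in $perPage simply get the base policy, so adding a page-specific allow-list never loosens what every other page receives.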
    • By Andreas Faust
      Hello,
      the ProcessWire login page uses an inline script in the head tag (defining the variable "ProcessWire"), which Content Security Policy doesn't allow.
      Is there a way to fix this? Or does PW generally exclude CSP?