MarkupContentSecurityPolicy

[nbcommunication]

Wondering how to get that A+ rating on Mozilla Observatory? Now you can with ⭐⭐⭐MarkupContentSecurityPolicy⭐⭐⭐

Of course, MarkupContentSecurityPolicy does not guarantee an A+ rating, but it does help you implement a Content Security Policy for your ProcessWire website.

Markup Content Security Policy

Configure and implement a Content Security Policy for all front-end HTML pages.

This module should only be used in production once it has been fully tested in development. Implementing a Content Security Policy on a site without testing will almost certainly break something!

Overview

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

... Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page. For example, a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint. A properly designed Content Security Policy helps protect a page against a cross site scripting attack.

— https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Website Security Auditing Tools such as Mozilla Observatory will only return a high score if a Content Security Policy is implemented. It is therefore desirable to implement one.

A common way of adding the Content-Security-Policy header would be to add it to the .htaccess file in the site's root directory. However, this means the policy would also cover the ProcessWire admin, and this limits the level of security policy you can add.

The solution is to use the <meta> element to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">. MarkupContentSecurityPolicy places this element with your configured policy at the beginning of the <head> element on each HTML page of your site.

There are some limitations to using the <meta> element:

• Not all directives are allowed. These include frame-ancestors, report-uri, and sandbox.
• The Content-Security-Policy-Report-Only header is not supported, so is not available for use by this module.

Configuration

To configure this module, go to Modules > Configure > MarkupContentSecurityPolicy.

Directives

The most commonly used directives are listed, with a field for each. The placeholder values given are examples, not suggestions, but they may provide a useful starting point.

You will almost certainly need to use 'unsafe-inline' in the style-src directive as this is required by some modules (e.g. TextformatterVideoEmbed) or frameworks such as UIkit.

Should you wish to add any other directives not listed, you can do so by adding them in Any other directives.

Please refer to these links for more information on how to configure your policy:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
• https://scotthelme.co.uk/content-security-policy-an-introduction/
• https://developers.google.com/web/fundamentals/security/csp/

Violation Reporting

Because the report-uri directive is not available, when Violation Reporting is enabled a script is added to the <head>which listens for a SecurityPolicyViolationEvent. This script is based on https://developer.mozilla.org/en-US/docs/Web/API/SecurityPolicyViolationEvent and POSTs the generated report to ?csp-violations=1. The module then logs the violation report to csp-violations.

Unfortunately, most of the violations that are reported are false positives, and not actual attempts to violate the policy. These are most likely from browser extensions and are not easy to determine and filter.

For this reason, there is no option for the report to be emailed when a policy is violated. Instead, you can specify an endpoint for the report to be sent to. This allows you to handle additional reporting in a way that meets your needs. For example, you may want to log all reports in a central location and send out an email once a day to an administrator notifying them of all sites with violations since the last email.

Retrieving the Report

To retrieve the report at your endpoint, the following can be used:

$report = file_get_contents("php://input");
if(!empty($report)) {
	$report = json_decode($report, 1);
	if(isset($report) && is_array($report) && isset($report["documentURI"])) {
		// Do something
	}
}

Debug Mode

When this is enabled, a range of information is logged to markup-content-security-policy. This is probably most useful when debugging a reporting endpoint.

Additional .htaccess Rules

To get an A+ score on Mozilla Observatory, besides using HTTPS and enabling the HSTS header, you can also place the following prior to ProcessWire's htaccess directives:

Header set Content-Security-Policy "frame-ancestors 'self'"
Header set Referrer-Policy "no-referrer-when-downgrade"

Installation

1. Download the zip file at Github or clone the repo into your site/modules directory.
2. If you downloaded the zip file, extract it in your sites/modules directory.
3. In your admin, go to Modules > Refresh, then Modules > New, then click on the Install button for this module.

ProcessWire >= 3.0.123 is required to use this module.

[netcarver]

Fantastic timing - just about to look into this myself for a site. Thank you!

[nbcommunication]

27 minutes ago, netcarver said:

Fantastic timing - just about to look into this myself for a site. Thank you!

Please let me know how you find it - this module is really just a result of looking into it the past two weeks to try and get an A+ on Mozilla Observatory (did it! ?) so I'd really appreciate any feedback!

[nbcommunication]

Update to 0.0.2

• Deploy mode (only enable for superuser when off)
• Define params to exclude from reporting (e.g. originalPolicy)
• Filtering of selected false positive patterns
• Improvements to HTML page check

[nbcommunication]

Hello,

I thought it might be useful to post a CSP I've recently deployed using this module. Every site is different - there's no prescriptive policy and that's the main caveat here.

This is for a site with an embedded Shopify store, an Issuu embed, a Google Tour embed and Google Maps implementation (JS API). It also uses Font Awesome 5 from their CDN, jQuery from CDNJS, and some Google Fonts. It also has TextformatterVideoEmbed installed alongside its extended options module.

default-src 'none'; 
script-src 'self' cdnjs.cloudflare.com *.google.com *.gstatic.com *.googleapis.com www.google-analytics.com www.googletagmanager.com e.issuu.com sdks.shopifycdn.com; 
style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com *.googleapis.com use.fontawesome.com; 
img-src 'self' data: *.google.com *.googleapis.com *.gstatic.com *.ggpht.com www.google-analytics.com www.googletagmanager.com brand.nbcommunication.com *.shopify.com sdks.shopifycdn.com; 
connect-src 'self' www.google-analytics.com ocean-kinetics.myshopify.com; 
font-src 'self' fonts.gstatic.com use.fontawesome.com; 
object-src 'self'; 
media-src 'self' data:; 
manifest-src 'self'; 
frame-src www.google.com www.youtube.com www.youtube-nocookie.com player.vimeo.com w.soundcloud.com e.issuu.com; 
form-action 'self'; 
base-uri 'self'

The Shopify embed script and Google Analytics initialisation have been moved into script files so there are no inline scripts at all. The script-src 'unsafe-inline' directive is an obstacle to getting that A+ on Observatory. 

Google Analytics is also a bit of an impediment to getting a top-drawer score, as its script doesn't use SRI. However, there is a reason for that as I understand it - it is a script that just loads other scripts so SRI implementation would just be token, it wouldn't actually be improving security. Still, it is possible to get A+ without dealing with this.

It would be great to get some discussion going on CSP implementation - I'm only a few weeks in myself, so have much to learn!

Cheers,

Chris
NB

 

[netcarver]

Hi Chris,

I had a chance to try this out today, and it's been pretty useful though I still have a lot to learn about CSPs. One quick observation is that it inserts at the start of the <head> block, before the charset and viewport meta tags. IIRC, the charset and viewport meta-tags are meant to be the first tags in the head block.

Will keep experimenting with the module.

[nbcommunication]

Hi @netcarver,

Thanks for the feedback - I'll have a look at this soon and see if I can get it placed better.

Cheers,

Chris

[horst]

36 minutes ago, nbcommunication said:

Thanks for the feedback - I'll have a look at this soon and see if I can get it placed better.

Hi and thanks for this useful module. I added to my list of things I need to explore soon. ;-)

A common usage for modules that need to inject content in the head or body output of pages, is to optionally serve a manual way per API call besides the automatic way. 

[nbcommunication]

@netcarver- I've got it automatically placed after the <title> element now, if that element exists (which it should!). 

@horst - I've added a renderMeta method to allow for manual outputting of the meta tag in the <head>. If this is used, it shouldn't output automatically.

[nbcommunication]

Updated to 1.0.1 (Stable), mainly reducing hook priority < 200 so it runs before ProCache.

 

[froot]

when I install this module, it messes up my <head> tag big time. The tags get added INSIDE the <title></title> tag (!)

see for yourself:

view-source:https://foobar.roofaccess.org/contact/

thoughts?

[nbcommunication]

Hi @fruid,

I've never seen an id attribute on the <title> tag before!

Can you please edit line 258 of MarkupContentSecurityPolicy.module to remove the '>'?

<?php
// Line 258
$node = '<title';

I think that'll fix it. If so I'll push that change to the repo.

Cheers,

Chris

[froot]

done and done, thanks

[nbcommunication]

Excellent, thanks @fruid,

That's the change pushed to the repo as v 1.0.8.

Cheers,

Chris

[nbcommunication]

I've released version 1.1.2 today:

• Javascript file now a minified UMD module
• Only unique reports from users are now logged to prevent excessive duplication in the log file. This is done using localStorage.

Cheers,

Chris

[nbcommunication]

Hello,

I'll not be actively maintaining this module going forward as we are no longer using it, instead implementing a CSP via a Header set in .htaccess. This is preferable for many reasons, and I expect that at some point in the future a CSP set in a <meta> tag, while still valid, will be penalised in audit tools.

On 7/17/2019 at 1:30 PM, nbcommunication said:

A common way of adding the Content-Security-Policy header would be to add it to the .htaccess file in the site's root directory. However, this means the policy would also cover the ProcessWire admin, and this limits the level of security policy you can add.

After a bit of trial and error I discovered the solution to setting a CSP in .htaccess, without it affecting the admin:

<IfModule mod_headers.c>

  # If not the PW admin
  <If "! %{QUERY_STRING} =~ /youradminurl/">
  	# Content Security Policy
    Header set Content-Security-Policy "default-src 'self'"
  </If>

</IfModule>

The If conditionals are a feature of Apache 2.4 which I'd assume most are using. I believe there are other approaches to conditionals for 2.2.

For reporting, we're going to be using report-uri.com.

In conclusion, the snippet in .htaccess looks something like this:

<IfModule mod_headers.c>

  # If not the PW admin
  <If "! %{QUERY_STRING} =~ /adminurl/">
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Report-To "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://accountname.report-uri.com/a/d/g\"}],\"include_subdomains\":true}"
    Header set Content-Security-Policy "default-src 'self'; ... base-uri 'self'; frame-ancestors 'self'; report-to default; report-uri https://accountname.report-uri.com/r/d/csp/enforce"
  </If>

</IfModule>

More information on report-uri/report-to here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri

If anyone wishes to take on responsibility for this module, please let me know here. I would recommend however that you look at using the .htaccess implementation outlined above.

Cheers,

Chris