Content-Security-Policy (CSP) with Joomla
I discovered, rediscovered, the CSP, following an SEO test on my web server, which informed me that I had not implemented the CSP.
So I set up a minimalist CSP, to answer the SEO error and test this implementation. Here is the example of the CSP.
I add this in my VHost:
Now, if this rule has been correctly applied, my slider no longer works, especially since it directly integrates scripts into JavaScript tags, in the body of Joomla.
I'm trying a workaround, and trying to activate JQuery in the module, and hoping it's loaded locally.
I see that the administrator interface of Joomla has failures, with this rudimentary CSP.
Joomla can not close the module.
If I use the navigation bar to go back to the root of the administrator (https://domain/administrator), and go back to the modules, the little padlocks are still active on the modules, and I cannot click on them to restore the standard state.
My question is:
I am looking for a CSP for Joomla, for a default site.
Here, it's not even so much the worry that I encounter with the slider that interests me, but, to find a valid CSP, for a default Joomla.
I do not know if the Joomla project has ever been able to write notes about it, but, I guess there is something like that, somewhere.
I looked for the key word CSP on the French forum of the AFUJ, I did not find anything, and, I posted this message also.
I understand that my request does not have to do with the core Joomla. On the other hand, it is necessary to be able to correctly configure the CSP of a server to make Joomla work by default.
I would like your advice, to correctly configure the CSP rules to run Joomla by default.
During my research, I found an automatic CSP generator, I will try to improve my existing rule.
Does this mean that header configurations can be done from the Joomla administration, with such a plugin?
As a result, server-side configurations are overwritten?
Header set Content-Security-Policy "script-src 'self' https://www.domaine.fr"
Isn't it better to do this setting on the server side, in the VirtualHost?
I do not know ...
Does this mean that header configurations can be done from the Joomla administration, with such a plugin?
Yes.
As a result, server-side configurations are overwritten?
As the plugin runs after the .htaccess file gets applied, the header gets overwritten.
Isn't it better to do this setting on the server side, in the VirtualHost?
It is better, but most of the users don't know how to do that (or can't do it at all); with that plugin it is possible, and this also allows us to suggest values and give some more insights in the CMS UI.
Now, if this rule has been correctly applied, my slider no longer works, especially since it directly integrates scripts into JavaScript tags, in the body of Joomla.
You can use unsafe-inline. And this is part of the problem: we cannot apply the tools we have in 4.0 to 3.x. With 4.0 the inline JS, at least from the core, is going to be moved into files or at least have nonce support implemented.
Here, it's not even so much the worry that I encounter with the slider that interests me, but, to find a valid CSP, for a default Joomla.
Well, we do it for most of the *.joomla.org network websites already. A very basic version for 3.x would just mean something like this:
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
And then you add your tracking tools, fonts, remote scripts etc.
For 4.x the plan is to have something like this (just for core):
Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-xxx'"
where com_csp and the headers plugin help you to set the correct headers for your site.
And if I do not define this first rule that you propose?
During my tests, it seems that I had put it, then withdrawn it, because, due to calls from my site, I had to remove the rule to no longer see alerts displayed in the browser.
I have kept the following rules:
Header set Content-Security-Policy "img-src *; object-src 'self' https://www.visionduweb.fr; media-src https://www.visionduweb.fr; frame-src *; connect-src 'self' *; report-uri https://www.visionduweb.fr"
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-02-18 21:28:45 |
Closed_By | ⇒ | Quy |
Closed_Date | 2019-02-18 21:28:45 | ⇒ | 2019-02-18 21:28:46 |
Closed_By | Quy | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/23392
Closing since it is not a Joomla core issue, but a setup/configuration issue that you can get further assistance at Joomla Forum.
Header set Content-Security-Policy "img-src *; object-src 'self' https://www.visionduweb.fr; media-src https://www.visionduweb.fr; frame-src *; connect-src 'self' *; report-uri https://www.visionduweb.fr"
Sorry, I missed your answer. This rule above is not going to protect you against anything that CSP is built for in the first place. For this to happen you should at least implement a script-src; I would also suggest a default-src.
During my tests, it seems that I had put it, then withdrawn it, because, due to calls from my site, I had to remove the rule to no longer see alerts displayed in the browser.
You know the Report-Only mode, right?
But I agree with @Quy that this kind of question is not intended to be discussed here.
For future reference, here is some documentation / tools:
https://csp.withgoogle.com/docs/index.html
https://csp-evaluator.withgoogle.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://wiki.mozilla.org/Security/CSP
This should help understanding how to use CSP and how to set it up. As pointed out above, the tools for Joomla exist in the plugin for Joomla 3.x mentioned above, and the code written for Joomla 4.x you can find in the 4.0-dev branch of this repo.
For Joomla 3: https://github.com/zero-24/plg_system_httpheader/releases
Joomla 4 will have csp tools/extensions bundled in core.
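The points raised in the two replies above (a policy without script-src or default-src protects nothing, 'unsafe-inline' in the 3.x policy, the nonce-based 4.x policy, and Report-Only mode) as an added Python example; this is not code from Joomla or the httpheader plugin, and the policy string it audits is the one quoted earlier in the thread, embedded here as a constant.

```python
"""Audit a CSP header value for the gaps discussed in this thread and build
the nonce-based policy Joomla 4 aims for (added example, not Joomla code)."""
import secrets

# Sample input: the header value the reporter kept on the site (copied from the thread).
REPORTER_POLICY = ("img-src *; object-src 'self' https://www.visionduweb.fr; "
                   "media-src https://www.visionduweb.fr; frame-src *; "
                   "connect-src 'self' *; report-uri https://www.visionduweb.fr")

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; directive names are case-insensitive."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(value):
    """Return the findings a reviewer would raise: no script-src/default-src,
    'unsafe-inline' for scripts, and wildcard sources that let any origin in."""
    policy = parse_csp(value)
    findings = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src and no default-src: scripts from any origin can run")
    if "default-src" not in policy:
        findings.append("no default-src: directives not listed fall back to allowing everything")
    if "'unsafe-inline'" in policy.get("script-src", []):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts still run")
    for directive, sources in policy.items():
        if "*" in sources:
            findings.append(f"{directive} contains '*': any origin is allowed")
    return findings

def nonce_policy(nonce=None):
    """Build the Joomla 4 style policy: a per-response nonce instead of 'unsafe-inline'.
    Returns (nonce, header value); the same nonce must appear on each <script nonce="..."> tag."""
    nonce = nonce or secrets.token_urlsafe(16)
    return nonce, f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"

def report_only_header(value):
    """Header name/value pair for trying a policy without blocking anything: the
    Report-Only mode mentioned in the thread, where violations are only reported."""
    return ("Content-Security-Policy-Report-Only", value)

if __name__ == "__main__":
    for finding in audit_csp(REPORTER_POLICY):
        print("-", finding)
    print(nonce_policy("abc123")[1])
```

Run the audit over your own header value first in Report-Only mode, then switch to the enforcing Content-Security-Policy header once the browser console shows no violations for a normal page load.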