ZerooCool
30 Dec 2018

Content-Security-Policy (CSP) with Joomla

I discovered, rediscovered, the CSP, following an SEO test on my web server, which informed me that I had not implemented the CSP.
So I set up a minimalist CSP, to answer the SEO error and test this implementation. Here is the example of the CSP.
I add this in my VHost:

Header set Content-Security-Policy "script-src 'self' https://www.***********.eu"

Now, if this rule has been correctly applied, my slider no longer works, especially since it directly integrates scripts into JavaScript tags, in the body of Joomla.

I'm trying a workaround, and trying to activate jQuery in the module, and hoping it's loaded locally.
I see that the administrator interface of Joomla has failures, with this rudimentary CSP.
Joomla can not close the module.

If I use the navigation bar to go back to the root of the administrator (https://domain/administrator), and go back to the modules, the little padlocks are still active on the modules, and, I can not click on it to restore the standard state.

My question is:

I am looking for a CSP for Joomla, for a default site.
Here, it's not even so much the worry that I encounter with the slider that interests me, but, to find a valid CSP, for a default Joomla.

I do not know if the Joomla project has ever been able to write notes about it, but, I guess there is something like that, somewhere.

I looked for the key word CSP on the French forum of the AFUJ, I did not find anything, and, I posted this message also.

I understand that my request does not have to do with the core Joomla. On the other hand, it is necessary to be able to correctly configure the CSP of a server to make Joomla work by default.

I would like your advice, to correctly configure the CSP rules to run Joomla by default.

During my research, I found an automatic CSP generator, I will try to improve my existing rule.

ZerooCool - open - 30 Dec 2018
GHSVS-de - comment - 30 Dec 2018

For Joomla 3: https://github.com/zero-24/plg_system_httpheader/releases

Joomla 4 will have CSP tools/extensions bundled in core.

ZerooCool - comment - 30 Dec 2018

Does this mean that header configurations can be done since Joomla administration, with such a plugin?

As a result, server-side configurations are overwritten?

Header set Content-Security-Policy "script-src 'self' https://www.domaine.fr"

Isn't it better to do this setting on the server side, in the VirtualHost?
I do not know ...

zero-24 - comment - 30 Dec 2018

Does this mean that header configurations can be done since Joomla administration, with such a plugin?

Yes.

As a result, server-side configurations are overwritten?

As the plugin runs after the .htaccess file gets applied, the header gets overwritten.

Isn't it better to do this setting on the server side, in the VirtualHost?

It is better, but most users don't know how to do that (or can't do it at all); with that plugin it is possible, and this also allows us to suggest values and give some more insight in the CMS UI.

Now, if this rule has been correctly applied, my slider no longer works, especially since it directly integrates scripts into JavaScript tags, in the body of Joomla.

You can use 'unsafe-inline'. And this is part of the problem: we cannot apply the tools we have in 4.0 to 3.x. With 4.0, the inline JS, at least from the core, is going to be moved into files or at least have nonce support implemented.

Here, it's not even so much the worry that I encounter with the slider that interests me, but, to find a valid CSP, for a default Joomla.

Well, we do it for most of the *.joomla.org network websites already. A very basic version for 3.x would just mean something like this:

Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"

And then you add your tracking tools, fonts, remote scripts etc.

For 4.x the plan is to have something like this (just for core):

Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-xxx'"

where com_csp and the headers plugin help you to set the correct headers for your site.

ZerooCool - comment - 24 Jan 2019

And if I do not define this first rule that you propose?
During my tests, it seems that I had put it in, then withdrawn it, because of calls from my site: I had to remove the rule to no longer see alerts displayed in the browser.

I have kept the following rules:

Header set Content-Security-Policy "img-src *; object-src 'self' https://www.visionduweb.fr; media-src https://www.visionduweb.fr; frame-src *; connect-src 'self' *; report-uri https://www.visionduweb.fr"
Quy - change - 18 Feb 2019
Status: New -> Closed
Closed_Date: 2019-02-18 21:28:45
Closed_By: Quy
joomla-cms-bot - comment - 18 Feb 2019

Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/23392

Quy - comment - 18 Feb 2019

Closing since it is not a Joomla core issue, but a setup/configuration issue for which you can get further assistance at the Joomla Forum.


zero-24 - comment - 18 Feb 2019

Header set Content-Security-Policy "img-src *; object-src 'self' https://www.visionduweb.fr; media-src https://www.visionduweb.fr; frame-src *; connect-src 'self' *; report-uri https://www.visionduweb.fr"

Sorry, I missed your answer. The rule above is not going to protect you against anything that CSP was built for in the first place. For this to happen you should at least implement a script-src; I would also suggest a default-src.

During my tests, it seems that I had put it in, then withdrawn it, because of calls from my site: I had to remove the rule to no longer see alerts displayed in the browser.

You know the Report-Only mode, right?

But I agree with @Quy that this kind of question is not intended to be discussed here.

For future reference, here is some documentation and some tools:
https://csp.withgoogle.com/docs/index.html
https://csp-evaluator.withgoogle.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://wiki.mozilla.org/Security/CSP

This should help with understanding how to use CSP and how to set it up. As pointed out above, the tools for Joomla exist in the plugin for Joomla 3.x mentioned above and in the code written for Joomla 4.x, which you can find in the 4.0-dev branch of this repo.
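The two points zero-24 makes in this thread (a policy without script-src or default-src leaves scripts unrestricted; the 3.x fallback needs 'unsafe-inline', the 4.x plan uses a nonce) can be checked mechanically. The checker below is an added example, not code from the tracker thread, from Joomla or from the plg_system_httpheader plugin; the three sample policies are the ones quoted above, retyped as constructed input, and the finding texts are my own wording.

```python
"""Minimal CSP checker for the policies quoted in this thread.

Added example; not code from the tracker thread, Joomla or the
plg_system_httpheader plugin. It flags what zero-24 points out:
no script-src (and no default-src to fall back on), 'unsafe-inline'
in script-src without a nonce, and wildcard (*) sources.
"""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "object-src",
                    "media-src", "frame-src", "connect-src", "font-src"}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`; None means the browser applies no restriction."""
    return policy.get(directive, policy.get("default-src"))

def check_csp(value: str) -> List[str]:
    """Return findings for one policy; an empty list means nothing obvious is wrong."""
    policy = parse_csp(value)
    findings: List[str] = []
    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append("script-src missing and no default-src: scripts are unrestricted")
    elif "'unsafe-inline'" in script and not any(s.startswith("'nonce-") for s in script):
        # With a nonce present, CSP Level 2+ browsers ignore 'unsafe-inline'.
        findings.append("script-src allows 'unsafe-inline' without a nonce")
    for directive in sorted(d for d in policy if d in FETCH_DIRECTIVES):
        if "*" in policy[directive]:
            findings.append(f"{directive} allows any origin (*)")
    return findings

# Constructed samples: the three policies quoted in the thread.
USER_RULE = ("img-src *; object-src 'self' https://www.visionduweb.fr; "
             "media-src https://www.visionduweb.fr; frame-src *; "
             "connect-src 'self' *; report-uri https://www.visionduweb.fr")
BASIC_3X = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
NONCE_4X = "default-src 'self'; script-src 'self' 'nonce-xxx'"
```

Running `check_csp` on the three samples reports the missing script-src and the wildcards for the user's rule, the 'unsafe-inline' for the 3.x policy, and nothing for the nonce-based 4.x policy; to test a candidate without breaking the site, send it as Content-Security-Policy-Report-Only first, as suggested above.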
