[#25714] - [4.0] [com_csp] [plg_system_httpheaders] Implement a hashbased whitelist for com_csp / plg_http_httpheaders
- Fixed in Code Base
- 13 Sep 2019
- Medium
- Build: 4.0-dev
- # 25714
- Diff
- zero-24:hash_based_csp
- Pending Hound Hound is busy sniffing around... Details
User tests: Successful: Unsuccessful:
Summary of Changes
Implement a hashbased whitelist for com_csp / plg_http_httpheaders as requested by @SniperSister
Testing Instructions
- apply this patch
- System -> Manage -> Content Security Policy -> Options
- Enable the detect mode.
- navigate the frontend and backend
- System -> Manage -> Content Security Policy
- publish all rules
- System -> Manage -> Content Security Policy -> Options
- change the mode to "Automatic"
- check the header set by the app using the browser console network tab (hint check the first request you can see for the header)
- System -> Manage -> Content Security Policy -> Options
- enable the new script hashes and style hashes option
- check the header again.
Expected result
New options for script and style hashes implemented
Actual result
No options for script and style hashes implemented
Documentation Changes Required
This needs to be documented.
Known limitation
Please note that this here is indeed feature complete in order to work out of the box any inline style / script needs to be converted to a script running from a file. This is not the case with at least the current backend template so there are still some errors in the console but 90% of the features still work the other just needs to be moved to pass the required inline scripts via the joomla api. This is also true for any other template or extension.
Open points
-[ ] en-GB review of the new language strings
@brianteeman can you please take a look into the new language strings whether they makes sense or can be improved? Thanks.
Acknowledgements
Thanks @SniperSister for suggesting the implementation of hashbased whitelists in order to overcome the limitations of the nonce and the usage of unsafe-inline.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_csp Language & Strings Front End Plugins |
At least according to the linked source https://scotthelme.co.uk/content-security-policy-an-introduction/#hash then thats not how it is supposed to work
Surely it only "ignores" it if the hashes are checked and found to be correct
the browser will hash any inline JS or CSS and see if the digest matches a value found in the header. If it does, the content is safe for use.
The contents of any <script> tags on the page would then be hashed and compared to the value found in the CSP header. If the values matched, the script would be allowed to execute.
| Labels |
Added:
?
?
?
|
||
Is that really an accurate description
Can you please suggest an alternative description?
It depends if it does what you wrote or it does what Scott says you should do
hmm my text is based on the chrome error message:
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'self' 'unsafe-inline' 'sha256-tbnnT/BTiNbMb7tp2DUzXvspk56uv/T7ZMNODFB3MMo=' 'unsafe-inline'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
And in chrome and FF this also works just that way, that is what i can tell.
Thanks for the feedback it is implemented now.
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-09-13 12:08:35 |
| Closed_By | ⇒ | wilsonge |
Thanks!
Is that really an accurate description