Allow using Content-Security-Policy without unsafe-inline

Source: https://www.phpbb.com/ideas/
Author: Heo32
Posted: Fri Sep 14, 2018 7:04 am
Status: New

Ideas Bot
Registered User
Posts: 433
Joined: Sat Oct 13, 2012 10:06 am
Post by Ideas Bot » Fri Sep 14, 2018 7:04 am

This is a copy-and-paste report that I had submitted to the security tracker here. Derky closed it as an invalid security issue and suggested that I post my findings here.


This post is in relation to the following issue #39941 listed (and approved) for the upcoming WordPress 5.0 release:

https://core.trac.wordpress.org/ticket/39941

It applies to phpBB as well. Please consider a similar fix to the one in the link above.



Situation:

Using an nginx.conf file, adding the following prevents XSS attacks:

add_header Content-Security-Policy "script-src 'self'";

But that also causes issues, one being the inability to create database backups in the ACP. The only way to get around this is to add the following, which allows XSS attacks to occur on a site:

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";



I will use https://securityheaders.com/ as a reference point to show why. When a website is found to use 'unsafe-inline' in the Content-Security-Policy, specifically for the "script-src", this is the message it returns:

This policy contains 'unsafe-inline' which is dangerous in the script-src directive.

When 'unsafe-eval' is used, it returns the following:

This policy contains 'unsafe-eval' which is dangerous in the script-src directive.

When 'unsafe-inline' and 'unsafe-eval' are both used, it returns the following:

This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive.



Conclusion:

I would like to remove 'unsafe-inline' from my script-src but can't at the moment without losing the ability to make database backups in the ACP. Removing it may cause other issues as well, but I haven't found anything else yet. If a plugin or modification similar to the one proposed on WordPress's website (link at top) were added to phpBB, everyone would be able to remove 'unsafe-inline', thus protecting their sites (and forums) from XSS attacks.

Derky
Development Team Member
Posts: 4797
Joined: Sun Apr 10, 2005 9:58 am
Location: Netherlands

Re: Allow using Content-Security-Policy without unsafe-inline

Post by Derky » Sun Sep 16, 2018 3:36 pm

That's correct, it's not a security issue that needs direct fixing, it's a feature request to allow further hardening with strict CSP.

We currently use inline JavaScript in a lot more places than just the database backup. We also use it for the BBCode buttons in the posting editor, searching users in the ACP and for marking multiple checkboxes as checked (search for "onclick=" in the code base).

Required changes to support strict CSP:
  • Move all JavaScript from inline event handlers such as onclick= and onerror= and <a href="javascript: links to separate files with event listeners, e.g. $("#button").click(function() { ... } );.
  • Move JavaScript code from inline <script></script> blocks to separate files or add a nonce.
  • Add a nonce to all <script> elements.

JoshyPHP
Code Contributor
Posts: 949
Joined: Mon Jul 11, 2011 12:28 am

Re: Allow using Content-Security-Policy without unsafe-inline

Post by JoshyPHP » Mon Sep 17, 2018 10:40 pm

It would make things like spoiler BBCodes and embedding tweets much harder.

There's not going to be any browser support for whitelisting inline attributes for a long time. https://docs.google.com/document/d/1_nY ... qWlTAHst7c
I wrote the thing that does BBCodes in 3.2.

AmigoJack
Registered User
Posts: 5324
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Allow using Content-Security-Policy without unsafe-inline

Post by AmigoJack » Fri Sep 21, 2018 7:29 am

Heo32 wrote: Using an nginx.conf file, adding the following prevents XSS attacks:

add_header Content-Security-Policy "script-src 'self'";

That alone will also stop displaying media resources hosted elsewhere: if someone embeds picture links from, e.g., Imagebam or a video from YouTube, you'd need to add more parameters to (re)allow them (e.g. img-src and media-src).
The worst thing about censorship is ███████████
