Compatibility with CSP (Content Security Policy)?

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
dbj
Registered User
Posts: 12
Joined: Mon Oct 09, 2017 10:08 am

Compatibility with CSP (Content Security Policy)?

Post by dbj » Fri Nov 17, 2017 1:18 pm

Hi everyone,

is phpBB 3.2 ready to be used with CSP headers? I.e. no inline JavaScript and no inline styles.
If I could enable CSP for phpBB, that would be great for added security (prevent XSS).

Thanks

Mick
Support Team Member
Posts: 18124
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Compatibility with CSP (Content Security Policy)?

Post by Mick » Fri Nov 17, 2017 1:27 pm

A vanilla install of phpBB has no known vulnerabilities, this is checked by an external security audit for each version.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

dbj
Registered User
Posts: 12
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj » Fri Nov 17, 2017 1:33 pm

Thanks for replying, but unfortunately it does not answer my question.
An audit does not mean a piece of software is secure, it just means the probability of a security problem is lower.

(CSP is "proactive" security, if that wording sounds better - it protects against UNKNOWN vulnerabilities)

Mick
Support Team Member
Posts: 18124
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Compatibility with CSP (Content Security Policy)?

Post by Mick » Fri Nov 17, 2017 1:49 pm

dbj wrote:
Fri Nov 17, 2017 1:33 pm
it protects against UNKNOWN vulnerabilities
Really? I’ve just had a search on here and found only one topic, with no replies. I take it from that there isn’t much activity on the subject, I’ll make the devs aware of your question.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

dbj
Registered User
Posts: 12
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj » Fri Nov 17, 2017 1:54 pm

Here is a good read about CSP: https://blog.twitter.com/engineering/en ... urity.html

Almost all large websites are using CSP - the security gain is really worth it.

stevemaury
Support Team Member
Posts: 47990
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Compatibility with CSP (Content Security Policy)?

Post by stevemaury » Fri Nov 17, 2017 4:34 pm

Do a test installation and try it.
For REALLY good and VERY inexpensive hosting CLICK HERE

All unsolicited PMs will be ignored.

Sunner
Registered User
Posts: 4
Joined: Mon May 05, 2003 9:04 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Sunner » Tue Dec 05, 2017 7:44 am

dbj wrote:
Fri Nov 17, 2017 1:18 pm
Hi everyone,

is phpBB 3.2 ready to be used with CSP headers? I.e. no inline JavaScript and no inline styles.
If I could enable CSP for phpBB, that would be great for added security (prevent XSS).

Thanks
Hello,

A slightly late reply but maybe someone else will google their way here like I did. I went ahead and just tested it on a brand new forum running phpBB 3.2.1, and phpBB breaks in quite a few places. I didn't do an extensive search since it was obvious by just looking at the members list for example, and looking at the source makes this unsurprising.

canonknipser
Registered User
Posts: 1186
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: Compatibility with CSP (Content Security Policy)?

Post by canonknipser » Tue Dec 05, 2017 8:10 am

Sunner wrote:
Tue Dec 05, 2017 7:44 am
phpBB breaks in quite a few places
If you think there are issues in the phpBB3 core, feel free to open a bug report in the tracker and contribute to the code by pull requests.
Greetings
Frank
phpbb.de support team member
English is not my native language
New arrival - Extensions and scripts for phpBB
no support via PM or mail

AmigoJack
Registered User
Posts: 4999
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Compatibility with CSP (Content Security Policy)?

Post by AmigoJack » Tue Dec 05, 2017 8:58 am

dbj wrote:
Fri Nov 17, 2017 1:18 pm
no inline Javascript and no inline styles
CSP even comes up with directives to allow that.

dbj wrote:
Fri Nov 17, 2017 1:18 pm
If I could enable CSP for phpBB, that would be a great for added security (prevent XSS)
phpBB alone can't do that for you - you have to know yourself how to set i.e. img-src.

Sunner wrote:
Tue Dec 05, 2017 7:44 am
just looking at the members list
Yes, since 3.1 phpBB also uses external resources (like //ajax.googleapis.com and //maxcdn.bootstrapcdn.com) and everybody should be aware of this questionable approach.

canonknipser wrote:
Tue Dec 05, 2017 8:10 am
open a bug report in the tracker and contribute to the code by pull requests
May I add: the "and" is the most important word here, as creating a bug ticket alone is not enough for most developers, regardless of the amount of details - if you don't come up with a GIT pull request consider it a waste of time and effort.
The worst thing about censorship is ███████████
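The two observations above (Sunner: the page source makes the breakage obvious; AmigoJack: since 3.1 the templates pull scripts and styles from ajax.googleapis.com and maxcdn.bootstrapcdn.com) can be checked mechanically. The following script is an added example, not code from this thread or from phpBB: it parses a page's HTML, lists what a CSP without 'unsafe-inline' would block (inline script/style blocks and on* event handlers), collects the external hosts a policy must allow, and proposes a strict header using CSP 2 hash-sources for the inline blocks. The sample HTML is constructed to mimic the patterns the thread describes; it is not phpBB's real markup.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not phpBB's actual template output).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<style>.hidden { display: none; }</style>
</head><body>
<a href="#" onclick="toggle('memberlist')">members</a>
<script>var phpbb = {};</script>
</body></html>"""

class CspAudit(HTMLParser):
    """Collects what a CSP without 'unsafe-inline' blocks, plus the hosts it must allow."""
    def __init__(self):
        super().__init__()
        self.inline_scripts = []  # <script> bodies without src: fixable via hash or nonce (CSP 2)
        self.inline_styles = []   # <style> bodies: same
        self.event_handlers = []  # on* attributes: need 'unsafe-inline' (or CSP 3 'unsafe-hashes')
        self.hosts = {"script-src": set(), "style-src": set()}
        self._open = None         # which inline block we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.event_handlers += [(tag, n) for n in a if n.startswith("on")]
        if tag == "script" and a.get("src"):
            self.hosts["script-src"].add(urlsplit(a["src"]).hostname)  # scheme-relative URLs work too
        elif tag in ("script", "style"):
            self._open = tag
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.hosts["style-src"].add(urlsplit(a["href"]).hostname)

    def handle_data(self, data):
        if self._open == "script": self.inline_scripts.append(data)
        elif self._open == "style": self.inline_styles.append(data)

    def handle_endtag(self, tag):
        if tag in ("script", "style"): self._open = None

def csp_hash(source):
    """CSP 2 hash-source: base64(sha256) of the exact text between the tags."""
    return "'sha256-" + base64.b64encode(hashlib.sha256(source.encode()).digest()).decode() + "'"

def audit(html):
    p = CspAudit(); p.feed(html); return p

def suggested_policy(p):
    """Strict policy: self, the external hosts found, and a hash per inline block."""
    script = ["'self'"] + sorted(p.hosts["script-src"]) + [csp_hash(s) for s in p.inline_scripts]
    style = ["'self'"] + sorted(p.hosts["style-src"]) + [csp_hash(s) for s in p.inline_styles]
    return "default-src 'self'; script-src %s; style-src %s" % (" ".join(script), " ".join(style))
```

Run `audit(SAMPLE_HTML)` on a saved page source to see what breaks; any entry in `event_handlers` cannot be whitelisted by hash under CSP 1 or 2, which is the compatibility gap dbj raises.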

dbj
Registered User
Posts: 12
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj » Tue Dec 05, 2017 9:24 am

AmigoJack wrote:
Tue Dec 05, 2017 8:58 am
dbj wrote:
Fri Nov 17, 2017 1:18 pm
no inline Javascript and no inline styles
CSP even comes up with directives to allow that.
Yes, but inline js/styles by using nonces or hashes is an extension of CSP (version 2 or even 3), which is not supported by all browsers, whereas CSP version 1 is supported even by MSIE 11.
