Compatibility with CSP (Content Security Policy)?

dbj
Registered User
Posts: 69
Joined: Mon Oct 09, 2017 10:08 am

Compatibility with CSP (Content Security Policy)?

Post by dbj »

Hi everyone,

Is phpBB 3.2 ready to be used with CSP headers, i.e. no inline JavaScript and no inline styles?
If I could enable CSP for phpBB, that would be great for added security (preventing XSS).

Thanks
Mick
Support Team Member
Posts: 26505
Joined: Fri Aug 29, 2008 9:49 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Mick »

A vanilla install of phpBB has no known vulnerabilities, this is checked by an external security audit for each version.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
dbj
Registered User
Posts: 69
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

Thanks for replying, but unfortunately it does not answer my question.
An audit does not mean a piece of software is secure, it just means the probability of a security problem is lower.

(CSP is "proactive" security, if that wording sounds better - it protects against UNKNOWN vulnerabilities)
Mick
Support Team Member
Posts: 26505
Joined: Fri Aug 29, 2008 9:49 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Mick »

dbj wrote: Fri Nov 17, 2017 1:33 pm
    it protects against UNKNOWN vulnerabilities
Really? I’ve just had a search on here and found only one topic, with no replies. I take it from that there isn’t much activity on the subject, I’ll make the devs aware of your question.
dbj
Registered User
Posts: 69
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

Here is a good read about CSP: https://blog.twitter.com/engineering/en ... urity.html

Almost all large websites are using CSP - the security gain is really worth it.
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Compatibility with CSP (Content Security Policy)?

Post by stevemaury »

Do a test installation and try it.
Sunner
Registered User
Posts: 4
Joined: Mon May 05, 2003 9:04 am

Re: Compatibility with CSP (Content Security Policy)?

Post by Sunner »

dbj wrote: Fri Nov 17, 2017 1:18 pm
    Hi everyone,

    Is phpBB 3.2 ready to be used with CSP headers, i.e. no inline JavaScript and no inline styles?
    If I could enable CSP for phpBB, that would be great for added security (preventing XSS).

    Thanks
Hello,

A slightly late reply but maybe someone else will google their way here like I did. I went ahead and just tested it on a brand new forum running phpBB 3.2.1, and phpBB breaks in quite a few places. I didn't do an extensive search since it was obvious by just looking at the members list for example, and looking at the source makes this unsurprising.
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Compatibility with CSP (Content Security Policy)?

Post by canonknipser »

Sunner wrote: Tue Dec 05, 2017 7:44 am
    phpBB breaks in quite a few places
If you think there are issues in the phpBB3-core, feel free to open a bug report in the tracker and contribute to the code by pull requests
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Compatibility with CSP (Content Security Policy)?

Post by AmigoJack »

dbj wrote: Fri Nov 17, 2017 1:18 pm
    no inline Javascript and no inline styles
CSP even comes with directives to allow that.

dbj wrote: Fri Nov 17, 2017 1:18 pm
    If I could enable CSP for phpBB, that would be great for added security (prevent XSS)
phpBB alone can't do that for you - you have to know yourself how to set e.g. img-src.

Sunner wrote: Tue Dec 05, 2017 7:44 am
    just looking at the members list
Yes, since 3.1 phpBB also uses external resources (like //ajax.googleapis.com and //maxcdn.bootstrapcdn.com) and everybody should be aware of this questionable approach.

canonknipser wrote: Tue Dec 05, 2017 8:10 am
    open a bug report in the tracker and contribute to the code by pull requests
May I add: the "and" is the most important word here, as creating a bug ticket alone is not enough for most developers, regardless of the amount of detail - if you don't come up with a Git pull request, consider it a waste of time and effort.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
dbj
Registered User
Posts: 69
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

AmigoJack wrote: Tue Dec 05, 2017 8:58 am
    dbj wrote: Fri Nov 17, 2017 1:18 pm
        no inline Javascript and no inline styles
    CSP even comes with directives to allow that.
Yes, but inline js/styles by using nonces or hashes is an extension of CSP (version 2 or even 3), which is not supported by all browsers, whereas CSP version 1 is supported even by MSIE 11.
Rogerjwilkinson
Registered User
Posts: 33
Joined: Wed Jan 17, 2018 2:42 pm

Re: Compatibility with CSP (Content Security Policy)?

Post by Rogerjwilkinson »

I'm going to revive this thread if that's okay. And also link to this one from earlier in 2017 viewtopic.php?p=14650146


Both are a little unclear as to what PHPBB's stance is here. I've recently come across this dilemma myself. As it currently stands, ALL major security/webmaster/whathaveyou tools and resources STRONGLY recommend to implement an appropriate CSP, and all come with a particularly major warning: If you allow inline-scripts in your CSP, you're disregarding the number one biggest point and advantage to a CSP... I really wish I'd known about this BEFORE building 100% around phpBB (that's my bad, I'm learning as I go), but since we're here, I'd like to work out a solution.

I'm a noob through and through. I had a quick glance to see if it would be feasible to move every bit of inline code to external code and tbh I don't even know that it is? A vanilla install of phpBB shows over 100 (!) examples of inline scripts, and almost 10x that in inline styling (an entirely different matter).

Is there a "proposed solution" here? Am I supposed to "nonce" or "hash" every single last one of those inline-scripts to make this work? And will this even solve the issue entirely - As I understand it right, you have to also completely remove all inline event handlers for hashes to work, which requires actual code-rewriting not just copy and paste to external js files?

I've read that phpBB is safe from a vanilla installation, can somebody please elaborate just a little on this? I'd love to understand more here, is the CSP a little exaggerated and phpBB is in fact safe despite it ignoring the CSP advice? Or is it a little more complicated than that? As it stands, with a correct and recommended CSP (not allowing inline scripts), vanilla phpBB does not function correctly (at first glance, bbcodes break, most all UCP/MCP/ACP functions break and supposedly database backups break) even if phpBB was the ONLY thing installed on my server. That seems to be at odds with each other?

Thanks for your time.
JoshyPHP
Code Contributor
Posts: 1288
Joined: Mon Jul 11, 2011 12:28 am

Re: Compatibility with CSP (Content Security Policy)?

Post by JoshyPHP »

I've used phpBB with JavaScript off for a little while and apart from the editor, everything worked fine.
I wrote the library that handles markup in phpBB 3.2+.
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Compatibility with CSP (Content Security Policy)?

Post by Lumpy Burgertushie »

and, in all this time since phpbb 3 came out, as far as I have heard, there have been no successful hacks of a default install of phpbb3

makes you go hhhhmmmmmmm.


robert
dbj
Registered User
Posts: 69
Joined: Mon Oct 09, 2017 10:08 am

Re: Compatibility with CSP (Content Security Policy)?

Post by dbj »

Lumpy Burgertushie wrote: Fri Feb 02, 2018 5:53 am
    and, in all this time since phpbb 3 came out, as far as I have heard, there have been no successful hacks of a default install of phpbb3
This has nothing to do with the topic. CSP is not a replacement for any security measures and CSP cannot be replaced by other security measures. If you don't know what CSP does, please look it up.
Rogerjwilkinson
Registered User
Posts: 33
Joined: Wed Jan 17, 2018 2:42 pm

Re: Compatibility with CSP (Content Security Policy)?

Post by Rogerjwilkinson »

dbj wrote: Fri Feb 02, 2018 1:43 pm
    Lumpy Burgertushie wrote: Fri Feb 02, 2018 5:53 am
        and, in all this time since phpbb 3 came out, as far as I have heard, there have been no successful hacks of a default install of phpbb3
    This has nothing to do with the topic. CSP is not a replacement for any security measures and CSP cannot be replaced by other security measures. If you don't know what CSP does, please look it up.
^ This. Security audits do not mean phpBB is safe full-stop, end of story. They are AWESOME, and it's AWESOME that phpBB takes it this seriously, but all a security audit means is it's safe against attacks the auditing company knew of and tested for at that time. It should go without saying that it's literally impossible for a company to audit against vulnerabilities that were unknown at the time, and the CSP is a preventative measure against potential future vulnerabilities. One does not negate the other, they are two completely separate tools and methods that simply happen to share a similar end goal - keep your website safe.

As we've all heard - the best treatment is good prevention. This is the power of the CSP, as I currently understand it.

Just out of curiosity actually: Did the auditing company make the team aware of the issue of inline scripts with the audit? It seems like that is something that should've come up from their end.
JoshyPHP wrote: Fri Feb 02, 2018 3:32 am
    I've used phpBB with JavaScript off for a little while and apart from the editor, everything worked fine.
That's remarkable then. Zero modifications to the code on your end? Users frequently using your forum? This is NOT consistent with my experiences, all other reports so far, or the code itself. As I said, almost all control panel features go to sugar, along with just about anything else javascript related (quick replies), and database backups. You can easily download notepad++, do a bulk search for the keyword "<script" and immediately see what will or will not work - As you can see, your statement just isn't consistent with the code. :lol:


I've spent a lot of time combing over it now and unfortunately it's an issue that needs to be addressed on a development level. As I said, you unfortunately can not just move all the <script> tags to an external script, point to them, and voila. All the inline event handlers need to be rewritten to functions and called from external js as well - onclick="jumpto(); return false;" - just as a random example, a CSP disallowing inline scripts will not allow this even with all <script> tags moved externally.

I'm just wondering if it's on the development radar at all, and perhaps something we can look forward to in nearby release, or if webmasters concerned about this issue should start the grueling process of doing this manually now?

phpBB being an open source project I would of course be willing to "do my part", as it were - I can certainly, if nothing else, move all the <script> tags externally and update the vanilla install for this - but the event handlers may need someone that actually knows what they're doing. And it creates other issues as well - Do extension developers then have to do the same as well? Do all extensions that don't fall in line get marked "NOT SAFE" or something to that effect? I know it's a messy one but it is what it is.

Look forward to a response.
Last edited by Rogerjwilkinson on Sun Feb 11, 2018 2:33 am, edited 1 time in total.