Skip to content

Send a configurable CSP in every HTML response #9665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3,894 commits into
base: master
Choose a base branch
from
Draft

Send a configurable CSP in every HTML response #9665

wants to merge 3,894 commits into from

Conversation

@pabzm
Copy link
Member

@pabzm pabzm commented Oct 7, 2024
edited
Loading

The CSP gets adapted to remote objects being allowed or not. It can be configured or disabled via the config option content_security_policy (and
content_security_policy_add_allow_remote).

The default is pretty weak in order to not introduce a breaking change, but still not useless (e.g. it adds another layer of defence against loading remote objects unless allowed.)

Closes #9638

alecpl and others added 30 commits April 21, 2024 11:33
@alecpl
Get rid of phpstan/phpstan-strict-rules
28c1ecd
@mvorisek
Infer file/line location in rcube::raise_error() from backtrace (roun…
db586b6 
…dcube#9422)

* \n\s+'file' => __FILE__,

* \n\s+'line' => __LINE__,

* 'line' => __LINE__, 'file' => __FILE__,

* 'file' => __FILE__, 'line' => __LINE__,

* rest

* more

* improve cs

* more cs

* revert rcube_utils::preg_error changes

* impl file/line from backtrace

* Revert "revert rcube_utils::preg_error changes"
@EdouardVanbelle
oauth: select auth scheme (XOAUTH2 vs OAUTHBEARER) (roundcube#9289)
c6ae485
@alecpl
Password: Use Guzzle HTTP Client in 'directadmin' driver
1e0208d
@alecpl
Password: Use Guzzle HTTP Client in the plesk driver
cea7706
@alecpl
Password: Use Guzzle HTTP Client in the modoboa driver
7a5a10a
@alecpl
Password: Use Guzzle HTTP Client in the domainfactory driver
d401749
@alecpl
Password: Use Guzzle HTTP Client in the cpanel driver
a01bea0
@alecpl
Doc cleanup [skip ci]
d2d7829
@svalo
Documents redis as supported imap_cache (roundcube#9428)
ee86fab 
As stated in roundcube#5574 (comment) redis is supported, adding it to supported backed

[skip ci]
@alecpl
Fix PHP8 warning (roundcube#9429)
2b0a906
@pabzm
Fix Code Spell check by disabling String.raw rule
8c96185 
The eslint package "eslint-plugin-unicorn" introduced a new rule in
version 53.0.0 that suggests to use `String.raw` in order to avoid the
need for escaping backslashes.

While this certainly is a good idea we cannot follow that rule as long
as we support Internet Explorer 11+, which doesn't support template
literals (and thus `String.raw`).
@miaulalala
Merge pull request roundcube#9449 from pabzm/fix-cs-string-raw
e6f13fe 
Fix Code Spell check by disabling `String.raw` rule
@alecpl
Fix folders hierarchy when special folders are subfolders of INBOX, w…
579c567 
…ith no personal namespace prefix (roundcube#9452)
@alecpl
Wording improvement
a5b4734 
[skip ci]
@johndoh
Add skin info to about dialog (roundcube#9441)
1782d97
@alecpl
Update changelog
3d05b37 
[skip ci]
@alecpl
Cleanup raise_error() use in password drivers
0a0f301
@alecpl
Simplify use of rcube::raise_error()
78d57fa
@alecpl
Fix command injection via crafted im_convert_path/im_identify_path on…
7cf1b8e 
… Windows

Reported by Huy Nguyễn Phạm Nhật.
@alecpl
Fix cross-site scripting (XSS) vulnerability in handling list columns…
d2c8042 
… from user preferences

Reported by Huy Nguyễn Phạm Nhật.
@alecpl
Fix cross-site scripting (XSS) vulnerability in handling SVG animate …
a4e961c 
…attributes

Reported by Valentin T. and Lutz Wolf of CrowdStrike.
@alecpl
Update changelog
8cd3fb8 
[skip ci]
@gerbert
Add managesieve_host array handler (roundcube#9447)
3de6100
@alecpl
Update changelog
d4b83d7 
[skip ci]
@gerbert
Update .gitignore
257f575 
Added JetBrains PhpStorm project folder (.idea)
@pabzm
Merge pull request roundcube#9455 from gerbert/wip/update-gitignore
cb44284 
Update .gitignore
@DannyDaemonic
Fix notification focus on Chrome (roundcube#9467)
efb178a
@alecpl
Update changelog
794e474 
[skip ci]
@johndoh
Add skin_extends JS env var containing name(s) of base skins extended…
2ff5099 
… by current skin (roundcube#9440)
ShE3py and others added 20 commits January 26, 2025 14:57
@ShE3py
"Add field" widget: set width to fit-content (roundcube#9742)
359a039
@alecpl
Add notes about not all password strength drivers supporting score up…
63e4283 
… to 5 (roundcube#9751)
@pabzm
Send a configurable CSP in every HTML response
b9384af 
The CSP gets adapted to remote objects being allowed or not.
It can be configured or disabled via the config option
`content_security_policy` (and
`content_security_policy_add_allow_remote`).
@pabzm
Ensure proper semicolons between CSP-parts.
24aeec0
@pabzm
Also use default value in case of null
18f680d
@pabzm
Add unit-tests for adding CSP header
2421261
@pabzm
Add additional CSP header values only if present
511f09d 
If people write a lax default CSP they might set the additional config
option to the blank string, or false. Then the CSP header should not
contain that value.
@pabzm
Use invokeMethod instead of overriding it in a mock
4950108
@pabzm
Use hardcoded defaults for CSP options
b9b8744 
This way the code always has values it can work with, no matter how good
or broken the
configuration is.
@pabzm
Test to check if hardcoded option values match defaults
127dec5
@pabzm
Improve readability of CSP value checks
1beafa5 
Previously the code also treated `'false'` (the string) as invalid, but
that's a very specific check against a specific edge case, which
wouldn't even break the code (but will only make the browser complain),
so I'm dropping that check.
@pabzm
Fix static analysis.
3e7b9f6
@pabzm
Fix CSP option type handling
262d75c 
The config value might be something else than a string.
@pabzm
Make CSP header building more robust.
f37a279 
In the previous way useless semicolons could have happened.
@pabzm
Remove type annotation because PHP v7
66ab9ae 
We still support PHP v7, which doesn't support union types.
@pabzm
Mitigate erronous complaint of phpstan
47d36a0 
phpstan complains that `assertIsArray($config)` will always fail because
it doesn't know about the side effects of `require`ing the default
config.
@pabzm
Tiny corrections to make the linter happy
03b50df
@pabzm
Fix default CSP for remote content
ea6b7da 
Fixes a typo
@pabzm
Use lax CSP whereever the HTML editor might be used
cb15b0a 
A "lax" CSP (aka using the config option
`content_security_policy_add_allow_remote`) is required to allow using remote
ressources like image URLs in the HTML editor.

We can't depend this on the intial content being HTML or not because the
user might want to change the editor after loading the page, and then
add remote ressources.
@pabzm
Use lax CSP for help plugin to allow remote frame source
7c5f6a5
@pabzm
Copy link
Member Author

pabzm commented Feb 3, 2025

I removed the wrong colons and I think I fixed the usage of the cases you mentioned, thank you for those hints!

I found another problem: If a mailvelope user wants to automatically lookup missing openpgp keys (to encrypt a message to), the HTTP request is sent from JavaScript directly to the configured keyserver. This would be blocked by a strict CSP.

I see two options:

  • Include the configured keyserver as allowed source in the strict CSP, or
  • Proxy the search requests through the server and keep the strict CSP as it is.

The latter would keep the security advantage of a stricter CSP, and also improve the user's privacy slightly because it won't allow for profiling based on the client IP address.
This would also be beneficial for a future feature, to lookup keys in a WKD, for which hiding client IP addresses would be nice, too.

@alecpl Do you have an opinion on this?

@alecpl
Copy link
Member

alecpl commented Feb 3, 2025

That reminds me of a key search in the enigma plugin, which may have the same issue, I suppose.

I'm not sure we can fix the HTML composer this way, though. When you compose a reply/forward you deal with the original mail content that should get secured, don't you think? Marking the content safe does not look right.

As I said in the beginning this becomes complicated and problematic.

@pabzm
Copy link
Member Author

pabzm commented Feb 3, 2025

Enigma calls the same JavaScript-function as the Mailvelope-integration.

Good point about the replies!

I've changed the code to not use the safe mode for triggering the lax CSP but a dedicated variable. (Actually I had this change set in place once before but discarded it to save a variable and jump onto safemode… should've trusted my initial idea!)

(I'll happily clean up the code before it would be merged, just don't want to stir around in the commits as long as they're continuously reviewed.)

@pabzm pabzm marked this pull request as draft February 20, 2025 11:18
@pabzm pabzm moved this from 🏗️ In progress to 📄 To do in 💌 📅 👥 Groupware team Jun 18, 2025
@pabzm pabzm mentioned this pull request Jul 4, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alecpl alecpl Awaiting requested review from alecpl

1 more reviewer

@mvorisek mvorisek mvorisek left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@pabzm pabzm

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Document a working Content-Security-Policy