
Online Security Policy breaks the interface #21238

Closed
ghost opened this issue Sep 22, 2022 · 8 comments
ghost commented Sep 22, 2022

Description

After employing an Online Security Policy, i.e. CSP, the Gitea interface has some issues.

When applying the following rules:

```
Content-Security-Policy
default-src 'self' *.x-files.dk *.cloudflare.com fonts.googleapis.com fonts.gstatic.com; frame-ancestors 'self' *.x-files.dk; object-src *.x-files.dk/; script-src *.x-files.dk/; style-src 'self'; font-src 'self' data:;
```

So for this to work I had to add the following, which is below best practice for CSP:

```
default-src 'self' *.x-files.dk *.cloudflare.com fonts.googleapis.com fonts.gstatic.com https://secure.gravatar.com; frame-ancestors 'self' *.x-files.dk; object-src *.x-files.dk/; script-src *.x-files.dk/ 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;
```

No one, absolutely no one, should ever use 'unsafe-inline' as well as 'unsafe-eval' in their Content Security Policy.

Gitea Version

gitea-1.17.2-linux-amd64

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

N/A

Screenshots

[screenshot: gitea]

Git Version

gitea-1.17.2-linux-amd64

Operating System

Ubuntu 22.04

How are you running Gitea?

Runs as a service on a stand-alone server.

Database

MySQL
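As an added example (not code from this issue or from Gitea), a small Python checker that parses a CSP value and reports the two keywords this thread is about. It goes beyond the quoted policies by also resolving the default-src fallback and the CSP3 rule that a nonce or hash in the same directive makes browsers ignore 'unsafe-inline'; the two policies from the report above are embedded as its sample input.

```python
"""Added example (not Gitea code): lint a CSP value for 'unsafe-inline' /
'unsafe-eval', resolving the default-src fallback and the CSP3 rule that a
nonce or hash in the same directive makes browsers ignore 'unsafe-inline'."""
from typing import Dict, List

# 'unsafe-inline' weakens scripts and styles; 'unsafe-eval' only script-src.
WEAK_KEYWORDS = {
    "script-src": ("'unsafe-inline'", "'unsafe-eval'"),
    "style-src": ("'unsafe-inline'",),
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# The two policies quoted in the issue: intended, and loosened for the UI.
STRICT_CSP = ("default-src 'self' *.x-files.dk *.cloudflare.com fonts.googleapis.com "
              "fonts.gstatic.com; frame-ancestors 'self' *.x-files.dk; "
              "object-src *.x-files.dk/; script-src *.x-files.dk/; style-src 'self'; "
              "font-src 'self' data:;")
RELAXED_CSP = ("default-src 'self' *.x-files.dk *.cloudflare.com fonts.googleapis.com "
               "fonts.gstatic.com https://secure.gravatar.com; frame-ancestors 'self' "
               "*.x-files.dk; object-src *.x-files.dk/; script-src *.x-files.dk/ "
               "'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
               "font-src 'self' data:;")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """{directive: [sources]}; names case-insensitive, repeats ignored."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(header: str) -> List[str]:
    """Weak keywords in effect, noting default-src inheritance and nonce/hash neutralisation."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive, keywords in WEAK_KEYWORDS.items():
        origin = directive if directive in policy else "default-src"
        sources = policy.get(origin, [])
        inherited = "" if origin == directive else " (inherited from default-src)"
        neutralised = any(s.startswith(NONCE_OR_HASH) for s in sources)
        for keyword in keywords:
            if keyword in sources:
                note = " (ignored: nonce/hash present)" if (
                    keyword == "'unsafe-inline'" and neutralised) else ""
                findings.append(f"{directive}: {keyword}{inherited}{note}")
    return findings
```

Running `lint_csp` on the strict policy returns no findings, while the loosened one yields one entry per weak keyword in script-src and style-src.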

@ghost ghost added the type/bug label Sep 22, 2022
@wxiaoguang
Contributor

@silverwind
Member

Inline scripts are currently necessary for the clone script which we should remove.
Inline styles will be a massive refactor and probably be nigh impossible as jQuery show/hide and Fomantic-UI depend on them.


ghost commented Sep 22, 2022

> Inline scripts are currently necessary for the clone script which we should remove.
> Inline styles will be a massive refactor and probably be nigh impossible as jQuery show/hide and Fomantic-UI depend on them.

Right, I know this is not easy, and I could very well live with inline styles being needed for now if inline scripts would go. What bothers me the most is the 'unsafe-eval'; any thoughts on this one?

@silverwind
Member

I don't think there is any eval use in the codebase or the dependencies, but IIRC browsers count other things as eval as well; maybe you can get a list of problematic JS call sites.


ghost commented Sep 22, 2022

Indeed, good idea, I will. I'm at work right now, but once I get home I'll get them listed. Should I post them here?


ghost commented Sep 22, 2022

But frankly I had to move my Gitea installation to an isolated host / server where it will live alone, as I cannot live with the potential security issues I'm facing having the Gitea server facing the internet with these drawbacks on Online Security Policy. I'm not blaming anyone, just so you know. But the issue is there and it should be fixed; if not, people in the near future will lose confidence in Gitea not trying to be "best in class" :-)


ghost commented Sep 22, 2022

> Related to this one

Indeed it is, thanks.

@silverwind
Member

Let's close in favor of #19851.

@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023