Send a configurable CSP in every HTML response #9665
Conversation
|
@alecpl Same question for this: would reviews by other developers help you? |
|
I'm not sure it would help me, but it would likely help the pull request move forward. |
|
Are there other things we can do to ease your load? E.g. get more ticket work off your back? Or release/version/patch-management? I notice you're backporting many changes that go into the |
| $csp = $this->app->config->get('content_security_policy'); | ||
| if (!in_array($csp, ['', false, 'false'])) { | ||
| $csp_header = "Content-Security-Policy: {$csp}"; | ||
| if (isset($this->env['safemode']) && $this->env['safemode'] === true) { |
There was a problem hiding this comment.
This needs E2E test as it is it can very easily break security if coded wrongly.
There was a problem hiding this comment.
Testing is a good point 👍
Do you have something specific in mind regarding breaking security?
There was a problem hiding this comment.
I mean we need to be sure external resources are not fetched (otherwise spammers know what email addresses to spam even more) in every other case than explicitly configured so.
There was a problem hiding this comment.
I agree, but I think this change doesn't enlarge that danger. It only adds a Content-Security-Policy, which should reduce that danger. The safe-flag is not touched.
Do you see any way in which this change could be dangerous?
|
I'm not convinced that providing such configuration options is a good idea. |
|
I know nothing about CSP headers. From a Roundcube code style point of view only I would say that
is wrong and it should be
this means, i think, in common with other config values I would also say the comment in |
@alecpl Why? I thought some people might need to change the CSP (e.g. for plugins using external resources), and this way they wouldn't need to patch the code. |
@johndoh But your comments are helpful, thank you very much!
For some values that's right, but
Thank you for that catch! I'l solve that in code so admins can't break the CSP so easily by mistake. |
pabzm
force-pushed
the
always-send-csp
branch
from
e1f10e9
to
54928f4
Compare
The CSP gets adapted to remote objects being allowed or not. It can be configured or disabled via the config option `content_security_policy` (and `content_security_policy_add_allow_remote`).
pabzm
force-pushed
the
always-send-csp
branch
2 times, most recently
from
ba0ab41
to
a9e0110
Compare
I agree with this. I think in the past there has been issues with Personally I just don't like the |
pabzm
force-pushed
the
always-send-csp
branch
from
a9e0110
to
304ae70
Compare
If people write a lax default CSP they might set the additional config option to the blank string, or false. Then the CSP header should not contain that value.
pabzm
force-pushed
the
always-send-csp
branch
from
304ae70
to
feb8e9f
Compare
This way the code always has values it can work with, no matter how good or broken the configuration is.
Oh, I wasn't aware of that. Thank you for that explanation! Then we maybe should have a hardcoded value for all defaults. I changed the approach to specifying the default value in (I'd be happy to extend this approach to more config options, it would reduce some special case handling in
I also find it ugly, but I really like solid code, which isn't vulnerable to edge cases. But maybe checking against |
Previously the code also treated `'false'` (the string) as invalid, but that's a very specific check against a specific edge case, which wouldn't even break the code (but will only make the browser complain), so I'm dropping that check.
The config value might be something else than a string.
In the previous way useless semicolons could have happened.
We still support PHP v7, which doesn't support union types.
phpstan complains that `assertIsArray($config)` will always fail because it doesn't know about the side effects of `require`ing the default config.
pabzm
force-pushed
the
always-send-csp
branch
from
cfcabf0
to
fda480b
Compare
@alecpl Why? Some people might need to change the CSP (e.g. for plugins using external resources). |
|
Because it's easy to do wrong. Because CSP can be set on the http server and Roundcube cannot relax the rules, it can only make them more strict. Because the initial problem was lack of documentation, not lack of options. In other words this might be one of those power-user options that may bring more harm than value. That being said, I don't really see a middle ground here. Either we set CSP (and need options and ways for plugins) or not. |
|
From your tone and from the experience of other comment threads I assume that you're not interested in an open discussion of the points you listed. (Please prove me wrong.) Which makes me wonder what you want from this PR. If you want to veto the change, please say so clearly. If not: please suggest a way forward. |
|
I don't want it to sound like a veto, but I think we should not merge this. As other security-related headers that you can set, add the header sample to the It does not mean we shouldn't make Roundcube compatible with more strict rules in the future, but Roundcube should not set the header itself, imo. Of course, there's always exceptions, we use CSP header on file downloads. |
|
This change increases security by introducing a CSP that is stricter if the And it increases security of all installations by ensuring from code that the CSP is always sent, not only where an admin took the extra step to configure it. And it doesn't break anything in a default installation. Of course people can make themselves a problem with the config option, but that is true for a lot of the config options we already have. How is this one different? |
The CSP gets adapted to remote objects being allowed or not. It can be configured or disabled via the config option
content_security_policy(andcontent_security_policy_add_allow_remote).The default is pretty weak in order to not introduce a breaking change, but still not useless (e.g. it adds another layer of defence against loading remote objects unless allowed.)
Closes #9638