Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP improvements #29

Open
nijel opened this issue Sep 16, 2016 · 1 comment
Open

CSP improvements #29

nijel opened this issue Sep 16, 2016 · 1 comment
Labels
enhancement hardening

Comments

@nijel
Copy link
Contributor

nijel commented Sep 16, 2016

  1. CSP Improvements (for WebSite)

https://www.phpmyadmin.net/ return the following CSP header:
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/; img-src 'self' https://www.google-analytics.com/ https://www.paypalobjects.com/; style-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'

2.1) Change Google Analytics loading

The usage of current Google Analytics code require unsafe-inline in script-src

fix: (by applying any of the below, the unsafe-inline can be removed from script-src)
move the inline code into external file
https://stackoverflow.com/questions/30939809/google-analytics-js-and-content-security-policy
or generate a hash for inline script:
https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

2.2) Dynamic CSP usage

The https://www.paypalobjects.com/ in img-src is needed only in some pages, such as:

    https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/donate.html#L31
    https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/sponsors.html#L126

2.3) More Strict CSP Policy

The usage of action attribute is used in the below pages (to https://www.paypal.com/)

website/pmaweb/templates/donate.html

Line 22 in 92720e9

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">

website/pmaweb/templates/sponsors.html

Line 113 in 0da92e1

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">

thus use form-action directive to white-list action locations
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives#form-action

  1. Missing CSP Policy

visiting:
https://www.phpmyadmin.net/fff/
result:

no CSP Policy sent, also the page load javascript from https://linkhelp.clients.google.com/ (need to add to script-src directive)
https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/404.html#L23
@nijel
Copy link
Contributor Author

nijel commented Sep 16, 2016

  1. CSP Violations Issues in WebSite

On Chrome:

Visiting:
https://www.phpmyadmin.net/downloads/

Result in Console:

Refused to load the image 'https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-2718724-14&cid=231898991.1468598139&jid=2067451453&_v=j44&z=2118007049' because it violates the following Content Security Policy directive: "img-src 'self' https://www.google-analytics.com/ https://www.paypalobjects.com/".

fix:
add https://stats.g.doubleclick.net to img-src directive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement hardening
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nijel