Main UI: Improve Content-Security-Policy #2714

Merged: 3 commits, Aug 15, 2024
22 changes: 16 additions & 6 deletions bundles/org.openhab.ui/web/src/index.html
@@ -3,15 +3,25 @@
<head>
<meta charset="utf-8">
<!--
Customize this policy to fit your own app's needs. For more guidance, see:
https://github.com/apache/cordova-plugin-whitelist/blob/master/README.md#content-security-policy
Some notes:
Cordova recommended default CSP. For more guidance, see:
https://cordova.apache.org/docs/en/dev/guide/appdev/allowlist/#content-security-policy-csp
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
Explanation:
* gap: is required only on iOS (when using UIWebView) and is needed for JS->native communication
Note that UIWebView is deprecated, see https://developer.apple.com/documentation/uikit/uiwebview
* https://ssl.gstatic.com is required only on Android and is needed for TalkBack to function properly
* Disables use of inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
* Disables use of eval() and inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
* Enable eval(): add 'unsafe-eval' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content: blob:; style-src 'self' 'unsafe-inline';">
<!-- Explanation:
* allow loading resources from the same origin, inline scripts and styles
* allow loading fonts from the same origin, and data: URIs
* allow loading images from any source, and data: URIs
* allow loading media from any source, and data:, blob: and media: URIs
* allow connecting (through fetch(), XMLHttpRequest, WebSocket etc.) to the same origin, raw.githubusercontent.com (add-on logos etc.), and any source
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src * data:; media-src * data: blob: media:; connect-src 'self' raw.githubusercontent.com *;">
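Review bot: the trailing `*` in `connect-src 'self' raw.githubusercontent.com *;` makes the two explicit sources dead weight, since `*` already matches every http(s)/ws(s) host, so as written the directive does not restrict where fetch(), XMLHttpRequest or WebSocket may connect; the explanation line "and any source" confirms that this is the intent. Either drop the `*` and document that external SIP/video endpoints then have to be proxied under the same origin, or drop `'self' raw.githubusercontent.com` so the directive reads as what it is. The explanation block should also say that no `script-src` is set, so scripts inherit `default-src 'self' 'unsafe-inline'`: this change removes `'unsafe-eval'` and the `*` from `default-src`, but inline scripts stay allowed. Finally, the `media:` scheme in `media-src` deserves a note on what produces such URIs, so a later reader does not remove it as a typo.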
Contributor Author
By removing this wildcard here we could limit what the HTTP action is able to do:

Suggested change
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src * data:; media-src * data: blob: media:; connect-src 'self' raw.githubusercontent.com *;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src * data:; media-src * data: blob: media:; connect-src 'self' raw.githubusercontent.com;">

However, we have to keep in mind that this limits the SIP widget and probably the video widget as well.
It is possible to overwrite our CSP here by using a reverse proxy; however, this is quite user-unfriendly.

@ghys WDYT?

Member
> that this limits the SIP widget and probably the video widget as well

That's kind of bad then, isn't it?

Contributor Author

Yeah, but as long as you have a reverse proxy in place, this is easy to fix.

Either serve everything from "self", e.g. I have openhab.localnet for openHAB and my SIP WebSocket is at openhab.localnet/sip,
or overwrite the CSP by setting the header in the reverse proxy conf and add additional targets as needed.
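As an added illustration of the trade-off discussed in this thread (not code from the openHAB project or from this PR): a small JavaScript evaluator of CSP source lists, following the CSP3 matching rules in simplified form, that checks what the merged policy and the suggested `connect-src` without `*` allow for a page at http://openhab.localnet (the hostname mentioned above). The endpoints sip.example.org and api.example.org, the add-on logo path, and the `compare`/`allows`/`allowsKeyword` helpers are constructed for this example; the policy strings are copied from the diff.

```javascript
// Added example, not code from the openHAB PR: a simplified CSP3 source-list
// evaluator that compares the merged policy with the suggested connect-src.
const MERGED_CSP =
  "default-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src * data:; " +
  "media-src * data: blob: media:; connect-src 'self' raw.githubusercontent.com *;";
// The thread's suggestion: the same policy with the trailing * dropped from connect-src.
const SUGGESTED_CSP = MERGED_CSP.replace("raw.githubusercontent.com *;", "raw.githubusercontent.com;");

// Fetch directives that inherit default-src when not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set(["script-src", "style-src", "img-src", "font-src", "media-src", "connect-src"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const portOf = (url) => url.port || DEFAULT_PORTS[url.protocol] || "";

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && directives.has("default-src")) return directives.get("default-src");
  return null; // nothing applies: unrestricted
}

// A scheme in the policy also covers its secure upgrade (http -> https, ws -> wss).
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http:") return urlScheme === "https:";
  if (exprScheme === "ws:") return ["wss:", "http:", "https:"].includes(urlScheme);
  return exprScheme === "wss:" && urlScheme === "https:";
}

// 'self': same origin, or same host and port over a secure scheme (or ws: from an http: page).
function selfMatches(url, origin) {
  if (url.origin === origin.origin) return true;
  if (url.hostname.toLowerCase() !== origin.hostname.toLowerCase()) return false;
  if (portOf(url) !== portOf(origin) && !(url.port === "" && origin.port === "")) return false;
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return origin.protocol === "http:" && (url.protocol === "http:" || url.protocol === "ws:");
}

// host-source: [scheme://]host[:port][/path], with *.example.org and port * wildcards.
function hostSourceMatches(expr, url, origin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme ? scheme.toLowerCase() + ":" : origin.protocol, url.protocol)) return false;
  const h = host.toLowerCase(), u = url.hostname.toLowerCase();
  if (h !== "*" && !(h.startsWith("*.") ? u.endsWith(h.slice(1)) : h === u)) return false;
  if (port === undefined ? url.port !== "" : (port !== "*" && port !== portOf(url))) return false;
  return !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
}

function sourceMatches(expr, url, origin) {
  // * covers network schemes only; data:, blob: and filesystem: must be listed explicitly.
  if (expr === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol) || url.protocol === origin.protocol;
  if (expr === "'self'") return selfMatches(url, origin);
  if (expr.startsWith("'")) return false; // 'unsafe-inline', 'none', nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol); // scheme-source
  return hostSourceMatches(expr, url, origin);
}

// Is a request governed by `directive` to `targetUrl` allowed for a page at `pageOrigin`?
function allows(policy, directive, targetUrl, pageOrigin) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  const url = new URL(targetUrl), origin = new URL(pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, origin));
}

// Is 'unsafe-inline' / 'unsafe-eval' in effect for `directive` after default-src fallback?
// (A nonce or hash in the same list would switch 'unsafe-inline' off; none is present here.)
function allowsKeyword(policy, directive, keyword) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  return sources === null || sources.includes(keyword);
}

// Constructed endpoints: openhab.localnet is the hostname from the thread, the rest are hypothetical.
const PAGE = "http://openhab.localnet";
const TARGETS = [
  "ws://openhab.localnet/sip",                   // SIP WebSocket proxied under the same origin
  "wss://sip.example.org/ws",                    // SIP WebSocket on a separate host
  "https://raw.githubusercontent.com/openhab/x", // add-on logos
  "https://api.example.org/",                    // any other host the page might call
  "data:text/plain,x",                           // never implied by *
];

// Side-by-side verdicts of both policies for connect-src.
function compare(targets = TARGETS, pageOrigin = PAGE) {
  return targets.map((url) => ({ url, merged: allows(MERGED_CSP, "connect-src", url, pageOrigin),
                                 suggested: allows(SUGGESTED_CSP, "connect-src", url, pageOrigin) }));
}
```

Running `compare()` shows the point made above: with the `*` in place every network endpoint is reachable and the explicit `'self'` and `raw.githubusercontent.com` entries change nothing, while without it the SIP WebSocket on its own host is blocked but the same WebSocket proxied under `openhab.localnet/sip` (or a `wss://` upgrade of the same origin) still passes `'self'`. `allowsKeyword` also makes visible that, with no `script-src` set, scripts fall back to `default-src`, so `'unsafe-inline'` still applies to them while `'unsafe-eval'` no longer does. The code depends only on the global `URL` class, so it runs unchanged in Node.js or a browser console.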

<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=no, minimal-ui, viewport-fit=cover">

<meta name="theme-color" content="#e64a19">