Content Security Policy #3620

rudolphfroger · 2017-04-12T08:23:41Z

Subject: adjust themes to allow a sufficient strict Content-Security-Policy

Problem

Settings a sufficiently strict Content-Security-Policy raises many blocked actions

Also see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Procedure to reproduce the problem

Serving the generated HTML using a Content Security Policy header like below gives many exceptions:

Content-Security-Policy: "media-src 'self'; img-src 'self' data:; connect-src 'self'; child-src 'self'; style-src 'self'; default-src 'none'; font-src 'self'; script-src 'self'"

Expected results

I expected to be able to set a Content-Security-Policy header to protect the site against XSS and injection attacks.

Environment info

OS: any
Python version: n.a.
Sphinx version:any

The text was updated successfully, but these errors were encountered:

shimizukawa · 2017-04-12T08:32:42Z

@rudolphfroger I think you mentioned about HTTP header, however sphinx IS NOT a server application. Sphinx just generate html files. So I think there is nothing todo from sphinx side.

rudolphfroger · 2017-04-12T08:43:38Z

I understand that Sphinx won't be able to set an HTTP header. At the moment the inline Javascript in the Sphinx themes prevent anyone from setting a reasonable Content Security Policy header without breaking Sphinx functionality. Moving all inline Javascript and CSS into the separate JS and CSS files would enable people to serve Sphinx in a better secured setup.

shimizukawa · 2017-04-12T13:51:27Z

Thanks for your explanation. Indeed, current templates are not good.

ghost · 2017-11-27T12:42:43Z

I think you mentioned about HTTP header, however sphinx IS NOT a server application. Sphinx just generate html files. So I think there is nothing todo from sphinx side.

CSP can either be served via a header (i.e, via Apache) or put into a meta tag (i.e, in a Sphinx theme). The point of CSP is that it can be configured to disallow inline scripts/styles to prevent XSS/CSRF attacks so it is a Sphinx problem.

Currently the RTD theme sets DOCUMENTATION_OPTIONS expected by the basic theme (doctools, searchtools, etc.) by doing this:

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
             URL_ROOT:'{{ url_root }}',
             VERSION:'{{ release|e }}',
             COLLAPSE_INDEX:false,
             FILE_SUFFIX:'{{ '' if no_search_suffix else file_suffix }}',
             HAS_SOURCE:  {{ has_source|lower }},
             SOURCELINK_SUFFIX: '{{ sourcelink_suffix }}'
         };
     </script>

IMO there should be a better way to set these properties than JavaScript, i.e through some type of middleware.

tk0miya · 2018-01-14T14:33:49Z

Fixed by #4295.
Thank you for reporting!

jumarko · 2019-02-19T15:15:26Z

Because of this issue I've updated my sphinx to 1.8.4 and it seems that the problem with DOCUMENTATION_OPTIONS is gone.
However, I got other errors when using the search box because of inlined scripts used in search.html

[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-w90MR9FaEMvvIqq+E32iGfCOojWBnzSzADCmOrNSung64Inv9lUYU9aaA6pLc131GP294iM50jiiqfmP' https://js.stripe.com". Either the 'unsafe-inline' keyword, a hash ('sha256-Ia59rEZC7ZJO4TTGcWqtwZBVaOfxSvdArdpB0AaSzbk='), or a nonce ('nonce-...') is required to enable inline execution.

[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-w90MR9FaEMvvIqq+E32iGfCOojWBnzSzADCmOrNSung64Inv9lUYU9aaA6pLc131GP294iM50jiiqfmP' https://js.stripe.com". Either the 'unsafe-inline' keyword, a hash ('sha256-p98tulYY6PuvLZreTlWz42v29aGELSPpkZGnACGsP28='), or a nonce ('nonce-...') is required to enable inline execution.

[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-w90MR9FaEMvvIqq+E32iGfCOojWBnzSzADCmOrNSung64Inv9lUYU9aaA6pLc131GP294iM50jiiqfmP' https://js.stripe.com". Either the 'unsafe-inline' keyword, a hash ('sha256-euFOlnAZ5DTyYbwKER1+neBcumHLVJsd7mDPngZMMbU='), or a nonce ('nonce-...') is required to enable inline execution.

ghost · 2019-02-21T01:47:20Z

As I understand it, the purpose of the original AJAX code is to defer loading searchindex.js because of its size. In 2019, it should be possible to use something like async or defer. Further, caching should not be a problem either, assuming a properly configured server (and many people are using Cloudflare anyway).

ghost · 2019-02-21T02:12:19Z

@jumarko I've opened a PR if you would like to pull it down and test it.

#3620: Defer searchindex.js rather than loading it via ajax

to address sphinx-doc/sphinx#3620, we need to use sphinx with its fix at sphinx-doc/sphinx@e049f86 in other words, we need to use sphinx v2.0.0 and up. but sphinx 2.0 requires python >= 3.5, so we have to use python3 for building the documents. in this change: * doc-requirements.txt: install python3 packages on debian derivatives * build-doc: install python3.6 packages from EPEL7, and use python3 venv for using sphinx2 * doc-requirements.txt: bump up all python packages to latest stable. Signed-off-by: Kefu Chai <kchai@redhat.com>

to address sphinx-doc/sphinx#3620, we need to use sphinx with its fix at sphinx-doc/sphinx@e049f86 in other words, we need to use sphinx v2.0.0 and up. but sphinx 2.0 requires python >= 3.5, so we have to use python3 for building the documents. in this change: * doc-requirements.txt: install python3 packages on debian derivatives * build-doc: install python3.6 packages from EPEL7, and use python3 venv for using sphinx2 * doc-requirements.txt: bump up all python packages to latest stable. Signed-off-by: Kefu Chai <kchai@redhat.com> (cherry picked from commit ace8cb1) Conflicts: admin/doc-requirements.txt

to address sphinx-doc/sphinx#3620, we need to use sphinx with its fix at sphinx-doc/sphinx@e049f86 in other words, we need to use sphinx v2.0.0 and up. but sphinx 2.0 requires python >= 3.5, so we have to use python3 for building the documents. in this change: * doc-requirements.txt: install python3 packages on debian derivatives * build-doc: install python3.6 packages from EPEL7, and use python3 venv for using sphinx2 * doc-requirements.txt: bump up all python packages to latest stable. Signed-off-by: Kefu Chai <kchai@redhat.com> (cherry picked from commit ace8cb1)

to address sphinx-doc/sphinx#3620, we need to use sphinx with its fix at sphinx-doc/sphinx@e049f86 in other words, we need to use sphinx v2.0.0 and up. but sphinx 2.0 requires python >= 3.5, so we have to use python3 for building the documents. in this change: * doc-requirements.txt: install python3 packages on debian derivatives * build-doc: install python3.6 packages from EPEL7, and use python3 venv for using sphinx2 * doc-requirements.txt: bump up all python packages to latest stable. Signed-off-by: Kefu Chai <kchai@redhat.com> (cherry picked from commit ace8cb1) Conflicts: admin/doc-requirements.txt admin/build-doc

Hopefully a more future-proof fix, removing the dependency on ajax and searchtools.js altogether. (After loading, searchindex.js itself does depend on searchtools.js, but both are updated with the version of sphinx that is used, unlike this template.) Because the script is loaded with `defer` and also right at the end of the body, the size of searchindex.js should not block loading the rest of the page (one of the arguments for using ajax).

shimizukawa added type:enhancement enhance or introduce a new feature builder:html html theme labels Apr 12, 2017

shimizukawa added this to the 2.0 milestone Apr 12, 2017

rudolphfroger mentioned this issue Apr 13, 2017

Content Security Policy readthedocs/readthedocs.org#2793

Closed

This was referenced Dec 13, 2017

Move DOCUMENTATION_OPTIONS to external JS for purposes of CSP readthedocs/sphinx_rtd_theme#500

Closed

#3620: move basic theme's DOCUMENTATION_OPTIONS to js_t #4295

Closed

tk0miya closed this as completed in de023f2 Jan 14, 2018

tk0miya modified the milestones: 2.0, 1.7 Jan 14, 2018

ghost mentioned this issue Jan 14, 2018

Content Security Policy support readthedocs/sphinx_rtd_theme#414

Closed

ghost mentioned this issue Feb 21, 2019

#3620: Defer searchindex.js rather than loading it via ajax #6091

Merged

tk0miya added a commit that referenced this issue Feb 25, 2019

Merge pull request #6091 from remyabel/3620_defer_searchindex

e049f86

#3620: Defer searchindex.js rather than loading it via ajax

tchaikov mentioned this issue Aug 7, 2019

admin/build-doc: use python3 ceph/ceph#29528

Merged

jkromwijk mentioned this issue Nov 10, 2019

Fix searchindex.js loading when ajax fails (because e.g. CORS in embedded iframes) matplotlib/matplotlib#15649

Merged

github-actions bot locked as resolved and limited conversation to collaborators Aug 7, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Content Security Policy #3620

Content Security Policy #3620

rudolphfroger commented Apr 12, 2017

shimizukawa commented Apr 12, 2017

rudolphfroger commented Apr 12, 2017

shimizukawa commented Apr 12, 2017

ghost commented Nov 27, 2017

tk0miya commented Jan 14, 2018 •

edited

Loading

jumarko commented Feb 19, 2019

ghost commented Feb 21, 2019

ghost commented Feb 21, 2019

Content Security Policy #3620

Content Security Policy #3620

Comments

rudolphfroger commented Apr 12, 2017

Problem

Procedure to reproduce the problem

Expected results

Environment info

shimizukawa commented Apr 12, 2017

rudolphfroger commented Apr 12, 2017

shimizukawa commented Apr 12, 2017

ghost commented Nov 27, 2017

tk0miya commented Jan 14, 2018 • edited Loading

jumarko commented Feb 19, 2019

ghost commented Feb 21, 2019

ghost commented Feb 21, 2019

tk0miya commented Jan 14, 2018 •

edited

Loading