Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set Content-Security-Policy rules through RoR's config #8957

Merged
merged 2 commits into from
Oct 11, 2018

Conversation

ClearlyClaire
Copy link
Contributor

@ClearlyClaire ClearlyClaire commented Oct 11, 2018

This is ported from glitch-soc, where this seems to work.
It may have been insufficiently tested with some configurations, though.

@Gargron Gargron merged commit 2d27c11 into mastodon:master Oct 11, 2018
@33b5e5
Copy link

33b5e5 commented Oct 11, 2018

FYI, this change causes an error with embeds from external instances:

Content Security Policy: The page’s settings blocked the loading of a resource at https://toot-lab.reclaim.technology/embed.js (“script-src”).

Loading failed for the <script> with source “https://toot-lab.reclaim.technology/embed.js”.

To reproduce, find a toot with media that's from an instance other than your own, then choose "embed" from the ... overflow menu. You can view the errors in the console.

I used this toot for the example: https://toot-lab.reclaim.technology/@djsundog/100879221677869657 but you'll need to find one from your timeline in order to get the "embed" option.

I'm not sure how much it matters though? I almost feel like blocking third party JS here is a feature. I can live without external formatting.

@33b5e5
Copy link

33b5e5 commented Oct 11, 2018

This is probably much worse: the change also prevents media from loading from object storage.

Content Security Policy: The page’s settings blocked the loading of a resource at https://s3.us-west-1.wasabisys.com/REDACTED/FILENAME.mp4 (“media-src”).

I can think of multiple ways to resolve that, including by proxying the media, but it seems bad to have a default CSP that breaks external S3 storage.

@nightpool
Copy link
Member

media_src includes assets_host by default, so i'm not sure what the problem could be there. Maybe there's a difference in asset_host and paperclip configuration?

@33b5e5
Copy link

33b5e5 commented Oct 11, 2018

Adding :https to the media_src policy seems to resolve the issue without compromising much. https://observatory.mozilla.org gives an A+ score with or without the :https.

p.media_src :self, :https, :data, assets_host

@33b5e5
Copy link

33b5e5 commented Oct 11, 2018

@nightpool I'm not sure, but as far as I can tell, assets_host only references my instance's hostname and not the S3 hostname.

@ClearlyClaire
Copy link
Contributor Author

Oh yeah, sorry, I have forgot a few fixes. Gonna push them.

@rugk
Copy link

rugk commented Nov 10, 2018

So has this been tested with https://csp-evaluator.withgoogle.com/ or other tools?

@ClearlyClaire
Copy link
Contributor Author

@rugk yes. I invite you to try out yourself with one of the many 2.6.1 instances out there.
It could probably be made stricter thanks to CSP2 hash/nonces or CSP3 strict-dynamic, but this would involve more webpack trickery than I know of.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants