Forum OpenACS Development: Where do I setup CSP Policies (new security improvement)?

Hi,

Testing a localhost setup [1], I've seen a lot of notice log entries [2] reporting CSP violations (in my setup these were typically blocked external URIs). Where do I set up CSP policies for OpenACS?

Thanks,
Cesáreo

[1] OpenACS version 5.9.1d18 / NaviServer 4.99.13d1 / PostgreSQL 9.6.0

[2] [12/Oct/2016:12:33:21][5436.700000629000][-conn:g:0-] Notice: CSP violation: {"csp-report":{"document-uri":"http://localhost/forums/message-post","referrer":"http://localhost/forums/message-post","violated-directive":"img-src 'self'","effective-directive":"img-src","original-policy":"default-src 'self';font-src 'self' data:;img-src 'self';report-uri /SYSTEM/csp-collector.tcl;script-src 'self' 'nonce-2032305293FA3B16E3804B586AC31E9DD3A6B6FF';style-src 'self' 'unsafe-inline';","blocked-uri":"http://ipv6-test.com/button-ipv6-80x15.png","status-code":200}} user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 user_id 699 peer 127.0.0.1

[3] It's a "Security Improvement" in the OpenACS 5.9.1 todo: http://www.openacs.org/xowiki/openacs-todo
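The notice line in [2] carries the browser's CSP report as JSON followed by free text (user-agent, user_id, peer), so a plain JSON load of the whole line fails. The following is an added example (not OpenACS or NaviServer code; the function names and the two extra sample lines are constructed here) that pulls the report out of such lines, tells external hosts apart from 'inline'/'eval' style tokens and from the page's own origin, and tallies what would have to be whitelisted:

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Text that precedes the JSON body in the NaviServer notice line quoted above.
MARKER = "CSP violation: "

def _line(report):
    """Build a notice line in the shape of the one posted (prefix/trailer are
    copied from that line; the report dict is what varies)."""
    return ("[12/Oct/2016:12:33:21][5436.700000629000][-conn:g:0-] Notice: "
            + MARKER + json.dumps({"csp-report": report}, separators=(",", ":"))
            + " user-agent: Mozilla/5.0 user_id 699 peer 127.0.0.1")

DOC = "http://localhost/forums/message-post"

# Constructed sample input: the report from the post, plus two made-up ones
# (a gravatar image and an inline script) and one unrelated notice line.
SAMPLE_LINES = [
    _line({"document-uri": DOC, "referrer": DOC,
           "violated-directive": "img-src 'self'", "effective-directive": "img-src",
           "original-policy": "default-src 'self';img-src 'self';report-uri /SYSTEM/csp-collector.tcl;",
           "blocked-uri": "http://ipv6-test.com/button-ipv6-80x15.png", "status-code": 200}),
    _line({"document-uri": DOC, "effective-directive": "img-src",
           "blocked-uri": "http://www.gravatar.com/avatar/md5?size=35&d=mm", "status-code": 200}),
    _line({"document-uri": DOC, "effective-directive": "script-src",
           "blocked-uri": "inline", "status-code": 200}),
    "[12/Oct/2016:12:33:22][5436.700000629000][-conn:g:0-] Notice: nothing to see here",
]

def parse_csp_report_line(line):
    """Return (report_dict, trailing_text) for a CSP violation notice, else None.
    raw_decode stops at the end of the JSON object, so the trailer survives."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    start = idx + len(MARKER)
    obj, end = json.JSONDecoder().raw_decode(line, start)
    report = obj.get("csp-report", obj)   # the report is wrapped in "csp-report"
    return report, line[end:].strip()

def classify(report):
    """Map a report to (effective-directive, kind, detail).
    kind is 'self' or 'external' for URL-valued blocked-uri, otherwise the
    bare token the browser sent ('inline', 'eval', 'data', ...)."""
    doc_host = urlparse(report.get("document-uri", "")).netloc
    blocked = report.get("blocked-uri", "")
    parsed = urlparse(blocked)
    if parsed.scheme and parsed.netloc:
        kind = "self" if parsed.netloc == doc_host else "external"
        return report.get("effective-directive"), kind, parsed.netloc
    return report.get("effective-directive"), blocked or "unknown", blocked

def summarize(lines):
    """Count violations per (directive, kind, host/token); non-CSP lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_csp_report_line(line)
        if parsed is None:
            continue
        counts[classify(parsed[0])] += 1
    return counts

def external_hosts(counts):
    """Sorted external hosts: the candidates for a source-list whitelist entry."""
    return sorted({host for (_, kind, host) in counts if kind == "external"})

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key, n in sorted(summary.items()):
        print(n, key)
    print("external hosts:", external_hosts(summary))
```

Note that Chrome 53 (the user-agent in the log) reports the full blocked URL; newer browsers report only the origin, which the `urlparse` handling above covers as well. Whether a host in `external_hosts` belongs in the policy is a judgement call per page, not something to automate from the reports.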

CSPs are a work in progress, and should be part of the forthcoming OpenACS 5.8.1 release. Due to recent changes, OpenACS has a CSP generator, which can produce for every page a potentially different CSP based on the requirements of the page. If one is using e.g. richtext editors, one has to allow the directive 'unsafe-eval' for script-src, which one should not use in general. However, the usage of a richtext editor on some pages should not force the usage of this permissive CSP for the whole site; therefore one needs tailored CSPs. By using these automatically generated content security policies, OpenACS.org receives from securityheaders.io an A+ rating [1].

In general, the usage of the content security policy generator can be controlled via the kernel parameter CSPEnabledP, where it can be turned on or off.

In your particular case, it looks to me as if you have updated acs-core, but not the openacs-bootstrap3-theme package. Can this be the case?

all the best
-gn

[1] https://securityheaders.io/?q=openacs.org&hide=on&followRedirects=on
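To make the per-page idea in the reply above concrete, here is an added example (not the OpenACS generator, whose Tcl API is not shown on this page; the class and method names `PageCSP`, `require`, `header`, `script_tag` are hypothetical). It starts every request from the site-wide policy seen in the log, lets a page add what it needs (a richtext page gets 'unsafe-eval', a page with gravatars gets the gravatar host), issues a fresh script nonce per request, and honours an enabled flag in the spirit of CSPEnabledP:

```python
import secrets

# Site-wide baseline, taken from the "original-policy" in the log above.
DEFAULT_POLICY = {
    "default-src": ["'self'"],
    "font-src": ["'self'", "data:"],
    "img-src": ["'self'"],
    "report-uri": ["/SYSTEM/csp-collector.tcl"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
}

# Sources that would void a nonce-based script policy; refused outright.
FORBIDDEN = {("script-src", "*"), ("script-src", "'unsafe-inline'")}

def is_forbidden(directive, source):
    return (directive, source) in FORBIDDEN

class PageCSP:
    """Policy for one request: baseline copy + page-specific additions + nonce."""

    def __init__(self, enabled=True, base=DEFAULT_POLICY):
        self.enabled = enabled
        # 40 uppercase hex chars, same shape as the nonce in the logged policy.
        self.nonce = secrets.token_hex(20).upper()
        # Copy the lists so one page's require() never leaks into the baseline.
        self.directives = {k: list(v) for k, v in base.items()}

    def require(self, directive, *sources):
        """Add sources a page needs, e.g. 'unsafe-eval' for a richtext editor."""
        bucket = self.directives.setdefault(directive, [])
        for src in sources:
            if is_forbidden(directive, src):
                raise ValueError(f"{src} is not allowed in {directive}")
            if src not in bucket:
                bucket.append(src)
        return self

    def header(self):
        """Content-Security-Policy value, or None when the generator is off."""
        if not self.enabled:
            return None
        parts = []
        for directive in sorted(self.directives):
            sources = list(self.directives[directive])
            if directive == "script-src":
                sources.append(f"'nonce-{self.nonce}'")
            parts.append(f"{directive} {' '.join(sources)}")
        return ";".join(parts) + ";"

def script_tag(page, js):
    """Inline script that the page's own policy permits via the nonce."""
    return f'<script nonce="{page.nonce}">{js}</script>'

if __name__ == "__main__":
    plain = PageCSP()
    rich = PageCSP().require("script-src", "'unsafe-eval'")
    avatars = PageCSP().require("img-src", "https://www.gravatar.com")
    for name, page in [("plain", plain), ("richtext", rich), ("avatars", avatars)]:
        print(name, "->", page.header())
    print(script_tag(plain, "console.log('allowed by nonce')"))
    print("disabled ->", PageCSP(enabled=False).header())
```

The point is in the three printed headers: only the richtext page carries 'unsafe-eval' and only the avatar page carries the gravatar host, while every page gets its own nonce that the page's inline scripts must echo in `nonce="..."`. The report-uri stays in all three so violations keep flowing to the collector.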

I used openacs-core from git and openacs-bootstrap3 from git too. It seems to be updated. Also I could (after disabling CSPEnabledP) upgrade all packages from the repository.

I had to change the bootstrap shared parameters to serve CSS and JS from the local filesystem to avoid any blocked URI. Now I have some minor blocked URIs [1], but some are major problems [2].

By the way, this is really an amazing work and a big security improvement 😉

[1] http://www.gravatar.com/avatar/md5?size=35&d=mm , http://ipv6-test.com/button-ipv6-80x15.png
[2] In this setup, for example, I could not install packages from the official OpenACS repositories.

The git repositories are updated every night (MET). Bootstrap has changed its preferred CDN from netdna.bootstrapcdn.com to maxcdn.bootstrapcdn.com (see [1]). If one has an installation older than this change, this is probably the problem. I'll try to make an update script for this.

Concerning gravatar: if you have the version from GitHub, this should be fine (see [2]). However, if one is doing an "install from repository", one gets the "last released" version of the branch (with an appropriate tag). So far, I think nobody has released any version depending on CSPs to the release channels. The mixed versions might explain the problems.

all the best
-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-9%3Agustafn%3A20160912114338
[2] http://cvs.openacs.org/browse/OpenACS/openacs-4/packages/openacs-bootstrap3-theme/resources/widgets/login.tcl?r=1.1.2.2#to22

Hi,

As you said before, the problem is that I had an old version of bootstrap-theme (Version 1.1 - HEAD). I had thought that the git repository was updated with the latest changes (now version 1.1.2.3).

I realize that now, trying to do "git pull" I don't see these updates.

Perhaps it's a better setup strategy to use only openacs-core from git and install/upgrade from the OpenACS repositories. I didn't do that because of CSP violations; now, changing the kernel parameter, I know how to overcome it. I'll try again 😉

[1] http://cvs.openacs.org/browse/OpenACS/openacs-4/packages/openacs-bootstrap3-theme/resources/masters/plain-master.tcl#r1.1.2.2

I realize that now, trying to do "git pull" I don't see these updates.

Notice that you should switch on GitHub (or after the "git clone") to the "oacs-5-9" branch to see the actual updates on these packages (see [1]). For some of the OpenACS packages, "oacs-5-9" is preselected, for some just "master". There seems to be no easy way for bulk changes in the package setups.

-gn

[1] https://github.com/openacs/openacs-bootstrap3-theme/tree/oacs-5-9