Forum OpenACS Development: Re: Where do I setup CSP Policies (new security improvement)?

I used openacs-core from git and openacs-bootstrap3 from git too. It seems to be updated. Also I could (after disabling CSPEnabledP) upgrade all packages from the repository.

I had to change the bootstrap shared parameters to serve CSS and JS from the local filesystem to avoid any blocked URI. Now I have some minor blocked URIs [1], but some are major problems [2].

By the way, this is really an amazing work and a big security improvement 😉

[1] http://www.gravatar.com/avatar/md5?size=35&d=mm , http://ipv6-test.com/button-ipv6-80x15.png
[2] In this setup, for example, I could not install packages from the official OpenACS repositories.
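The two blocked URIs above are the kind of thing a CSP checker can predict before the browser console does. The following is an added example, not code from this post or from OpenACS: a small Python implementation of the CSP host-source matching rules ('self', 'none', '*', scheme:, host[:port][/path], *.host wildcards) applied to the URLs listed above plus the Bootstrap CDN hosts the thread mentions. The site origin openacs.example, the Bootstrap file paths and the three policy strings are constructed for the example, not taken from any OpenACS configuration.

```python
"""Offline check of which resource URLs a Content-Security-Policy would block.

Added example, not OpenACS code. Implements the CSP level 2 source-matching
rules for the common cases. Nonces, hashes and 'unsafe-*' keywords never match
a fetched URL, which is the correct behaviour for external resources.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}
DIRECTIVE_FOR = {"img": "img-src", "script": "script-src", "style": "style-src"}

# Constructed sample: a hypothetical site origin plus the URLs the post reports
# as blocked and the Bootstrap CDN host gn mentions (file paths are made up).
PAGE_ORIGIN = "https://openacs.example"
RESOURCES = [
    ("img", "http://www.gravatar.com/avatar/md5?size=35&d=mm"),
    ("img", "http://ipv6-test.com/button-ipv6-80x15.png"),
    ("script", "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"),
    ("style", "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"),
    ("script", "https://openacs.example/resources/acs-subsite/core.js"),
]


def parse_policy(policy):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def origin(url):
    """scheme://host[:port], with default ports dropped, as 'self' compares it."""
    p = urlparse(url)
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def source_matches(source, url, page_origin):
    """True if one CSP source expression permits loading url from page_origin."""
    src = source.lower()
    u, page = urlparse(url), urlparse(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(url) == origin(page_origin)
    if src.startswith("'"):            # 'unsafe-inline', nonces, hashes
        return False
    if src == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":"):              # scheme-source such as "https:"
        return u.scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = (src.split("://", 1) if "://" in src else (None, src))
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    # Scheme: explicit scheme must match (http may upgrade to https);
    # without one the page's scheme applies, with the same upgrade rule.
    want = scheme if scheme is not None else page.scheme
    if u.scheme != want and not (want == "http" and u.scheme == "https"):
        return False
    url_host = (u.hostname or "").lower()
    if host.startswith("*."):
        if not (url_host.endswith(host[1:]) and len(url_host) > len(host[1:])):
            return False
    elif host != "*" and url_host != host:
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if port == "":
        if url_port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and url_port != int(port):
        return False
    if path:                           # "/dir/" is a prefix, "/file" is exact
        if path.endswith("/"):
            return u.path.startswith("/" + path)
        return u.path == "/" + path
    return True


def blocked_uris(policy, page_origin, resources):
    """Return the (kind, url) pairs the policy would refuse to load."""
    directives = parse_policy(policy)
    blocked = []
    for kind, url in resources:
        sources = directives.get(DIRECTIVE_FOR[kind], directives.get("default-src"))
        if sources is None:            # no directive at all: unrestricted
            continue
        if not any(source_matches(s, url, page_origin) for s in sources):
            blocked.append((kind, url))
    return blocked


# Constructed policies: a strict one, one that allows the hosts from the post,
# and the same policy still naming the CDN host Bootstrap moved away from.
STRICT = "default-src 'self'"
LOOSENED = ("default-src 'self'; "
            "img-src 'self' http://www.gravatar.com http://ipv6-test.com; "
            "script-src 'self' https://maxcdn.bootstrapcdn.com; "
            "style-src 'self' https://maxcdn.bootstrapcdn.com")
OLD_CDN = LOOSENED.replace("maxcdn", "netdna")

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("loosened", LOOSENED), ("old CDN", OLD_CDN)):
        print(name, blocked_uris(policy, PAGE_ORIGIN, RESOURCES))
```

Running it shows the strict policy blocking all four external resources, the loosened one blocking nothing, and the stale-CDN policy blocking exactly the two Bootstrap files, which is the failure mode gn describes below when a policy still names netdna.bootstrapcdn.com after the theme switched to maxcdn.bootstrapcdn.com. A wildcard source such as https://*.bootstrapcdn.com would survive that rename, at the cost of trusting every host under that domain.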

The git repositories are updated every night (MET). Bootstrap has changed its preferred CDN from netdna.bootstrapcdn.com to maxcdn.bootstrapcdn.com (see [1]). If one has an installation older than this change, this is probably the problem. I'll try to make an update script for this.

Concerning gravatar: if you have the version from GitHub, this should be fine (see [2]). However, if one is doing an "install from repository", one gets the "last released" version of the branch (with an appropriate tag). So far, I think nobody has released any version depending on CSPs to the release channels. The mixed version might explain the problems.

all the best
-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-9%3Agustafn%3A20160912114338
[2] http://cvs.openacs.org/browse/OpenACS/openacs-4/packages/openacs-bootstrap3-theme/resources/widgets/login.tcl?r=1.1.2.2#to22

Hi,

As you said before, the problem is that I had an old version of bootstrap-theme (Version 1.1 - HEAD). I had thought that the git repository was updated with the latest changes (now version 1.1.2.3).

I realize now that, trying to do "git pull", I don't see these updates.

Perhaps it's a better setup strategy to use only openacs-core from git and install/upgrade from the OpenACS repositories. I didn't do that because of the CSP violations; now, by changing the kernel parameter, I know how to overcome it. I'll try again 😉

[1] http://cvs.openacs.org/browse/OpenACS/openacs-4/packages/openacs-bootstrap3-theme/resources/masters/plain-master.tcl#r1.1.2.2

I realize that now, trying to do "git pull" I don't see these updates.

Notice that you should switch on GitHub (or after the "git clone") to the "oacs-5-9" branch to see the actual updates on these packages (see [1]). For some of the OpenACS packages, "oacs-5-9" is preselected, for some just "master". There seems to be no easy way for bulk changes in the package setups.

-gn

[1] https://github.com/openacs/openacs-bootstrap3-theme/tree/oacs-5-9