Content Security Policy and inline scripts

Started by Kuubs, November 27, 2020, 14:28:53 PM


Kuubs

Hello,

I'm trying to add CSP to my Virtuemart installation, but there are a couple of inline scripts that need some sort of hash to add it to the header. I tried using a plugin:

https://github.com/zero-24/plg_system_httpheader

But the inline scripts don't get a hash with them, so the content policy still blocks them. Has someone successfully implemented CSP in their Virtuemart installation?

sirius

Sorry, at this time of writing, github is down.

Anyway, I suppose this plugin just helps to put some csp code in the header.
But this is not the only thing to do, you must provide the hash of the file and put it next to the file that should be included in your code.

Just look here for reference : https://content-security-policy.com/hash/
Here for hash of your files : https://zinoui.com/tools/csp-hash
You can also try some "assistant" to help to implement, just this one for example: https://addons.mozilla.org/fr/firefox/addon/csp-generator/

J3.10.12 | PHP 7.4.33 + APC + memcached + Opcode
VM Prod : 3.8.6 | VM Test : 4.0.12.10777
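The hash approach sirius links to covers the inline script's text exactly as the browser receives it (everything between `<script>` and `</script>`, whitespace included), not the name of a file. The following is an added example, not code from the thread or from the plugin mentioned above: it pulls every inline script out of a constructed page fragment, computes the CSP hash-source for each, and assembles the `script-src` directive. The sample HTML and the `shop.example` URL are assumptions for illustration.

```python
import base64
import hashlib
import re

# Constructed sample page (assumption): two inline scripts of the kind a shop
# template typically emits. Not taken from Virtuemart.
SAMPLE_HTML = """<html><head>
<script>
  var vmSiteurl = "https://shop.example/";
</script>
</head><body>
<script type="text/javascript">jQuery(function($){ $('.vm-cart').show(); });</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def inline_script_bodies(html):
    """Return the text between each <script ...> and </script>, byte-for-byte as served.

    Browsers hash the raw body, so leading/trailing newlines and indentation are part
    of it; a template that re-indents the script invalidates the hash.
    """
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def csp_hash(script_body, algo="sha256"):
    """Compute the CSP hash-source ('sha256-<base64>') for one inline script body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP accepts only sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def script_src_directive(html, extra_sources=("'self'",), algo="sha256"):
    """Build a script-src directive that allows the given sources plus every inline script in html."""
    sources = list(extra_sources) + [csp_hash(body, algo) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(sources)


def header_value(html):
    """Full header line; 'unsafe-inline' is deliberately absent."""
    return "Content-Security-Policy: default-src 'self'; " + script_src_directive(html)


if __name__ == "__main__":
    print(header_value(SAMPLE_HTML))
```

Because any change to the script text changes the hash, this only works when the inline scripts are static; scripts that embed per-request values (a session token, a cart id) get a new hash on every response, which is why a plugin that emits a fixed policy cannot cover them.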

Kuubs

Quote from: sirius on November 27, 2020, 15:25:23 PM
Sorry, at this time of writing, github is down.

Anyway, I suppose this plugin just helps to put some csp code in the header.
But this is not the only thing to do, you must provide the hash of the file and put it next to the file that should be included in your code.

Just look here for reference : https://content-security-policy.com/hash/
Here for hash of your files : https://zinoui.com/tools/csp-hash
You can also try some "assistant" to help to implement, just this one for example: https://addons.mozilla.org/fr/firefox/addon/csp-generator/

I understand, but I presume this would go automatically.

But after doing some more extensive research I think removing all the inline scripts is the best thing to do here. Is that even a possibility? Certain inline scripts can easily be moved to a javascript file. Is this something the Virtuemart team is considering?

I now have a working CSP header myself, only the inline scripts are now a problem. I can use the unsafe-inline but that defeats the purpose of the CSP. I want to clean it all up.
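Besides moving scripts into files, the other standard way to keep inline scripts without `'unsafe-inline'` is a per-response nonce: the server generates a random value for each response, stamps it on every inline `<script>` tag it emits, and lists the same value in the header. The block below is an added example, not code from this thread or from Virtuemart; the page fragment and the `shop.example` URL are constructed assumptions. It also classifies an existing header the way a CSP level 2+ browser does, which is the check worth running on the header Kuubs already has.

```python
import re
import secrets

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def make_nonce():
    """128 bits from the OS CSPRNG, base64url encoded; generate a fresh one per HTTP response."""
    return secrets.token_urlsafe(16)


def render_page(nonce):
    """Constructed fragment (assumption). The first tag carries the nonce; the second was
    'forgotten' by the template, which is the usual reason a nonce rollout still blocks scripts."""
    return (f'<script nonce="{nonce}">var vmSiteurl = "https://shop.example/";</script>\n'
            '<script>jQuery(function($){ $(".vm-cart").show(); });</script>')


def csp_header(nonce):
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def parse_directives(header):
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_script_mode(header):
    """How inline scripts are treated under this policy (script-src, else default-src).

    Per CSP level 2 and later, a nonce or hash in the directive makes the browser
    ignore 'unsafe-inline', so the three outcomes are mutually exclusive.
    """
    directives = parse_directives(header)
    sources = [s.lower() for s in directives.get("script-src", directives.get("default-src", []))]
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return "nonce-or-hash"
    if "'unsafe-inline'" in sources:
        return "unsafe-inline"
    return "blocked"


def unnonced_scripts(html, nonce):
    """Opening <script> tags for inline scripts whose nonce is missing or wrong.

    External scripts (with a src attribute) are skipped: 'self' already covers them.
    """
    missing = []
    for match in SCRIPT_TAG_RE.finditer(html):
        attrs = match.group(1)
        if SRC_ATTR_RE.search(attrs):
            continue
        found = NONCE_ATTR_RE.search(attrs)
        if found is None or found.group(1) != nonce:
            missing.append(match.group(0))
    return missing


if __name__ == "__main__":
    nonce = make_nonce()
    page = render_page(nonce)
    print("Content-Security-Policy:", csp_header(nonce))
    print("mode:", inline_script_mode(csp_header(nonce)))
    print("would be blocked:", unnonced_scripts(page, nonce))
```

The nonce must never be reused across responses and must not be guessable, otherwise it is no better than `'unsafe-inline'`; a page cache that stores the rendered HTML together with a fixed nonce reintroduces exactly that problem.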

sirius

You know CSP is another security layer.
CSP is a good point to protect distant scripts, because if DNS poisoning occurs or a MITM at the source of your file (any distant libraries for example), it could replace the script loaded on your site.
It's always better to reach maximum security, but if your inline script gets hacked it would mean that your entire site or whole server is compromised.

And putting inline scripts into a file, well I don't know, it's at the dev's discretion. But for some, if they are inline that's in most cases for a good reason.

regards