Comments (16)
Fixed with 660bd39
from rockylinux.org-hugo.
Hi, thanks for implementing this change. However, what you implemented adds no security benefit at all.
"unsafe-inline" is effectively zero protection. You need to whitelist the resources the site uses and move any inline javascript to external files. I'll be happy to add a PR later, but not right now.
from rockylinux.org-hugo.
@remyabel As mentioned previously, we're using Hugo to generate values in the JavaScript, and Hugo templating cannot be used in JavaScript, unfortunately, meaning we'd need to hardcode the values, which won't be sustainable for various reasons.
While I appreciate the concern, the site doesn't really load any external resources (other than links), so this effectively shouldn't be a problem. I think this StackOverflow user explains it quite well: https://stackoverflow.com/a/44698400
We're happy to get your contributions towards improving the policy otherwise, though! Just keep in mind that the way we're generating the values into the JavaScript wouldn't be sustainable any other way. :))
from rockylinux.org-hugo.
@remyabel As mentioned previously, we're using Hugo to generate values in the JavaScript, and Hugo templating cannot be used in JavaScript, unfortunately, meaning we'd need to hardcode the values, which won't be sustainable for various reasons.
What you did was hard-code it in the index.html file, but this article shows how you can generate it from Hugo. And a whitelist is going to involve hard-coding. It is a whitelist after all. I'm sure you can programmatically add to the whitelist but that's beyond the scope of this discussion.
While I appreciate the concern, the site doesn't really load any external resources (other than links), so this effectively shouldn't be a problem. I think this StackOverflow user explains it quite well: https://stackoverflow.com/a/44698400
XSS is only one attack vector and not the only one. As I said earlier, static websites can still suffer from data injection attacks. This is exactly why I run NoScript in my browser, but in order for your site to actually be usable, users are going to enable JavaScript and that's why a content security policy is important. You're also forgetting about the dangers of an attack vector via CDN (however unlikely this is, this is why hashes and cross-origin policies are used which you are missing for alpinejs). Either way, it takes very little effort to implement for huge benefit.
from rockylinux.org-hugo.
On a side note, these are the recommendations from the Fedora Infrastructure Application Security Policy. There's no harm in implementing these either.
from rockylinux.org-hugo.
What you did was hard-code it in the index.html file, but this article shows how you can generate it from Hugo. And a whitelist is going to involve hard-coding. It is a whitelist after all. I'm sure you can programmatically add to the whitelist but that's beyond the scope of this discussion.
Are you referring to the header? I'm not talking about hard-coding the CSP values, I'm talking about hardcoding the JavaScript data generated by Hugo.
Feel free to open a PR later and link this issue. I'm not against a CSP, I just think you misunderstood what I was talking about in terms of the inline JavaScript.
from rockylinux.org-hugo.
A hash for the inline JavaScript would be sufficient in this case, I would think, though.
from rockylinux.org-hugo.
I realize I didn't come across quite clearly. Basically we have Hugo generating some of the data in the inline JavaScript. Due to this, every time someone adds a new language to our site, the data changes. This will prevent us from creating a hash for the inline JavaScript without updating it for every PR. Does that make sense?
We're using StaticDeploy to deploy the site, so maybe @hbjydev can see if there's a better way to handle it on that side of things.
from rockylinux.org-hugo.
Really the only valid option would be to use a nonce at this point.
from rockylinux.org-hugo.
Well, I started improving the header inline, but I think I've hit a roadblock. Alpine.JS requires eval to function, and would force us to use "unsafe-eval".
from rockylinux.org-hugo.
For reference: theNewDynamic/thenewdynamic.com#110
from rockylinux.org-hugo.
From reading the issue linked in the aforementioned issue, it appears that they will implement measures in v3 to prevent issues with CSP, but for now we'll be forced to use 'unsafe-eval'.
from rockylinux.org-hugo.
I went ahead and implemented 3c8f349. Let me know if you have any suggested improvements. I think as long as we're using the nonce it should be fine. At least, much safer from attacks than otherwise not having it implemented.
from rockylinux.org-hugo.
For the inline JavaScript a few approaches come to mind:
- Enforce changing the hash whenever adding a new language. Sure this is annoying, but no different than enforcing i.e linting changes. Since the hash will no longer match it will be immediately obvious when it breaks
- Automate/script it somehow
- Use Hugo Pipes to process the JavaScript. I'm not familiar with Hugo but this looks the most relevant
As for nonce vs hash, a nonce has to be regenerated on every HTTP request, it can't just be hard-coded like here. So we need to use a hash anyway unless you decide to add server-side CSP support.
from rockylinux.org-hugo.
I'm sorry, but I fail to see why we would need CSP support in this project. @remyabel Can you enlighten me here? It's a completely static site with no backend, so there's no risk in terms of data unless the end user has installed a virus that hacks its host through JavaScript files in a specific browser, which for everyone is extremely unlikely.
And plus, anything that we have to 'enforce' or do manually is strictly off the table. We're going to be using Weblate for our translations, so anything that requires us to manually add something prevents us from managing it in a sustainable way, which we desperately need to do given the scope of this and number of contributors.
If you can explain to me why we need CSP on a 100% static website, then I'll re-open this. But until then, I'm marking this as wontfix, because I fail to see why it's necessary.
from rockylinux.org-hugo.
It doesn't matter if it's a static website or not. It was already pointed out that alpinejs requires unsafe-eval
which is an XSS vector. I also don't really consider the likelihood of a vulnerability to be that big of a factor. I lock my front door to keep people out no matter how unlikely it is that someone will break in.
Anyway, I understand that based on the reasoning you gave implementing this change will be painful so I'll concede.
from rockylinux.org-hugo.
Related Issues (20)
- Internationalisation doesn't work on the static content system HOT 6
- Added Catalan language support
- Typo for the Italian language
- Ukrainian and Swedish translations deleted HOT 2
- Comment system implementation HOT 3
- promote link to forums in the top navbar
- Add a sponsors page HOT 2
- i18/de typo HOT 1
- Update Slack logo on the website footer HOT 1
- Publish Donations page HOT 1
- Add button on donation page for logins HOT 1
- Update copyright date on website footer to 2021 HOT 1
- license issue HOT 1
- Incompatible small screen display in the donation page HOT 1
- Language Picker Dropdown Doesn't Work HOT 1
- Add 'Press' page to website HOT 4
- RSS feed disoverability
- Sponsor bar colour incorrect HOT 7
- Update donations link on homepage HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rockylinux.org-hugo.