Content Security Policy (CSP) Header not set #1816
stuck! When I add the deprecated
Then the Firefox browser creates 3 POST transactions (that fail on 403/404/500 with various tweaks). Chrome, Edge, and Opera do not create a POST transaction. When I add the
Then Firefox, Chrome, Edge, and Opera do not create a POST xaction. Going into Firefox I think the goal is to create a "Content-Security-Policy" and add support for an incoming POST with a contenttype of either "application/csp-report" or "application/reports+json". A well-written Content-Security-Policy will create no POST transactions. Wiki admins may view the CSP reports and delete files should there be many long reports. Wiki admins can turn off CSP reporting in wikiconfig.py. Since most of the work is performed in the client-side browser there will be no performance hit.
I did a short test with Chromium version 131 on Ubuntu, adapted your template for report-uri above and added a route ' As a result, there are 2 findings for the 'Home' item (the 'Welcome' page). The first log entry is:
Line 392 in the HTML source is
This is the changed code, partially copied from https://github.com/finalduty/csp-report-collector/blob/main/src/csp_report_collector.py:
The report-uri above will fail for any namespace other than 'default'.
@UlrichB22 Thanks, that is much better. Assuming you agree moin should have CSP headers, would you finish this issue? Seems I have many busy days with no time for moin lately.
I can try, but will also need some time. It will be a simple solution with standard logging and a limit of messages per hour or day to avoid spamming in the logs. Maybe you can help with testing afterwards as I can only test browsers on Linux 😉
Thanks, will be ready to help. So far Chrome, Opera, and Edge are consistent in the sequence of the cspreport fields, Firefox outputs a different sequence.
One of the warning messages produced by a ZAP run against 127.0.0.1 is that the "Content Security Policy (CSP) Header not set"
See #318
One way to set the CSP headers is to insert something like the following into src/moin/apps/frontend/views.py:
where the above needs work, pretty names, move headers to wikiconfig.py, do same/similar for admin views etc.
The first problem encountered from above is the browser tries to PUT a JSON-formatted report to csp-report-url resulting in a 404.
Adding a text item named csp-report-url eliminates the 404 and returns a 200, but the write fails silently in moin code with nothing updated. The silent failure is possibly because the contenttype of the browser post is application/csp-report. See
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html,
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only,
and Google for other sources.
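The two pieces this thread circles around (setting the header on every response, and a route that accepts the browser's report POST with either "application/csp-report" or "application/reports+json" and logs it with a per-hour cap) fit in one small program. The block below is an added example written for this page, not moin's code: it is a plain standard-library WSGI app rather than a Flask view, the policy string, the `/csp-report` path, the 64 KiB body cap and the sample reports are all constructed, and the limiter is the "limit of messages per hour" idea from the comments, implemented as a sliding window. It also goes a step beyond the thread by handling both report formats in one parser and sorting keys when logging, so the Firefox and Chromium field-order difference noted above does not matter.

```python
"""Constructed example: CSP header plus report endpoint as a plain WSGI app."""
import io
import json
import logging
import time
from collections import deque

log = logging.getLogger("csp")

# Constructed policy, not moin's; tighten per site. report-uri is the legacy
# mechanism the browsers on this page POST to; Chromium-family browsers may
# also batch reports via the Reporting API (application/reports+json).
CSP_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; frame-ancestors 'none'; report-uri /csp-report"
)
REPORT_PATH = "/csp-report"                       # assumed route name
ACCEPTED_TYPES = ("application/csp-report", "application/reports+json")
MAX_REPORT_BYTES = 64 * 1024   # cap what an unauthenticated client can make us read


def normalize_reports(content_type, body):
    """Return a list of violation dicts, None for an unsupported media type,
    or raise ValueError when the body is not the JSON shape we expect."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media not in ACCEPTED_TYPES:
        return None
    data = json.loads(body)  # raises ValueError on malformed JSON
    if media == "application/csp-report":
        # Legacy report-uri format: {"csp-report": {...}}
        if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
            raise ValueError("missing csp-report object")
        return [data["csp-report"]]
    # Reporting API format: a JSON array of reports of various types; keep CSP ones
    if not isinstance(data, list):
        raise ValueError("reports+json body must be an array")
    return [r["body"] for r in data
            if isinstance(r, dict) and r.get("type") == "csp-violation"
            and isinstance(r.get("body"), dict)]


class RateLimiter:
    """Sliding-window limiter: at most `limit` log entries per `window` seconds."""

    def __init__(self, limit=20, window=3600.0):
        self.limit, self.window = limit, window
        self._stamps = deque()

    def allow(self, now=None):
        now = time.monotonic() if now is None else now
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()
        if len(self._stamps) >= self.limit:
            return False
        self._stamps.append(now)
        return True


LIMITER = RateLimiter()


def handle_report(content_type, body, limiter=LIMITER, now=None):
    """Process one report POST; returns (http_status, number_of_reports_logged)."""
    try:
        reports = normalize_reports(content_type, body)
    except ValueError:
        return 400, 0
    if reports is None:
        return 415, 0
    logged = 0
    for rep in reports:
        if limiter.allow(now):  # drop the excess instead of flooding the log
            # sort_keys so reports from different browsers log in one field order
            log.warning("CSP violation: %s", json.dumps(rep, sort_keys=True))
            logged += 1
    return 204, logged


def wsgi_app(environ, start_response):
    """Serve pages with the CSP header and accept reports on REPORT_PATH."""
    if environ.get("PATH_INFO") == REPORT_PATH:
        if environ.get("REQUEST_METHOD") != "POST":
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        try:
            length = min(int(environ.get("CONTENT_LENGTH") or 0), MAX_REPORT_BYTES)
        except ValueError:
            length = 0
        body = environ["wsgi.input"].read(length)
        status, _ = handle_report(environ.get("CONTENT_TYPE", ""), body)
        reason = {204: "No Content", 400: "Bad Request", 415: "Unsupported Media Type"}[status]
        start_response(f"{status} {reason}", [])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Security-Policy", CSP_POLICY)])
    return [b"<html><body>Welcome</body></html>"]


def call_wsgi(method, path, content_type="", body=b""):
    """Drive wsgi_app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "CONTENT_TYPE": content_type,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], out


# Constructed sample reports (field names per MDN; values are made up)
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://127.0.0.1:8080/Home", "violated-directive": "script-src",
    "effective-directive": "script-src", "blocked-uri": "inline",
    "original-policy": CSP_POLICY, "line-number": 392}}).encode()
REPORTING_API_BATCH = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "http://127.0.0.1:8080/Home",
     "body": {"documentURL": "http://127.0.0.1:8080/Home", "effectiveDirective": "script-src",
              "blockedURL": "inline", "disposition": "enforce"}},
    {"type": "deprecation", "age": 10, "url": "http://127.0.0.1:8080/Home", "body": {}},
]).encode()
```

Run it under any WSGI server (for example `wsgiref.simple_server.make_server("127.0.0.1", 8080, wsgi_app)`) and every page response carries the header while the report route answers 204, 400 or 415. Two design points worth keeping in a real deployment: the endpoint must be reachable without authentication (the browser posts reports anonymously, which is why a wiki item at that path was the wrong tool), and because it is anonymous, both the body size and the log volume are bounded before anything is parsed or written.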