
Content-Security-Policy Header #19

Open
zwozwo opened this issue Nov 10, 2022 · 7 comments
Comments

@zwozwo

zwozwo commented Nov 10, 2022

webyep doesn't seem to work when a content-security-policy header is set to default-src 'self'.
Do you have any idea what to do?
Thanks in advance, Silke

@maxfancourt

maxfancourt commented Nov 10, 2022

A Content Protection Policy (CSP) is a security standard that defends websites against cross-site scripting (XSS), clickjacking, and other code injection attacks. It is a defence against malicious content executing in a trusted web context or other attempts to break the same-origin policy.

So... the HTTP header 'Content-Security-Policy' can be added to each response by the web server. The following CSP header properties can be set:

default-src — an optional method if no other attributes are defined. In most cases, the value of this property is self—meaning the browser can only upload resources from the current website.
script-src — locations from which external scripts can be loaded. If your website or application does not use client-side scripting, set the value to none.
img-src — locations from which images can be retrieved.
media-src — locations from which rich media like video can be retrieved.
object-src — locations from which plugins can be retrieved.
manifest-src — locations from which application manifests can be retrieved.
frame-ancestors — locations from which another web page can be loaded using a frame, iframe, object, embed, or applet element.
form-action — URLs that can be used as part of an action in a form tag, meaning the browser restricts where form results can be sent. The form action does not revert to default-src, so this is a mandatory property if you are using form elements on your site.
plugin-types — the set of plugins that can be invoked via objects, embeds, or applets, defined using MIME types.
base-uri — allows URLs in the src attribute of any tag.

The best way to add CSP retroactively to an entire webyep website is to define a completely empty whitelist, essentially blocking everything. Initially, CSP runs in report-only mode, which means that browsers evaluate rules but do not block the content yet. You can then examine errors and determine which should be included on the list (allowed) or excluded (disallowed). It's hard to determine how much to block. For instance, if you use a script hosted by a CDN and allow its addresses, you accept all traffic from those CDNs, which might include malicious traffic. To detect all possible cases, you should run CSP in report mode for a few weeks. Once you are confident that your rules capture all relevant usage scenarios, disable report-only and block resources that are not on the whitelist.

Please note webyep does use CDNs where it can, and I suspect that's where the issues may be.

@zwozwo
Author

zwozwo commented Nov 11, 2022

Thank you so much for this extended answer :-) Well, I could not run CSP in report mode as a test because webyep doesn't work when I do so. When running the CSP, I get the "please activate javascript in your browser" window.
I have this in my .htaccess file:
Header set Content-Security-Policy "script-src 'self'; img-src 'self'; frame-src 'self'; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; object-src 'none'; base-uri 'self'; connect-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none'"
My guess was that I have to add something to the script source perhaps, like "webyep-system/program" for example. Perhaps you or anybody else has an idea?
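To make the fallback rules from the earlier reply concrete, here is an added checker (not WebYep project code and not posted by anyone in this thread) that parses a CSP header and answers whether a given load is allowed. It evaluates the exact header from the .htaccess line above for a page at an assumed origin of https://example.com with constructed sample URLs; host sources are matched on scheme and host only (nonces, hashes and path matching are not modelled). The `THREAD_HEADER`, `PAGE`, `is_allowed` and `governing_directive` names are this example's own.

```python
"""Check which loads a Content-Security-Policy header allows.

Added example, not part of the WebYep project or this thread. It applies the
CSP fallback rules: most fetch directives fall back to default-src when they
are absent, while base-uri, form-action and frame-ancestors never do.
Simplifications: host sources are matched on scheme and host only.
"""
from urllib.parse import urlsplit

# Fallback chain for each fetch directive, in lookup order.
# Directives not listed (base-uri, form-action, frame-ancestors) never fall back.
FALLBACK = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "connect-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    A directive repeated within one policy keeps its first value."""
    policy = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def governing_directive(policy, directive):
    """Return the directive that actually governs `directive`, or None when
    nothing in the policy restricts it (the load is then unrestricted)."""
    for name in [directive, *FALLBACK.get(directive, [])]:
        if name in policy:
            return name
    return None


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source, page_origin, url):
    """Does one source expression permit fetching `url` from a page at
    `page_origin`? Keywords other than 'self' never match a URL."""
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes
    if source == "*":
        return True
    target = urlsplit(url)
    if source.endswith(":") and "/" not in source:  # scheme source, e.g. https:
        return target.scheme.lower() == source[:-1].lower()
    if "://" not in source:  # bare host inherits the page's scheme
        source = urlsplit(page_origin).scheme + "://" + source
    wanted = urlsplit(source)
    if wanted.scheme.lower() != target.scheme.lower():
        return False
    want_host = (wanted.hostname or "").lower()
    host = (target.hostname or "").lower()
    if want_host.startswith("*."):
        return host.endswith(want_host[1:])
    return host == want_host


def is_allowed(header, directive, page_origin, url=None, inline=False):
    """True if the policy lets this load happen. `inline=True` asks about an
    inline script/style block instead of a URL."""
    policy = parse_csp(header)
    used = governing_directive(policy, directive)
    if used is None:
        return True  # no directive and no fallback: CSP does not restrict it
    sources = policy[used]
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_matches(s, page_origin, url) for s in sources)


# The header posted in this thread; the page origin is an assumption.
THREAD_HEADER = (
    "script-src 'self'; img-src 'self'; frame-src 'self'; "
    "font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; "
    "object-src 'none'; base-uri 'self'; connect-src 'self'; "
    "manifest-src 'self'; media-src 'self'; worker-src 'none'"
)
PAGE = "https://example.com"  # assumed site origin (constructed)

if __name__ == "__main__":
    checks = [  # constructed sample loads: (directive, url, inline?)
        ("script-src", "https://example.com/webyep-system/program/x.js", False),
        ("script-src", "https://code.jquery.com/jquery.min.js", False),
        ("script-src", None, True),   # inline <script> block
        ("style-src", None, True),    # inline style: no style-src, no default-src
        ("font-src", "https://fonts.gstatic.com/s/roboto.woff2", False),
        ("form-action", "https://collector.example/post", False),
    ]
    for directive, url, inline in checks:
        ok = is_allowed(THREAD_HEADER, directive, PAGE, url=url, inline=inline)
        what = "inline" if inline else url
        print(f"{directive:12} {what:52} {'allowed' if ok else 'BLOCKED'}")
```

Two results are worth noting when reading the output: an inline script block is blocked because script-src is set and lacks 'unsafe-inline', while inline styles and form submissions to any destination are unrestricted, since the header sets neither style-src nor default-src and form-action never falls back to default-src.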

@maxfancourt

mmmm I don't think that's going to work because webyep uses javascript libraries in loads of places and also in things like the richtext editor, and some of these are on CDNs.
Just a thought though (I don't think it will work), but have you tried turning off javascript in the Javascript Library Framework Type options in the Config file within Webyep... so turn all those options

$webyep_JsLibariesType = "jquery";
$webyep_sModalWindowType = "jquery";
$webyep_sModalWindowType = "jquery";

all to none; does Webyep then kick in?

@zwozwo
Author

zwozwo commented Nov 14, 2022

Sorry for my late answer, I have no access to the server from home (over the weekend). "jquery" was the default. I tried to set these options to "none", but when I do so, some things like navigation and the editable parts are invisible.
Trying "protaculous" is the same as before - I get my "You have to activate javascript in your browser" window.
Seems there is no opportunity to solve this, but thank you so much for your help!

@willwood

I'm interested to take a look at the WebYep 3 codebase and see how much legacy Javascript can be removed. Would be good to swap some of this old jQuery code with modern Javascript. Particularly things like the modal popups, as a start.

@maxfancourt

Just bear in mind everyone, although I totally agree webyep could really do with Vanilla JavaScript and additional libraries rationalisation... jquery is used in the menu to sort menu/sections within the interface, as well as loads of vanilla javascript dotted around, plus the richtext editors as well... the modal windows also can be used with the three main libraries: jquery, mootools, Scriptaculous, plus the slide shows can also use these alternative libraries depending on what people choose as their preferred library base within the config file.. so whatever is written in pure javascript would have to work across the board. As far as I know, CSP affects external libraries, not libraries within the same location.. so it may be prudent to see what webyep fails on and see if those items are failing by a non-local library reference... it's just a thought :)

@zwozwo
Author

zwozwo commented Nov 14, 2022

I just made a test with "script-src 'self' 'unsafe-inline'", and it works. Not a solution, but what I can see is that it must have something to do with some inline script? But I can't see any.
I should also mention that my sites are built with freeway7 and that navigation doesn't work either (which of course has nothing to do with webyep, it is just info that might help).
