how to configure CSP correctly
Hey, I was trying to use the Content Security Policy feature, but I always get the (console) error that your settings have blocked a resource on self.
I tried different settings with an absolute path and wildcard use (localhost/[...]/css/*) and the default self, but everything gives the same result. Can someone show me how correct settings should look? (I also use {csp-script-nonce} in inline blocks, but this also results in "Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ([...]), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback".) Thx
Hmm. It's been a while since I wrote that code, or read those specs. I just tried a quick example and found at least one problem. Will try to dig into the whole thing tonight and post a simple example, fix bugs, etc.
Took me a little longer than expected, but I think I've squashed the bugs with CSP. Pull down the latest source and it should be working for you. Here's a quick example to get you started:
First off, turn CSP on in Config/App.php:

Code:
public $CSPEnabled = true;

Now refresh your page and you'll see lots of errors in your browser's console. If you have the debug toolbar on, you'll see even more. Please note that the toolbar is not compatible with CSP and should be turned off when you're tuning your CSP rules.

Assuming you have a simple little HTML page like this (which you wouldn't, but we have to start somewhere):

Code:
<!doctype html>

You would need to add the following in your base controller, or wherever you want, to get things passing the CSP restrictions:

Code:
$this->response->CSP->setDefaultSrc('self');
$this->response->CSP->addStyleSrc('https://maxcdn.bootstrapcdn.com');
$this->response->CSP->addFontSrc('https://maxcdn.bootstrapcdn.com');

setDefaultSrc isn't really required for this, but will make things a little simpler for you in most cases. addStyleSrc is required to allow the external Bootstrap stylesheet. addFontSrc is required to allow Bootstrap to load its fonts. Because the {csp-style-nonce} tag is in the style tag, a nonce will be automatically created for you and inserted into the header. With these rules, you'll end up with a generated header like:

Code:
Content-Security-Policy: connect-src 'self'; default-src 'self'; font-src https://maxcdn.bootstrapcdn.com; img-src 'self'; script-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com 'nonce-1cb22ae4b1a5c58a66415811';

Hope that helps! Be sure to read the articles linked in the docs for more information. It can get a bit complex.
Great work
So I don't have to worry about the errors (shown in the console)? I still have problems using local fonts; I guess it's an understanding problem on my side ^^ (they are successfully loaded but not used by the CSS rules in the HTML).
The errors that show in the console could be from the debug toolbar, or could be from your own code. They are valid errors. However, the only way to know is to turn the toolbar off, and then scan your site looking for errors. Or create a controller to receive and log debug info from the CSP function itself, using the reportOnly and setReportURI settings.
Fonts require the fontSrc setting to be set to where you expect fonts to come from. But yes, it's a fairly complex topic that I can't begin to answer all of the questions for.
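The reply above suggests logging violation reports through reportOnly and setReportURI rather than guessing from the console. Below is an added example of the receiving side, written for this page and not taken from CodeIgniter or from any poster in the thread. It is framework-agnostic so it runs on its own; the assumed CI4 wiring is `$this->response->CSP->setReportURI('/csp-report')` pointing at a controller that reads `$this->request->getBody()` and hands it to `parse_csp_report()`. The sample report and the `/csp-report` path are constructed for the example.

```php
<?php
// Added example: minimal receiver for browser CSP violation reports.
// Not CodeIgniter code; framework-agnostic so it runs stand-alone.
declare(strict_types=1);

// Fields of the "csp-report" object that are kept. Everything else, and any
// oversized body, is dropped: the report is attacker-controllable input and
// goes straight into a log file.
const CSP_REPORT_FIELDS = [
    'document-uri', 'referrer', 'blocked-uri', 'effective-directive',
    'violated-directive', 'original-policy', 'source-file',
    'line-number', 'column-number', 'disposition',
];
const CSP_REPORT_MAX_BYTES = 8192;

/**
 * Parse a CSP violation report (request Content-Type: application/csp-report).
 * Returns the allow-listed fields as strings, or null if the body is unusable.
 */
function parse_csp_report(string $body): ?array
{
    if (strlen($body) > CSP_REPORT_MAX_BYTES) {
        return null;
    }
    // Depth 4 is enough for {"csp-report": {field: scalar}}; deeper input is rejected.
    $decoded = json_decode($body, true, 4);
    if (!is_array($decoded) || !isset($decoded['csp-report']) || !is_array($decoded['csp-report'])) {
        return null;
    }
    $report = [];
    foreach (CSP_REPORT_FIELDS as $field) {
        if (array_key_exists($field, $decoded['csp-report'])) {
            $value = $decoded['csp-report'][$field];
            if (is_scalar($value)) {
                // Strip control characters and cap length so one report stays one log line.
                $report[$field] = substr(preg_replace('/[\x00-\x1f\x7f]/', '', (string) $value), 0, 512);
            }
        }
    }
    return $report;
}

/** Single-line key=value record suitable for log_message() or any logger. */
function format_csp_report_line(array $report): string
{
    $parts = [];
    foreach ($report as $k => $v) {
        $parts[] = $k . '=' . json_encode($v);
    }
    return 'csp-violation ' . implode(' ', $parts);
}

// Constructed sample: the shape a browser sends for the inline-style error
// quoted at the top of this thread.
$sample = json_encode(['csp-report' => [
    'document-uri'       => 'http://localhost/index.php/home',
    'violated-directive' => 'style-src',
    'effective-directive' => 'style-src',
    'blocked-uri'        => 'inline',
    'original-policy'    => "default-src 'self'",
    'line-number'        => 12,
]]);

$parsed = parse_csp_report($sample);
if ($parsed === null || $parsed['blocked-uri'] !== 'inline') {
    throw new RuntimeException('report parsing failed');
}
echo format_csp_report_line($parsed), PHP_EOL;

// Malformed input produces no log entry at all.
if (parse_csp_report('{"csp-report": "not an object"}') !== null) {
    throw new RuntimeException('malformed report accepted');
}
```

Run with reportOnly enabled first: the browser then sends reports without blocking anything, which lets you tune the policy from the log while the site keeps working, and only then switch to enforcing mode.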
(11-25-2019, 11:17 PM)ttwist Wrote:
(10-12-2018, 11:52 AM)frankenestain Wrote: There's no app.php in config!

Yeah, CI 3 does not have built-in support for Content Security Policy (CSP), but CSP is just an HTTP header.

1. You are able to publish any HTTP header in any version of CodeIgniter by using the $response->setHeader() method:

Code:
$this->response->setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline';");

2. If you are not looking for easy ways and wish to have some convenience of CSP setup, it's possible to import the class ContentSecurityPolicy.php from CI4 to CI3. You just need to change some PHP7 constructs like:

PHP Code:
$explicitReporting ?? $this->reportOnly

into:

PHP Code:
is_null($explicitReporting) ? $this->reportOnly : $explicitReporting

Anyway, you need to modify the class ContentSecurityPolicy.php even if you use CI4: this class is oriented to the outdated Content Security Policy level 2 spec, therefore it does not support a lot of CSP3 directives and tokens.

(11-23-2020, 09:29 AM)egranty Wrote:
(11-25-2019, 11:17 PM)ttwist Wrote:
(10-12-2018, 11:52 AM)frankenestain Wrote: There's no app.php in config!

Hello, thanks for your reply. Any idea how to add a nonce attribute to all <script> elements in CI3? Easy way? Thanks!
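The last two posts boil down to one mechanism: a per-request nonce that appears both in the CSP header and on the inline elements, which is what the {csp-script-nonce} and {csp-style-nonce} placeholders do for you in CI4. The following is an added example for this page, not code from CodeIgniter 3 or from any poster; it is framework-agnostic so it runs on its own. The assumed CI3 wiring is `$this->output->set_header('Content-Security-Policy: ' . csp_header($nonce));` before rendering and `$this->output->set_output(add_nonce_attributes($html, $nonce));` on the rendered page. Unlike the setHeader example above, the policy here uses the nonce instead of 'unsafe-inline', and it sets style-src explicitly so the default-src fallback from the opening post's error no longer applies. The sample HTML is constructed.

```php
<?php
// Added example: per-request CSP nonce, matching header, and a filter that
// stamps the nonce onto <script>/<style> tags. Not CodeIgniter code.
declare(strict_types=1);

/** 128 bits from the CSPRNG, base64 so it is safe in the header and in an attribute. */
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Policy for a page that serves its own assets and uses inline <script>/<style>
 * blocks. The nonce, not 'unsafe-inline', is what permits the inline blocks, so
 * it must be fresh on every response and the page must never be cached with it.
 */
function csp_header(string $nonce): string
{
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "style-src 'self' 'nonce-{$nonce}'",
    ]);
}

/**
 * Add nonce="..." to each opening <script>/<style> tag that has no nonce yet.
 * External scripts (src=...) get one too; a nonce matches an element whether
 * it is inline or external, so this is harmless.
 */
function add_nonce_attributes(string $html, string $nonce, array $tags = ['script', 'style']): string
{
    $tagAlt = implode('|', array_map('preg_quote', $tags));
    $attr   = ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';
    // (?![^>]*\bnonce=) skips tags that already carry a nonce, so the filter is idempotent.
    return preg_replace_callback(
        '/<(' . $tagAlt . ')\b(?![^>]*\bnonce=)/i',
        fn(array $m): string => '<' . $m[1] . $attr,
        $html
    );
}

// Constructed sample page: an inline style, an external script, a script that
// already carries a nonce (must not be doubled) and an inline script.
$nonce = csp_nonce();
$page  = '<!doctype html><html><head><style>body{margin:0}</style>'
       . '<script src="/js/app.js"></script><script nonce="abc">var x=1;</script>'
       . '</head><body><script>console.log("hi")</script></body></html>';
$out   = add_nonce_attributes($page, $nonce);

if (substr_count($out, 'nonce="' . $nonce . '"') !== 3 || substr_count($out, 'nonce="abc"') !== 1) {
    throw new RuntimeException('nonce injection failed');
}
if (strpos(csp_header($nonce), "'nonce-{$nonce}'") === false) {
    throw new RuntimeException('header missing nonce');
}
echo 'Content-Security-Policy: ', csp_header($nonce), PHP_EOL;
echo $out, PHP_EOL;
```

Generate the nonce once per request (for example in a base controller constructor) and reuse that single value for both calls; generating it twice yields a header and a page that do not match, which reproduces exactly the "Refused to apply inline style" error from the first post.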