View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 254
IDProjectCategoryView StatusDate SubmittedLast Update
12569Feature requestsSecuritypublic2017-08-04 12:362021-03-08 19:44
Reporteruser99009Assigned Toc_schmitz  
PrioritynoneSeverity@60@ 
Status closedResolutionwon't fix 
Summary12569: Content-Security-Policy (CSP) HTTP response header absent
Description

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP . This header can potentially disarm a range of client-side attacks.

A manual nginx setting
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; font-src 'self'; child-src 'self'; frame-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; block-all-mixed-content; script-src 'self' 'unsafe-inline';";
seems to work. But since that isn't informed or maintained by the LimeSurvey developers, it is suboptimal and prone to breakage.

TagsNo tags attached.
Bug heat254
Story point estimate
Users affected %

Users monitoring this issue

There are no users monitoring this issue.

Activities

c_schmitz

c_schmitz

2017-10-06 16:24

administrator   ~44548

I don't currently see how the average user would be able to handle that.
The CSP header can be limitless complex. See http://cspisawesome.com/ for a try at a wizard.

I don't see an easy way to implement that right now. So what do you suggest?
Rudloff

Rudloff

2018-03-14 15:57

reporter   ~47041

It is indeed a good practice to return a Content-Security-Policy header as it prevents different types of XSS attacks.

IMHO you have two way of implementing this:

  • Add a setting page allowing the user to tweak the policy.
  • Use a very generic policy that could work almost everywhere.

Here is what we use on our server:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-ancestors http:; img-src 'self'

Here is what it means:

  • By default only allow resources from the same domain.
  • Allow scripts from the same domain, from inline scripts or from eval().
  • Don't allow objects and embeds.
  • Only allow styles from the same domain or from inline styles.
  • Allow forms to be included in iframes from any domain over HTTP(S).
  • Only allow images from the same domain.

(The last one could be made less strict if people need to include images from other domains.)

Allowing inline scripts and eval is not very secure but disallowing them breaks some parts of LimeSurvey :/

It's also a good idea to define the following headers:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
c_schmitz

c_schmitz

2021-03-08 19:44

administrator   ~62904

This won't be implemented as we consider this to be a server-side setting.

Issue History

Date Modified Username Field Change
2017-08-04 12:36 user99009 New Issue
2017-10-06 16:24 c_schmitz Assigned To => c_schmitz
2017-10-06 16:24 c_schmitz Status new => feedback
2017-10-06 16:24 c_schmitz Note Added: 44548
2018-02-15 12:18 c_schmitz Project Bug reports => Feature requests
2018-03-14 15:57 Rudloff Note Added: 47041
2021-03-08 19:44 c_schmitz Status feedback => closed
2021-03-08 19:44 c_schmitz Resolution open => won't fix
2021-03-08 19:44 c_schmitz Note Added: 62904