View Issue Details

IDProjectCategoryView StatusLast Update
12569Feature requests[All Projects] Securitypublic2018-03-14 15:57
Reporteruser99009Assigned Toc_schmitz  
PrioritynoneSeverity@60@ 
Status feedbackResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary12569: Content-Security-Policy (CSP) HTTP response header absent
Description

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP . This header can potentially disarm a range of client-side attacks.

A manual nginx setting
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; font-src 'self'; child-src 'self'; frame-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; block-all-mixed-content; script-src 'self' 'unsafe-inline';";
seems to work. But since that isn't informed or maintained by the LimeSurvey developers, it is suboptimal and prone to breakage.

TagsNo tags attached.

Activities

c_schmitz

c_schmitz

2017-10-06 16:24

administrator   ~44548

I don't currently see how the average user would be able to handle that.
The CSP header can be limitless complex. See http://cspisawesome.com/ for a try at a wizard.

I don't see an easy way to implement that right now. So what do you suggest?

Rudloff

Rudloff

2018-03-14 15:57

reporter   ~47041

It is indeed a good practice to return a Content-Security-Policy header as it prevents different types of XSS attacks.

IMHO you have two way of implementing this:

  • Add a setting page allowing the user to tweak the policy.
  • Use a very generic policy that could work almost everywhere.

Here is what we use on our server:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; frame-ancestors http:; img-src 'self'

Here is what it means:

  • By default only allow resources from the same domain.
  • Allow scripts from the same domain, from inline scripts or from eval().
  • Don't allow objects and embeds.
  • Only allow styles from the same domain or from inline styles.
  • Allow forms to be included in iframes from any domain over HTTP(S).
  • Only allow images from the same domain.

(The last one could be made less strict if people need to include images from other domains.)

Allowing inline scripts and eval is not very secure but disallowing them breaks some parts of LimeSurvey :/

It's also a good idea to define the following headers:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Issue History

Date Modified Username Field Change
2017-08-04 12:36 user99009 New Issue
2017-10-06 16:24 c_schmitz Assigned To => c_schmitz
2017-10-06 16:24 c_schmitz Status new => feedback
2017-10-06 16:24 c_schmitz Note Added: 44548
2018-02-15 12:18 c_schmitz Project Bug reports => Feature requests
2018-03-14 15:57 Rudloff Note Added: 47041