From 336d06b2a8ca75362578b1d67ea1f32a45c8edd3 Mon Sep 17 00:00:00 2001
From: FloatingGhost
Date: Mon, 2 Jan 2023 15:21:19 +0000
Subject: [PATCH] Significantly tighten HTTP CSP
---
 CHANGELOG.md | 1 +
 lib/pleroma/web/plugs/http_security_plug.ex | 15 +++++----------
 .../pleroma/web/plugs/http_security_plug_test.exs | 2 +-
 3 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee3c28858..8e638bdd8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Quote posts are now considered as part of the same thread as the post they are quoting - Simplified HTTP signature processing - Rich media will now hard-exit after 5 seconds, to prevent timeline hangs
+- HTTP Content Security Policy is now far more strict to prevent any potential XSS/CSS leakages
 ### Fixed - /api/v1/accounts/lookup will now respect restrict\_unauthenticated
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 5f0b775be..b1f1ada94 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -106,20 +106,15 @@ defp csp_string(conn) do connect_src = if Config.get([:media_proxy, :enabled]) do sources = build_csp_multimedia_source_list()
- ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
+ ["connect-src 'self' ", static_url, ?\s, websocket_url, ?\s, sources]
 else
- ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
+ ["connect-src 'self' ", static_url, ?\s, websocket_url]
 end
- style_src = "style-src 'self' 'unsafe-inline'"
- font_src = "font-src 'self' data:"
+ style_src = "style-src 'self' '#{nonce_tag}'"
+ font_src = "font-src 'self'"
- script_src =
- if Config.get(:env) == :dev do
- "script-src 'self' 'unsafe-eval' '#{nonce_tag}'"
- else
- "script-src 'self' '#{nonce_tag}'"
- end
+ script_src = "script-src 'self' '#{nonce_tag}'"
 report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"] insecure = if scheme == "https", do: "upgrade-insecure-requests"
diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
index d6d841078..d88d4624f 100644
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -140,7 +140,7 @@ defp assert_media_img_src(conn, url) do defp assert_connect_src(conn, url) do conn = get(conn, "/api/v1/instance") [csp] = Conn.get_resp_header(conn, "content-security-policy")
- assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+ assert csp =~ ~r/connect-src 'self' [^;]+ #{url}/
 end test "it does not send CSP headers when disabled", %{conn: conn} do
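Review bot: The new `style_src` line reuses `nonce_tag` for styles, but a nonce only authorises `<style>` elements that carry it, so every inline `style="…"` attribute is now refused; that looks intended, yet nothing in the code says so. I would add above it `# nonce covers <style> elements only; inline style attributes stay blocked on purpose`, so a later frontend fix does not quietly restore `'unsafe-inline'`. `csp_string` starts and ends outside this hunk and `nonce_tag` is assigned there, so it cannot be confirmed from here that the value is generated fresh per response, which both `script-src` and `style-src` now depend on. Removing the `:dev` branch also drops `'unsafe-eval'` for development builds without a comment explaining why the distinction is no longer needed.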
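Review bot: Only the `connect-src` expectation in `assert_connect_src` is adjusted, so as far as this hunk shows nothing pins the directives the commit actually tightens, and a change that put `'unsafe-inline'` or `'unsafe-eval'` back would still pass. Negative assertions on the same header would cover it, for example `refute csp =~ "'unsafe-inline'"` and `refute csp =~ "'unsafe-eval'"`, plus a match on `font-src 'self';` to catch a returning `data:`. The following `test "it does not send CSP headers when disabled"` runs past the end of the hunk, and the rest of the file is not visible, so equivalent checks may already exist elsewhere.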