missing security headers on demo1 #516

Closed
baszoetekouw opened this issue May 8, 2024 · 9 comments · Fixed by #530 or #540
baszoetekouw (Member) commented May 8, 2024

mrvanes (Contributor) commented Jul 1, 2024

The CSP headers break Etherpad and WordPress, so don't merge yet!

mrvanes moved this from Todo to In progress in SRAM development Jul 1, 2024
sram-project-automation bot moved this from In progress to To be tested in SRAM development Jul 2, 2024
baszoetekouw added this to the v35 milestone Aug 6, 2024
baszoetekouw (Member, Author) commented

@mrvanes what is the status of this? I see I've already merged the PR, but apparently I shouldn't have?

baszoetekouw reopened this Aug 8, 2024
github-project-automation bot moved this from To be tested to New in SRAM development Aug 8, 2024
baszoetekouw moved this from New to In progress in SRAM development Aug 8, 2024
baszoetekouw removed this from the v35 milestone Aug 8, 2024
mrvanes (Contributor) commented Aug 8, 2024

The CSP requirements and Etherpad/WordPress cannot be fulfilled at the same time, I'm afraid.

baszoetekouw (Member, Author) commented

OK, then let's use more relaxed CSP headers for WP and Etherpad.

mrvanes (Contributor) commented Aug 8, 2024

And that means no CSP headers at all for demo1 at the moment. Then you might as well revert that merge.

baszoetekouw (Member, Author) commented

Relaxed CSP headers are still better than none, as far as I'm concerned.

mrvanes (Contributor) commented Aug 8, 2024

Agreed, but with my limited knowledge of the subject I haven't managed to put together a set that works, and EP and WP share the CSP headers because they are on the same virtualhost.

mrvanes (Contributor) commented Aug 9, 2024

With this CSP:

Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.sram.surf.nl; frame-ancestors 'none'; block-all-mixed-content;"

Etherpad barks:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-13Xtc89MSfsDPErm3syFx70NQqw9DB0exK2LYLR9Bes='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

In 3 places.

WordPress barks:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-9lQoa6DxL3CLBHO/ruChS5qnmwmTp5M9Df4S5UOH97k='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-qakqfo0k3q+bzf4QOzmMxUPbAYdakC3HWGmfOL/BUC4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the stylesheet 'http://demo1.sram.surf.nl/wp/wp-includes/blocks/navigation/style.min.css/?ver=6.4.3' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

In dozens of places.

Do you have any good ideas for a less strict CSP?
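To make the fallback behaviour those console messages describe concrete, here is an added Python example (not code from the SRAM project or from anyone in this thread). It replays the three reported loads against the strict policy quoted above and against a relaxed policy that admits them, modelling only the parts of CSP the messages rely on: the directive fallback chain (style-src-elem to style-src to default-src, likewise for script), 'self', 'unsafe-inline', sha256 hashes and upgrade-insecure-requests. It assumes the demo1 pages are served over https (the thread does not say), and the inline style and script bodies are constructed placeholders, not Etherpad's or WordPress's real markup.

```python
"""Replay the CSP violations quoted in the thread against the strict policy
and a relaxed one. Added example, not SRAM project code."""
import base64
import hashlib
from urllib.parse import urlsplit

# Assumption: demo1 is served over https (not stated in the thread).
PAGE_ORIGIN = "https://demo1.sram.surf.nl"

# The policy quoted in the thread.
STRICT = ("default-src 'self'; base-uri 'self'; frame-src 'none'; "
          "form-action 'self' https://*.sram.surf.nl; frame-ancestors 'none'; "
          "block-all-mixed-content;")

# CSP3 fallback chain, the one the console messages spell out.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
}


def parse_csp(header):
    """'a b c; d' -> {'a': ['b', 'c'], 'd': []}; directive names lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def sha256_source(inline_content):
    """The 'sha256-...' source expression a browser prints for this content."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def governing(policy, directive):
    """First directive in the fallback chain that the policy actually sets."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name, policy[name]
    return None, None  # nothing governs this load, so it is allowed


def host_matches(source, url):
    """Match one host-source expression ('self', scheme://host, *.host) to a URL."""
    page, target = urlsplit(PAGE_ORIGIN), urlsplit(url)
    if source == "'self'":  # same host; same scheme, or https on an http page
        return target.hostname == page.hostname and target.scheme in {page.scheme, "https"}
    if source.startswith("'"):
        return False  # keywords, nonces and hashes never match a URL
    scheme, _, rest = source.partition("://")
    if not rest:  # bare host-source: page scheme, or an upgrade to https
        scheme, rest = "", source
    if target.scheme not in ({scheme} if scheme else {page.scheme, "https"}):
        return False
    host = rest.split("/", 1)[0]
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])  # needs at least one label
    return target.hostname == host


def allowed(policy, load):
    """load has 'directive' plus either 'inline' (content) or 'url'. Returns (ok, reason)."""
    name, sources = governing(policy, load["directive"])
    if sources is None:
        return True, "no governing directive"
    if "inline" in load:
        # CSP2+: 'unsafe-inline' is ignored once a nonce or hash is present.
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not nonce_or_hash:
            return True, f"{name} allows 'unsafe-inline'"
        if sha256_source(load["inline"]) in sources:
            return True, f"{name} matches {sha256_source(load['inline'])}"
        return False, f"{name} refuses inline content (fallback from {load['directive']})"
    url = load["url"]
    if "upgrade-insecure-requests" in policy and url.startswith("http://"):
        url = "https://" + url[len("http://"):]
    for source in sources:
        if host_matches(source, url):
            return True, f"{name}: {source} matches {url}"
    return False, f"{name} refuses {url}"


# Constructed loads, modelled on the three console messages in the thread.
INLINE_STYLE = "body { margin: 0 }"              # placeholder for Etherpad's inline <style>
INLINE_SCRIPT = "window.wp = window.wp || {};"  # placeholder for WordPress's inline <script>
LOADS = [
    {"directive": "style-src-elem", "inline": INLINE_STYLE},
    {"directive": "script-src-elem", "inline": INLINE_SCRIPT},
    {"directive": "style-src-elem",
     "url": "http://demo1.sram.surf.nl/wp/wp-includes/blocks/navigation/style.min.css/?ver=6.4.3"},
]

# Relaxed policy: inline styles via 'unsafe-inline', the inline script only by
# hash (script-src keeps refusing injected scripts), http subresources upgraded.
RELAXED = ("default-src 'self'; base-uri 'self'; frame-src 'none'; "
           "form-action 'self' https://*.sram.surf.nl; frame-ancestors 'none'; "
           "style-src 'self' 'unsafe-inline'; "
           f"script-src 'self' {sha256_source(INLINE_SCRIPT)}; "
           "upgrade-insecure-requests")


def evaluate(header):
    """Verdict per load: strict -> [False, False, False], relaxed -> [True, True, True]."""
    policy = parse_csp(header)
    return [allowed(policy, load)[0] for load in LOADS]


if __name__ == "__main__":
    for label, header in (("strict", STRICT), ("relaxed", RELAXED)):
        print(label)
        for load in LOADS:
            ok, why = allowed(parse_csp(header), load)
            print(f"  {'allow' if ok else 'BLOCK'}: {why}")
```

Two things the run shows that the console messages only hint at. The relaxed policy keeps 'unsafe-inline' out of script-src and admits the inline script by hash, because 'unsafe-inline' on script-src gives up most of the injection protection the header is there for; hashes only work while the inline script body is static, and once a nonce or hash is listed the browser ignores 'unsafe-inline' in that directive anyway, so a per-response nonce is the usual next step for WordPress. The stylesheet failure is a scheme problem rather than a header one: the page is https and the URL is http, which 'self' never matches; upgrade-insecure-requests papers over it, and having WordPress emit https URLs removes it.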

mrvanes linked a pull request Aug 13, 2024 that will close this issue
baszoetekouw (Member, Author) commented

works.

baszoetekouw moved this from To be tested to To be deployed in SRAM development Sep 10, 2024
logan-life added this to the v36 milestone Sep 10, 2024