Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content Security Policy (CSP) #1122

Open
likehopper opened this issue Feb 23, 2021 · 4 comments · May be fixed by #1580
Open

Content Security Policy (CSP) #1122

likehopper opened this issue Feb 23, 2021 · 4 comments · May be fixed by #1580
Labels
enhancement security

Comments

@likehopper
Copy link

The security requirements of web servers are increasing. From now it's recommended to have a "Content-Security-Policy" rule. And generally, it prohibits the execution of inline scripts (unsafe-inline).

However, in Sympa's pages, we have an innline script generated dynamically. And that prevents the menu from working.

For example these include:

        <!-- head_javascript.tt2 -->

	<script>
	<!--
	var sympa = {
	    backText:           'Retour',
	    calendarButtonText: 'Calendrier',
	    calendarFirstDay:   0,
	    closeText:          'Fermer',
	    dayNames:           'Lundi:Mardi:Mercredi:Jeudi:Vendredi:Samedi:Dimanche'.split(":"),
	    dayNamesMin:        'D:L:M:M:J:V:S'.split(":"),
	    home_url:           '/sympa/',
	    icon	s_url:          '/static-sympa/icons',
	    lang:               'fr',
	    loadingText:        'Veuillez patienter...',
	    monthNamesShort:    'Jan:Fév:Mar:Avr:Mai:Jui:Juil:Aoû:Sep:Oct:Nov:Déc'.split(":"),
	    openInNewWinText:   'Ouvrir dans une nouvelle fenêtre',
	    resetText:          'Effacer'
	};
	var lang = 'fr';
	//-->
	</script>

Could you change it to call it from an external file?

Thanks,
Vincent
@ikedas
Copy link
Member

ikedas commented Feb 24, 2021

There seem some more things to be prohibited by CSP:

  • "onclick" event handler in HTML: compose_mail.tt2, request_topic.tt2 and viewmod.tt2.
  • inline javascript for email obfuscation generated by setting spam_protection and/or web_archive_spam_protection parameter as javascript.

@likehopper
Copy link
Author

Has the code been updated ?

@ikedas
Copy link
Member

ikedas commented Nov 24, 2022

How can we resolve the points I mentioned?

ikedas added a commit to ikedas/sympa that referenced this issue Jan 15, 2023
@ikedas
WWSympa: Add CSP nonce-source to inline script (sympa-community#1122)
384da03
@ikedas ikedas linked a pull request Jan 15, 2023 that will close this issue
Draft
4 tasks
ikedas added a commit to ikedas/sympa that referenced this issue Jan 15, 2023
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
3408d9e 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Jan 15, 2023
@ikedas
Add CSP nonce-source to the other inline scripts (sympa-community#1122)
1f8313d
ikedas added a commit to ikedas/sympa that referenced this issue Jan 15, 2023
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
2a8a696 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Jan 18, 2023
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
523bb71 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Jan 18, 2023
@ikedas
Avoid inline scripting for onclick handler (sympa-community#1122)
0f66916
@ikedas
Copy link
Member

ikedas commented Jan 18, 2023
edited
Loading

Hi @likehopper ,
Could you please apply the changes in PR above and check if the problem will be fixed?

ikedas added a commit to ikedas/sympa that referenced this issue Mar 8, 2023
@ikedas
WWSympa: Add CSP nonce-source to inline script (sympa-community#1122)
8d3ef4c
ikedas added a commit to ikedas/sympa that referenced this issue Mar 8, 2023
@ikedas
Add CSP nonce-source to the other inline scripts (sympa-community#1122)
9d8932f
ikedas added a commit to ikedas/sympa that referenced this issue Mar 8, 2023
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
9ffeea9 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Mar 8, 2023
@ikedas
Avoid inline scripting for onclick handler (sympa-community#1122)
3526a3f
ikedas added a commit to ikedas/sympa that referenced this issue Apr 21, 2023
@ikedas
WWSympa: Add CSP nonce-source to inline script (sympa-community#1122)
6691c58
ikedas added a commit to ikedas/sympa that referenced this issue Apr 21, 2023
@ikedas
Add CSP nonce-source to the other inline scripts (sympa-community#1122)
b3c9459
ikedas added a commit to ikedas/sympa that referenced this issue Apr 21, 2023
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
163294e 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Apr 21, 2023
@ikedas
Avoid inline scripting for onclick handler (sympa-community#1122)
d8c48af
ikedas added a commit to ikedas/sympa that referenced this issue Apr 24, 2023
@ikedas
Avoid inline scripting for onclick handler (sympa-community#1122)
c72254e
ikedas added a commit to ikedas/sympa that referenced this issue Jan 7, 2024
@ikedas
WWSympa: Add CSP nonce-source to inline script (sympa-community#1122)
1feeb59
ikedas added a commit to ikedas/sympa that referenced this issue Jan 7, 2024
@ikedas
Add CSP nonce-source to the other inline scripts (sympa-community#1122)
42b8f44
ikedas added a commit to ikedas/sympa that referenced this issue Jan 7, 2024
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
a56e4c6 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Jan 7, 2024
@ikedas
Avoid inline scripting for onclick handler (sympa-community#1122)
4e1ea6f
ikedas added a commit to ikedas/sympa that referenced this issue Aug 25, 2024
@ikedas
WWSympa: Add CSP nonce-source to inline script (sympa-community#1122)
6f2079d
ikedas added a commit to ikedas/sympa that referenced this issue Aug 25, 2024
@ikedas
Add CSP nonce-source to the other inline scripts (sympa-community#1122)
a6b5c49
ikedas added a commit to ikedas/sympa that referenced this issue Aug 25, 2024
@ikedas
Avoid inline scripting for "javascript" email obfuscation method (sym…
30b929e 
…pa-community#1122)
ikedas added a commit to ikedas/sympa that referenced this issue Aug 25, 2024
@ikedas
Avoid inline scripting for onclick handler (sympa-community#1122)
2cefae9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WWSympa: Apply Content Security Policy on scripts (#1122) ikedas/sympa
2 participants
@ikedas @likehopper