andrewmarkham / contentsecuritypolicy

Episerver addon to help manage the sites content security policy.

License: Apache License 2.0

HTML 2.03% C# 5.48% JavaScript 91.60% CSS 0.18% Less 0.02% SCSS 0.45% TypeScript 0.24% ASP.NET 0.01%
content-security-policy episerver episerver-addon optimizley optimizley-addon


contentsecuritypolicy's Issues

report-to directive not implemented correctly

...; report-to ; is wrong.

Expected

Reporting-Endpoints: main-endpoint="https://reports.example/main", default="https://reports.example/default"

# Content-Security-Policy violations and Document-Policy violations
# will be sent to main-endpoint
Content-Security-Policy: script-src 'self'; object-src 'none'; report-to main-endpoint;
Document-Policy: document-write=?0; report-to=main-endpoint;
# Deprecation reports don't need an explicit endpoint because
# these reports are always sent to the `default` endpoint

See
https://developer.chrome.com/articles/reporting-api/

Hosts values not prepulated when editing

I am not sure if this is just a specific version of 2.3.0.285 or after it was upgraded, but when editing a content security policy, the original value is not prepopulated when clicking on a policy to edit.

To reproduce: add a host value to style-src, save it and then try to edit. It appears the other fields are populated with the original values you saved, but hosts are not.

Host field in CSP allows invalid characters

This applies to latest version (1.4.0) and on Optimizely CMS 12 (12.13.2)

When entering text in the host field, invalid characters are not stripped out and this causes a 500 error on all pages of the website - so effectively brings the site down.

Steps to reproduce:

  1. On the "Security Page" in the CMS, edit any src field in the policy (e.g. frame-src)
  2. In the edit overlay, enter "abc.com" followed by a carriage return, then enter "def.com" in the "Host Source" text box at the bottom of the form
  3. Click "Ok" to save the entry

Now all pages throw a 500 error for invalid char in headers.
To remedy, you have to go into DB and manually edit row in tblBigTable to fix as changing it back via the UI doesn't work.

Secure Admin plugin

Restrict access to the admin plugin

  • Must be authenticated
  • Must have role ???

An item with the same key has already been added. Key: Content-Security-Policy

Hi!! Nice plugin, well done!

Every now and then, haven't found any regularity, but I get this error. Sometimes at startup on server.


2023-01-21T10:45:43.296944600Z       Failed to determine the https port for redirect.
2023-01-21T10:45:44.649420047Z warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
2023-01-21T10:45:44.649526247Z       Failed to determine the https port for redirect.
2023-01-21T10:45:44.936669894Z fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
2023-01-21T10:45:44.936753194Z       An unhandled exception has occurred while executing the request.
2023-01-21T10:45:44.936759594Z       System.ArgumentException: An item with the same key has already been added. Key: Content-Security-Policy
2023-01-21T10:45:44.943094793Z          at System.Collections.Generic.Dictionary`2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
2023-01-21T10:45:44.943128892Z          at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
2023-01-21T10:45:44.943145092Z          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseHeaders.AddValueUnknown(String key, StringValues value)
2023-01-21T10:45:44.943150992Z          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseHeaders.AddValueFast(String key, StringValues value)
2023-01-21T10:45:44.953722491Z          at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpHeaders.System.Collections.Generic.IDictionary<System.String,Microsoft.Extensions.Primitives.StringValues>.Add(String key, StringValues value)
2023-01-21T10:45:44.954517890Z          at Jhoose.Security.Services.JhooseSecurityService.AddContentSecurityPolicy(HttpResponse response)
2023-01-21T10:45:44.954534790Z          at Jhoose.Security.Middleware.ContentSecurityPolicyMiddleware.InvokeAsync(HttpContext context, IJhooseSecurityService securityService)

I don't seem to reproduce this in development.

What about having a check if the header is already added? Or try/catch and log the error?

Suggestion: if (context.Request.Headers.ContainsKey("Content-Security-Policy")) => add CSP

I do have this in startup ...

app.Use(async (context, next) =>
{
    //if (context.Response.Headers.All(x => x.Key != "Permissions-Policy"))
    context.Response.Headers.Add("Permissions-Policy", new[] { "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" });

    await next();
});
<ItemGroup>
		<PackageReference Include="Advanced.CMS.GroupingHeader" Version="2.0.0" />
		<PackageReference Include="Epicweb.Optimizely.RedirectManager" Version="6.0.0" />
		<PackageReference Include="AspNetCore.SassCompiler" Version="1.55.0" />
		<PackageReference Include="Baaijte.Optimizely.ImageSharp.Web" Version="2.1.1" />
		<PackageReference Include="Epicweb.Optimizely.QuickNavExtension" Version="6.0.0.0" />
		<PackageReference Include="EPiServer.CMS" Version="12.13.1" />
		<PackageReference Include="EPiServer.CMS.AspNetCore" Version="12.9.3" />
		<PackageReference Include="EPiServer.CMS.AspNetCore.HtmlHelpers" Version="12.9.3" />
		<PackageReference Include="EPiServer.CMS.TinyMce" Version="3.3.1" />
		<PackageReference Include="EPiServer.CMS.UI" Version="12.13.1" />
		<PackageReference Include="EPiServer.CMS.UI.AspNetIdentity" Version="12.13.1" />
		<PackageReference Include="EPiServer.CMS.UI.Core" Version="12.13.1" />
		<PackageReference Include="EPiServer.CMS.UI.Settings" Version="12.13.1" />
		<PackageReference Include="EPiServer.Framework" Version="12.9.3" />
		<PackageReference Include="EPiServer.Framework.AspNetCore" Version="12.9.3" />
		<PackageReference Include="EPiServer.Hosting" Version="12.9.3" />
		<PackageReference Include="Geta.Optimizely.ContentTypeIcons" Version="2.0.2" />
		<PackageReference Include="HtmlAgilityPack" Version="1.11.46" />
		<PackageReference Include="Jhoose.Security.Admin" Version="1.4.0.176" />
		<PackageReference Include="LigerShark.WebOptimizer.Core" Version="3.0.372" />
		<PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="6.0.10" />
		<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="6.0.10" />
		<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="6.0.10">
			<PrivateAssets>all</PrivateAssets>
			<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
		</PackageReference>
		<PackageReference Include="PictureRenderer.Optimizely" Version="2.4.0" />
		<PackageReference Include="Schema.NET" Version="11.0.1" />
		<PackageReference Include="Serilog" Version="2.12.0" />
		<PackageReference Include="Serilog.Extensions.Hosting" Version="5.0.1" />
		<PackageReference Include="Serilog.Sinks.File" Version="5.0.1-dev-00947" />
		<PackageReference Include="SixLabors.ImageSharp.Web" Version="2.0.2" />
	</ItemGroup>

Service Extensions missing

The following were missing from the main Jhoose initialization extension.

services.AddJhooseSecurityCoreReporting();
applicationBuilder.UseJhooseSecurityReporting();

Violation reported when nonce is set

Hi,

I'm seeing this error for an inline script tag

"Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' ''nonce-74e1441e-1985-44d1-8d57-676b6ca3273e''". Either the 'unsafe-inline' keyword, a hash ('sha256-nxUK0e7dsIKkkKXtZnnZ5fL3g1FSxV6g5v3Wi2aal4Y='), or a nonce ('nonce-...') is required to enable inline execution."

CSP Headers returned:

content-security-policy: script-src 'self' ''nonce-74e1441e-1985-44d1-8d57-676b6ca3273e'' ; report-uri https://localhost:44361/api/csp/violations; report-to https://localhost:44361/api/csp/violations;

Inline script tag:

<script nonce="74e1441e-1985-44d1-8d57-676b6ca3273e">

Trouble with admin UI

I'm getting a lot of console errors from the Jhoose.Security scripts in the admin view, and it's displaying a blank page.

I can see in the Network tab that the fetching from /EPiServer/Jhoose.Security/jhoosesecurityadmin and csp-app.js is OK and also the call to /api/csp and /api/csp/settings. But still something is clearly missing due to the errors. I'm using Episerver 12.17.1 and Jhoose.Security.Admin 1.5.2.235

Server cannot append header after HTTP headers have been sent.

Hi Andrew,

I have installed this, must say really like this :)

I am getting an error logged, I wonder if you have seen it previously.

2022-06-16T14:20:10,Error,,3aa17f,637909860100312142,0,1060,90,"EPiServer.Global : Unhandled exception in ASP.NET
System.Web.HttpException (0x80004005): Server cannot append header after HTTP headers have been sent.
   at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
   at Jhoose.Security.Services.JhooseSecurityService.AddContentSecurityPolicy(HttpResponse response)
   at Jhoose.Security.HttpModules.JhooseSecurityModule.Context_EndRequest(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.<>c__DisplayClass285_0.b__0()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)",

V1.2.2 Epi 11

Tim H

Settings not displaying in UI

Hi Andy

Version: Jhoose.Security.Admin 1.5.2.235
None of the saved settings are populating in the UI when you hit the settings page directly (/EPiServer/Jhoose.Security/jhoosesecurityadmin#/csp/settings).
For example, the "mode" is defaulting to "on". It appears to be displaying the initial state:
settings: { mode: "on", reportingUrl: "" }

Toggling between "Policy" and "Settings" in the nav displays the correct settings.

Cheers
Jeremy

Missing feature preload on StrictTransportSecurity

Trying to improve my Optimizely Blog site and using this Swedish service for security scanning.

https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Foptimizely.blog


Missing Preload eg: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"

Suggestion:
"StrictTransportSecurity": {
  "MaxAge": 31536000,
  "IncludeSubDomains": true, 
  "preload":  true
},

Meanwhile, how do I disable StrictTransportSecurity from your plugin?

Mode Off / On / Report only

Ability to globally turn the policy on, off or report only mode.
Ability to set a single policy into report only mode.

navigation.bundle.js console error

Hi,

I've recently installed this package in the Optimizely 12 project, it is really great stuff.

I am seeing a small bug in the admin dashboard, a console error regarding the navigation.bundle.js file.


It looks like Optimizely tries to fetch notifications but gets the 400 HTTP response. I've made a quick investigation and probably the @Html.AntiForgeryToken() is missing from JhooseSecurityAdmin/index.cshtml file. I've tried it locally and added a token next to @Html.Raw(Html.CreatePlatformNavigationMenu()) line which seems to fix the issue.


Error adding headers if http request pipeline is re-run

This plugin seems to add headers without checking if they already exist. Therefore errors are thrown if the pipeline is rerun. In our solution we are using this in startup.cs to redirect server side to custom error pages:

app.UseStatusCodePagesWithReExecute("/statuscode/{0}");

This causes this plugin to try to add the headers again but they are already there.

There may be other scenarios where the headers might already be set by some other middleware, so this plugin should set or add the headers rather than try to add them without checking if they exist first.
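The duplicate-key exception, the "cannot append header after HTTP headers have been sent" error and this re-executed-pipeline report all come from the same defect: a header is added without first checking the response state. The middleware below is an added example written for this page, not code from Jhoose.Security, and the class names, the policy string and the reports.example endpoint are assumptions for illustration. It writes headers through the indexer (replace, not add), only while the response has not started, and defers the write to OnStarting so that running twice, as happens under UseStatusCodePagesWithReExecute, is harmless. The existence check is made on Response.Headers, not Request.Headers, since a CSP is never present on the incoming request. The CSP names a report-to endpoint group declared in Reporting-Endpoints, the serialization the first issue on this page expects.

```csharp
// Added example, not Jhoose.Security's own code: ASP.NET Core middleware that
// applies security headers idempotently and only while headers can still be written.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Primitives;

public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<SecurityHeadersMiddleware> _logger;

    // Assumed policy values; a real add-on loads these from its settings store.
    // report-to names an endpoint group declared in Reporting-Endpoints.
    private const string CspValue =
        "script-src 'self'; object-src 'none'; report-to csp-endpoint";
    private const string ReportingEndpointsValue =
        "csp-endpoint=\"https://reports.example/csp\"";

    public SecurityHeadersMiddleware(RequestDelegate next, ILogger<SecurityHeadersMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // OnStarting runs immediately before the first byte of the body is written,
        // the last moment headers may change. Registering it after HasStarted throws,
        // so the registration is guarded as well.
        if (!context.Response.HasStarted)
        {
            context.Response.OnStarting(() =>
            {
                ApplyHeaders(context.Response);
                return Task.CompletedTask;
            });
        }
        await _next(context);
    }

    private void ApplyHeaders(HttpResponse response)
    {
        if (response.HasStarted)
        {
            // ASP.NET Core equivalent of "Server cannot append header after HTTP headers have been sent".
            _logger.LogWarning("Response already started; security headers not applied.");
            return;
        }
        SetHeader(response, "Content-Security-Policy", CspValue);
        SetHeader(response, "Reporting-Endpoints", ReportingEndpointsValue);
    }

    // Checks and sets on Response.Headers (a CSP is never on the incoming Request).
    // The indexer replaces rather than adds, so a re-executed pipeline or another
    // middleware that already emitted the header cannot raise
    // "An item with the same key has already been added".
    private void SetHeader(HttpResponse response, string name, string value)
    {
        if (response.Headers.TryGetValue(name, out StringValues existing) && existing.Count > 0)
        {
            if (string.Equals(existing.ToString(), value, StringComparison.Ordinal))
            {
                return; // already correct, e.g. on the second pass of a re-executed pipeline
            }
            _logger.LogDebug("Replacing existing {Header} header.", name);
        }
        response.Headers[name] = value;
    }
}

public static class SecurityHeadersMiddlewareExtensions
{
    // Usage in Startup.Configure or Program.cs: app.UseSecurityHeadersExample();
    public static IApplicationBuilder UseSecurityHeadersExample(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityHeadersMiddleware>();
}
```

Because the write happens in OnStarting, the middleware can be registered on either side of UseStatusCodePagesWithReExecute: if both passes register the callback, the second one finds the header already set to the same value and returns without touching it.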

Import/Export settings

Import / Export settings - Allows easy transfer between environments
Ability to choose between csp / headers / global settings

Is there any way to make Jhoose Security support ReadOnly mode?

Hi, is there any way to make Jhoose Security support ReadOnly mode? Or turn it off when that is on.
I get the below error on startup.
I could manually exclude it in my solution but it's a lot of exclusions throughout the codebase, there must be a better way.

Database writes are blocked since the application is set to ReadOnly mode. ReadOnly mode is set either by the 'databaseMode' attribute on the 'episerver.dataStore' section or by the 'episerver:DatabaseMode' setting under the 'appSettings' section.
at EPiServer.Data.Providers.Internal.ReadOnlySqlDatabaseExecutor.ExecuteTransaction(Action action)
at EPiServer.Data.Dynamic.StoreDefinition.<>c__DisplayClass86_0.b__0()
at EPiServer.Data.Cache.Internal.LocalCache2.Add(TKey key, Boolean cacheNullValues, Boolean overwriteExistingValue, Func1 getAction, Action`2 setAction)
at EPiServer.Data.Dynamic.StoreDefinition.CommitChanges(DataStoreProvider provider)
at Jhoose.Security.Repository.StandardCspPolicyRepository.RemapT
at Jhoose.Security.Repository.StandardCspPolicyRepository.Bootstrap()
at System.Threading.Tasks.Task.InnerInvoke()
at System.Threading.Tasks.Task.<>c.<.cctor>b__272_0(Object obj)
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
at Microsoft.Extensions.Hosting.Internal.Host.d__12.MoveNext()
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.d__4.MoveNext()
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.d__4.MoveNext()
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
at XXX.Web.Program.Main(String[] args) in C:.....\Program.cs:line 20

Turn on Readonly db mode:
"EpiServer": {
  "Cms": {
    "DataAccess": {
      "DatabaseMode": "ReadOnly"
    }
  }
}

Invalid column when upgrading

Upgraded new version of the Security item and the following error occurs.
2024-08-08T01:07:46.9403819Z The property ReportingMode exists on both the old and new definitions but does not have the same type and converting a value caused an exception in the provider.
2024-08-08T01:07:46.9403917Z Invalid column name 'ReportingMode'.
2024-08-08T01:07:46.940403Z Invalid column name 'ReportingMode'.
2024-08-08T01:07:46.9404119Z at EPiServer.Data.Dynamic.StoreDefinition.TryMoveDataToUpdatingProperties(List1 updatingProperties, IList1 newMappings, StoreDefinitionParameters parameters, Boolean moveDataForRenamedProperties)
2024-08-08T01:07:46.9404226Z at EPiServer.Data.Dynamic.StoreDefinition.Remap(IDictionary2 typeBag, StoreDefinitionParameters parameters)
2024-08-08T01:07:46.9404314Z at EPiServer.Data.Dynamic.StoreDefinition.Remap(Type type)
2024-08-08T01:07:46.9404413Z at Jhoose.Security.Repository.StandardCspPolicyRepository.RemapT
2024-08-08T01:07:46.940449Z at Jhoose.Security.Repository.StandardCspPolicyRepository.Bootstrap()
2024-08-08T01:07:46.9404567Z at Jhoose.Security.Core.Provider.StandardCspProvider.Initialize()
2024-08-08T01:07:46.9404665Z at Jhoose.Security.DependencyInjection.InitialiseHostedService.b__2_0()

Not sure where this would be coming from

Add the ability to add hashes, for inline scripts

Either the 'unsafe-inline' keyword, a hash ('sha256-2pybZGheokqZHQXNgnlqo2tjXbzF9LWL4Dlvo4UYYfY='), or a nonce ('nonce-...') is required to enable inline execution.

script-src 'sha256-abc123'

Workaround
Can be added in the 'host source' section
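Three of the issues on this page (the host field accepting a carriage return and taking every page down with a 500, the nonce emitted as ''nonce-...'' so the browser rejects the script it was meant to allow, and the request for 'sha256-...' hash sources) are all failures to validate a CSP source expression before it is serialized into the header. The following is an added example, not Jhoose.Security's code: a validator for host-source, nonce-source and hash-source values, with a small demo over constructed inputs that mirror those issues. The class names are assumptions; the grammar follows CSP Level 3 (base64-value is ALPHA / DIGIT / "+" / "/" / "-" / "_" with up to two "=" ). It goes slightly beyond the reports by also checking that a hash digest decodes to the length its algorithm requires, which rejects placeholders such as 'sha256-abc123'.

```csharp
// Added example, not Jhoose.Security's own code: validating the CSP source
// expressions that the host-field, nonce and hash issues show going wrong.
using System;
using System.Text.RegularExpressions;

public static class CspSourceValidator
{
    // base64-value per CSP3: ALPHA / DIGIT / "+" / "/" / "-" / "_", then up to two "=".
    private const string Base64Value = @"[A-Za-z0-9+/\-_]+={0,2}";

    private static readonly Regex HostSource = new Regex(
        @"^(?:[A-Za-z][A-Za-z0-9+.\-]*://)?" +                      // scheme-part
        @"(?:\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)" +     // host-part
        @"(?::(?:\*|\d{1,5}))?" +                                     // port-part
        @"(?:/[^\s;,'""]*)?$", RegexOptions.Compiled);               // path-part

    private static readonly Regex NonceSource =
        new Regex("^'nonce-" + Base64Value + "'$", RegexOptions.Compiled);
    private static readonly Regex HashSource =
        new Regex("^'(sha256|sha384|sha512)-(" + Base64Value + ")'$", RegexOptions.Compiled);

    // Anything below 0x20 or DEL cannot appear in a header value; a CR or LF pasted
    // into the host field is what turns one saved policy into a 500 on every page.
    public static bool IsHeaderSafe(string value)
    {
        foreach (char c in value)
            if (c < 0x20 || c == 0x7F) return false;
        return true;
    }

    // Splits a pasted multi-line value so "abc.com\r\ndef.com" becomes two entries.
    public static string[] SplitHostSources(string pasted) =>
        pasted.Split(new[] { '\r', '\n', ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries);

    public static bool TryValidateHostSource(string value, out string error)
    {
        error = null;
        if (string.IsNullOrWhiteSpace(value)) error = "empty host source";
        else if (!IsHeaderSafe(value)) error = "control character (CR/LF) in host source";
        else if (!HostSource.IsMatch(value)) error = "not a valid host-source: " + value;
        return error == null;
    }

    public static bool TryValidateNonceSource(string value, out string error)
    {
        error = null;
        if (value.StartsWith("''") || value.EndsWith("''"))
            error = "nonce source is double-quoted; expected exactly 'nonce-<value>'";
        else if (!NonceSource.IsMatch(value))
            error = "not a valid nonce-source: " + value;
        return error == null;
    }

    // Serialises a raw nonce exactly once. The <script nonce="..."> attribute carries
    // the same raw value, with neither the 'nonce-' prefix nor the quotes.
    public static string FormatNonceSource(string rawNonce)
    {
        if (rawNonce.IndexOf('\'') >= 0 || !IsHeaderSafe(rawNonce))
            throw new ArgumentException("raw nonce must not contain quotes or control characters");
        return "'nonce-" + rawNonce + "'";
    }

    public static bool TryValidateHashSource(string value, out string error)
    {
        error = null;
        Match m = HashSource.Match(value);
        if (!m.Success) { error = "not a valid hash-source: " + value; return false; }

        // The digest must decode to the algorithm's length; this rejects placeholders
        // such as 'sha256-abc123' that have the right shape but can never match a script.
        int expected = m.Groups[1].Value switch { "sha256" => 32, "sha384" => 48, _ => 64 };
        string b64 = m.Groups[2].Value.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try
        {
            if (Convert.FromBase64String(b64).Length == expected) return true;
            error = "digest length does not match " + m.Groups[1].Value;
        }
        catch (FormatException) { error = "digest is not valid base64"; }
        return false;
    }
}

public static class CspSourceValidatorDemo
{
    public static void Main()
    {
        // Constructed inputs mirroring the issues above.
        foreach (string host in CspSourceValidator.SplitHostSources("abc.com\r\ndef.com"))
            Console.WriteLine(host + " -> " + (CspSourceValidator.TryValidateHostSource(host, out string e) ? "ok" : e));

        Console.WriteLine(CspSourceValidator.TryValidateNonceSource(
            "''nonce-74e1441e-1985-44d1-8d57-676b6ca3273e''", out string ne) ? "ok" : ne);
        Console.WriteLine(CspSourceValidator.FormatNonceSource("74e1441e-1985-44d1-8d57-676b6ca3273e"));

        foreach (string h in new[] { "'sha256-2pybZGheokqZHQXNgnlqo2tjXbzF9LWL4Dlvo4UYYfY='", "'sha256-abc123'" })
            Console.WriteLine(h + " -> " + (CspSourceValidator.TryValidateHashSource(h, out string he) ? "ok" : he));
    }
}
```

Run at save time in the admin UI, this rejects the carriage-return value before it ever reaches the header (or, via SplitHostSources, turns it into two valid hosts), refuses a double-quoted nonce, and accepts the real sha256 digest from the violation message while rejecting the placeholder.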
