1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Content Security Policy (CSP)

Discussion in 'XenForo Suggestions' started by rugk, Jun 29, 2015.

  1. rugk

    rugk Active Member

    As XenForo was built with "security in mind" I assume you want to secure or make it possible for server admins to secure their website. A great way to do this is Content Security Policy. However XenForo has some issues which make it difficult to use this in a strong way.

    Basic facts
    All test were executed with XenForo 1.4 on Apache. Javascript test were executed in Firefox 38.0.5.

    What is Content Security Policy?
    Content Security Policy can be accomplished with a simple HTTP header send by the webserver. It's basically a bunch of rules for the webbrowser, which prevent XSS attacks. And that XenForo is immune to XSS attacks is of course not the case as we can see at the latest update. And no I don't want to blame anyone - this can happen and happens in every forum software at a particular time. The point is that the CSP header can effectively prevent such attacks.

    More information:

    What is the problem?

    The problem is that XenForo uses at some points Javascript code in a way, which should be disallowed by a CSP to make the protection as effective as possible.
    I hope the details explain this more clearly.
    1. Get rid of inline scripts & styles
      The first - quite big - problem is that XenForo uses at various points JS embedded into HTML code. This may be easy for developing, but because of this I have to adjust the CSP (add 'unsafe-inline') and with this modification it won't prevent the biggest threat of XSS - inline script injection.
      As you maybe have to change many parts of XenForo this may not be easy to do, but maybe it's an idea for XenForo v2. :)
      As Mike West writes in the already linked HTML5Rocks blog:
      As for inline-styles (CSS) I did not find any one used in XenForo actually. And that's great! :)
    2. Get rid of eval
      Eval is evil. This is widely known and therefore it is (like inline-scripts) by default disallowed with CSP.
      But in XenForo I only found 2 files which are using eval:
      1. The jQuery file under /js/jquery/jquery-1.11.0.min.js uses eval in line 2. Here you maybe just have to use another jQuery (version) or something like this.
        For the user this jQuery file (and it's eval part) seems to be only used if you view the recent activity on a users profile page.
      2. And also one javascript for the flash uploader uses eval: /js/swfupload/swfupload.min.js :(
    If this is solved then we would have the possibility to use a robust CSP header, which disallows inline-javascript and eval, so that XSS attacks can be defended.

    Other things
    Another block is quite interesting. We currently use a CSP header which does not allow 'self' for font-src as we did not saw any fonts loaded from anywhere on the forum. Currently we use the default XenForo style.
    However we sometimes see reports from some fonts which were tried to be loaded.
    E.g. on our start page some browsers tried to load /fonts/KievitWebPro-Light.woff. This is especially interesting as the dir 'fonts' doesn't exists at all in XenForo.
    We could not reproduce this report.
    Does somebody has an idea why/where/at which action this font is loaded?
     
    Last edited: Jun 29, 2015
    Divvens, melbo, Joe Link and 5 others like this.
  2. Mike

    Mike XenForo Developer Staff Member

    The font issue is probably related to a user browser add-on. Those often modify the DOM to change behaviors.
     
  3. rugk

    rugk Active Member

    Yes this could of course be and I at first assumed the same. However it is not that likely, because at first the "source-file" is not something like extension://, but our normal homepage address. Secondly it's always the same font on the same URL, so if it would really be an add-on it have to be the same add-on and thirdly: Why would an add-on load a font from our homepage? I would understand it if the font came from http://fonthoster.myfantasticaddon.com or any local resource, but from our own site?
     
  4. Mike

    Mike XenForo Developer Staff Member

    If it's modifying the DOM, then it may appear to actually be from the source. I have seen that happen before. I've actually seen things like this show up in the DOM explorer.

    However, if you're able to determine this, you presumably can reproduce it, so you should be able to search the source and dive into the reference to find where it's coming from. You may also want to confirm with all browser extensions disabled (and/or confirm it with another browser).
     
  5. rugk

    rugk Active Member

    Well, it's exactly the problem that I cannot reproduce it. Why I can determinate it has another reason.
    What I did not described in detail was that CSP has another nice feature: With an report-uri in the header you can get reports from browsers where the CSP is violated. This way you can even detect XSS attacks - or such stupid errors, which seems to occur. But because of this I don't even know which browser they used (okay it have to be a browser, which supports CSP and the reporting feature, but nothing more).
    This is why I said I can't reproduce it - I only know that it appears.
     
  6. rugk

    rugk Active Member

    I have to correct myself: You also use inline-styles, so this would have to be adjusted too.
     
  7. rugk

    rugk Active Member

    And what about the first part: What do you think about making XenForo compatible with CSP?
    Or should I have better posted it in XenForo Suggestions? If so it would be nice if an admin can move it there.
     
  8. Mike

    Mike XenForo Developer Staff Member

    It would be more of a suggestion.
     
    Mouth likes this.
  9. rugk

    rugk Active Member

    Okay, thanks for moving it. :)
     
    Mouth likes this.
  10. Mouth

    Mouth Well-Known Member

    This would be a great addition to XF security, and a good selling point.
     
    adwade and rugk like this.
  11. adwade

    adwade Active Member

    rugk likes this.
  12. Fred.

    Fred. Well-Known Member

    Looks like I missed this one.
    Just came across this on the net and found this thread.
    Another vote from me. :)
     
    Mouth, rugk and adwade like this.
  13. Joe Link

    Joe Link Well-Known Member

    Watching this thread :)
     
  14. rugk

    rugk Active Member

    What about liking it too? :D
     
    Mouth and Joe Link like this.
  15. Joe Link

    Joe Link Well-Known Member

    Done!
     
    rugk and Mouth like this.

Share This Page