
Content Security Policy (CSP) conformance

Started by tomreyn, April 16, 2013, 07:56:05 PM


tomreyn

Hi,

I'd like to suggest that future versions of SMF (its default theme) should become fully conformant with a restrictive Content Security Policy, and that instructions to apply a simple CSP should be provided. CSP is a new (and thorough) way of preventing cross site scripting (XSS) and related attacks. It is now becoming a W3C standard and is already implemented in Chromium / Chrome and will soon be supported by Firefox (which currently supports a subset by means of an X-header), too.

Some resources to read up on it:
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
https://developer.chrome.com/extensions/contentSecurityPolicy.html
http://developer.chrome.com/apps/app_csp.html
https://developer.mozilla.org/en-US/docs/Security/CSP/Using_Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Security/CSP/CSP_policy_directives
http://people.mozilla.com/~bsterne/content-security-policy/

We're now applying a rather lax CSP on https://forum.megaglest.org (as can be inspected at web-sniffer.net):
Content-Security-Policy: default-src 'self' megaglest.org *.megaglest.org; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src *

At this time, using SMF 2.0.4, we sadly have to make use of unsafe-inline and unsafe-eval. The former is currently necessary to make, for example, the rich-text editor work, while the latter is required for the global javascript setTimeout function (I'm not sure what this does exactly, but it's probably related to session lifetime or "who is online").

This web page nicely explains how to get around these issues:
https://developer.chrome.com/extensions/contentSecurityPolicy.html

Compliance testing is easy when you either use your web browser's error console while accessing the web application (SMF), or, to get reports from other users too, use violation reporting:
https://developer.mozilla.org/en-US/docs/Security/CSP/Using_CSP_violation_reports

Thanks for considering.
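
The policy quoted above, run through a small parser, as an added example that is not part of the original post or of SMF. It splits the header into directives, flags the 'unsafe-inline' / 'unsafe-eval' grants, and answers "would this URL load?" using the browser's source-matching rules, including the fall-back to default-src for directives the policy does not name (which is why a YouTube embed is refused below even though frame-src is never mentioned). The page origin and the sample URLs are assumptions; ports and path matching are left out.

```javascript
'use strict';

// Added example, not SMF code. Parses a CSP header into its directives, flags
// the 'unsafe-*' keywords, and answers "would this URL be allowed?" using the
// browser's source-matching rules (directive absent -> fall back to default-src).
// POLICY is the header quoted in the post; PAGE is an assumed page origin.
const POLICY =
  "default-src 'self' megaglest.org *.megaglest.org; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; img-src *";
const PAGE = 'https://forum.megaglest.org';

// "dir src src; dir src" -> { dir: [src, ...] }. Names are case-insensitive and a
// repeated directive is ignored, which is what browsers do.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// List the directives that still grant 'unsafe-inline' or 'unsafe-eval'.
function findUnsafe(policy) {
  const findings = [];
  for (const [dir, sources] of Object.entries(policy)) {
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (sources.includes(kw)) findings.push(dir + ' ' + kw);
    }
  }
  return findings;
}

// Does a single source expression permit `url` for a page served from `pageOrigin`?
// Handles 'self', 'none', '*', "scheme:" sources and host sources with an optional
// scheme and a leading "*." wildcard. Ports and paths are ignored for brevity.
function sourceMatches(src, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (src === "'self'") return u.origin === page.origin;
  if (src === "'none'") return false;
  // '*' does not cover data:, blob: or filesystem: URLs; they must be listed explicitly.
  if (src === '*') return !['data:', 'blob:', 'filesystem:'].includes(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  if (src.startsWith("'")) return false; // other keywords never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  const host = m[2].toLowerCase();
  // A scheme-less host source matches the page's scheme, or https as an upgrade.
  if (scheme ? u.protocol !== scheme
             : u.protocol !== page.protocol && u.protocol !== 'https:') return false;
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// Is `url` allowed under `directive`? An absent directive falls back to
// default-src; with neither present, everything is allowed.
function isAllowed(policy, directive, url, pageOrigin) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const policy = parseCsp(POLICY);
console.log(findUnsafe(policy));
console.log('hotlinked image:', isAllowed(policy, 'img-src', 'https://i.imgur.com/a.png', PAGE));
console.log('YouTube embed:', isAllowed(policy, 'frame-src', 'https://www.youtube.com/embed/x', PAGE));
console.log('CDN jQuery:', isAllowed(policy, 'script-src', 'https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js', PAGE));
```

Run under Node: the image loads because img-src is `*`, the embed and the CDN script are refused, and a plain-http link to megaglest.org is refused on an https page because a scheme-less host source never downgrades. Real browsers also match ports and paths, which this omits.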

Arantor

Bad idea from the get-go.

A lot of users provide image links - or even embedded media content. The former rules out restriction of media on the site's domain - as you even discovered yourself.

It's not just the rich text editor that would require it, unfortunately, it's anywhere there is an inline event, which is a surprising variety of places - even down to the toggle for quick reply being shown or hidden.

setTimeout is used for the keepalive which is designed to minimise the number of 'session timeout' errors e.g. when writing a long post.

While I think it's a great idea (and I raised it a while ago on a certain SMF fork's discussion area), the conclusion we came to is that the practicality of it is somewhat prohibitive.

See, not content with the default theme having restrictions, you'd also have to get modders to update their mods in line with the restrictions, which is very troublesome.

It also raises significant troubles with those who use things like jQuery from CDNs (e.g. from Google's or jQuery's own), and I know SMF 2.1 does use jQuery, though I suspect it is a local bundled copy rather than a CDN version.

Sad truth is that while pragmatically it seems like a good idea, the hassle it will generate, especially in terms of 'why can't I do x' help requests, is extremely prohibitive. (Remember, someone has to support the users who run into difficulties, and there are precious few users here who understand the rules around such a facility.)
Holder of controversial views, all of which my own.


tomreyn

Well, this feature request is about making the default distribution of SMF more in line with the basic restrictions set by a Content Security Policy. It would be helpful to me, and I think to many others, too.

I am by no means suggesting that everyone running SMF should have to learn what CSP means or that it should even become a default setting (surely this would be a bad idea). I'm just saying it would be good to enable those who want to to actually use CSP with a sane policy. I am convinced that CSP will soon (say within the next two years) gain significantly more traction.

I don't understand the argument about CDNs. If your site uses one, then you whitelist it - and you're done. If your CSP results in users' support requests then you most likely did something wrong. CSP allows you to have the browsers of visitors to your site test, without enforcing it, whether a policy you would like to apply would be violated, and have them send a report to a CGI you are hosting - all of which takes place fully automatically in the background; the user won't even realise/know.

So introducing CSP support, both in a piece of software and on a live website, is a process (also regarding mods and their coding standards, I agree there), but as with every process, you need to start somewhere. That's what we do with our SMF installation / live site, and I hope the core developers will take this into consideration for this software, too.
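
The report-only workflow described in this post, as an added example that is not part of the original thread or of SMF: the browser is given a Content-Security-Policy-Report-Only header with a report-uri, enforces nothing, and POSTs a JSON body for each violation. The code below digests those bodies into, per directive, the origins that would need whitelisting and the violations that only a code change can fix (inline script and eval never become allowed by adding a host). The endpoint path and all sample reports are constructed for illustration.

```javascript
'use strict';

// Added example, not part of the original post. The report-only header tells
// browsers to send violations to a reporting endpoint without blocking anything;
// summarize() digests the JSON bodies that endpoint receives into per-directive
// host lists (candidates to whitelist) and code-level problems (inline/eval,
// which no whitelist entry can fix). The endpoint path and the sample reports
// are constructed for illustration.
const REPORT_ONLY_HEADER =
  "Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report";

const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://forum.megaglest.org/index.php?topic=1.0",'
    + '"violated-directive":"img-src \'self\'","effective-directive":"img-src",'
    + '"blocked-uri":"https://i.imgur.com/abc.png"}}',
  '{"csp-report":{"document-uri":"https://forum.megaglest.org/index.php?topic=1.0",'
    + '"violated-directive":"script-src \'self\'","effective-directive":"script-src",'
    + '"blocked-uri":"inline","line-number":42}}',
  // Older (CSP 1.0 style) report: no effective-directive, so the directive name
  // is taken from the first token of violated-directive.
  '{"csp-report":{"document-uri":"https://forum.megaglest.org/index.php",'
    + '"violated-directive":"script-src \'self\'","blocked-uri":"eval"}}',
  '{"csp-report":{"document-uri":"https://forum.megaglest.org/index.php?topic=2.0",'
    + '"violated-directive":"default-src \'self\'","effective-directive":"frame-src",'
    + '"blocked-uri":"https://www.youtube.com/embed/xyz"}}',
  'not json at all', // anything can POST to the endpoint; junk must not crash it
];

// Extract what matters from one report body; null for bodies that are not reports.
function parseReport(body) {
  let r;
  try { r = JSON.parse(body)['csp-report']; } catch (e) { return null; }
  if (!r || typeof r !== 'object') return null;
  const directive = r['effective-directive']
    || String(r['violated-directive'] || '').split(/\s+/)[0];
  return { directive, blocked: String(r['blocked-uri'] || ''), doc: r['document-uri'] };
}

// Group violations per directive into whitelist candidates and code fixes.
function summarize(bodies) {
  const summary = {};
  for (const body of bodies) {
    const rep = parseReport(body);
    if (!rep || !rep.directive) continue;
    const e = summary[rep.directive] || (summary[rep.directive] = { hosts: {}, codeFixes: {} });
    if (['inline', 'eval', 'self', ''].includes(rep.blocked)) {
      // "self" is what some early browsers reported for blocked inline code.
      const key = rep.blocked || 'unknown';
      e.codeFixes[key] = (e.codeFixes[key] || 0) + 1;
    } else {
      let origin;
      try { origin = new URL(rep.blocked).origin; } catch (err) { origin = rep.blocked; }
      e.hosts[origin] = (e.hosts[origin] || 0) + 1;
    }
  }
  return summary;
}

// Candidate source lists per directive. Review these by hand before adding them
// to the policy: reports come from arbitrary clients and can be forged.
function suggestSources(summary) {
  const out = {};
  for (const [dir, e] of Object.entries(summary)) out[dir] = Object.keys(e.hosts).sort();
  return out;
}

console.log(REPORT_ONLY_HEADER);
console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
console.log(suggestSources(summarize(SAMPLE_REPORTS)));
```

The point of the split is operational: the hosts list is what a site owner reviews before widening the policy, while the codeFixes counts under script-src are the inline handlers and string timers that no amount of whitelisting removes. Never feed the suggestions back into the policy automatically; the endpoint accepts unauthenticated POSTs from anyone.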

Arantor

Helpful to you != helpful to a large subset of users.

Most users do not care how it works, do not want to care etc. I can guarantee you that the number of people who hang out on this website have no idea what a CSP is or why it is generally a good thing.

Quote
I am by no means suggesting that everyone running SMF should have to learn what CSP means or that it should even become a default setting (surely this would be a bad idea).

Except you're posting it in the main feature requests board, intimating you believe it should be a default feature in SMF.

Quote
I'm just saying it would be good to enable those who want to to actually use CSP with a sane policy

Then get someone to make a mod for it instead and then they can have all the fun trying to support the various combinations that will come up.

Quote
I don't understand the argument about CDNs. If your site uses one, then you whitelist it - and you're done.

You're relying on end users to both configure a CDN and then whitelist it in the CSP configuration. If there's a sane interface it might be an option, I guess.

Quote
If your CSP results in user's support requests then you most likely did something wrong.

Do you want to be responsible for supporting users who have trouble with this, though? That's the other thing we have to consider here: if it becomes a default feature, the support team will have to support it. And like I said, the number of people who know how to configure such a thing here is extremely small.

Every day we see people doing really daft things and breaking their forum through ineptitude and carelessness. This to me seems like a really bad idea to make it even easier to break things.

Quote
CSP allows you to have the browsers of visitors to your site test, without enforcing them, whether a policy you would like to apply will be violated, and have them send a report to a CGI you are hosting

Yes, I know, but it doesn't mean that users will be able to actually configure it correctly even with a test mode around.

Quote
That's what we do with our SMF installation / live site and I hope the core developers will take into consideration regarding this software, too.

Oh, it's been considered. The fact it hasn't been implemented even after consideration of a couple of years (not even in 2.1) suggests it won't be implemented any time soon.

Did I also mention, I develop a fork of SMF? I'm not just some random person, I do actually develop a fork and in that fork I've done all kinds of crazy things, but I won't implement CSP as a core feature precisely because of the reasons I mentioned. But I would make it a viable plugin for those who *did* want to implement such a thing.

(And actually in the fork, there are a great number of changes that make this stuff somewhat easier, like a built in event deferrer meaning that AFAIR there is not a single actual on-something event. The templates declare it as such but it's pre-processed and pulled to the end of the page so that jQuery can be late-loaded)


tomreyn

Thanks for your replies, Arantor. It's great that you reply swiftly and keep up the forum activity here. I understand that you develop an SMF fork, and you have my sympathy for doing this.

I also hope to receive a reply by one of the SMF developers when they get to it (I'm not in a hurry).

On your reply, Arantor, I think we're having a bit of a misunderstanding here. This can be my fault, maybe I didn't express this well enough:

I'm not really suggesting that future releases of SMF should add any CSP HTTP response headers, I'm not suggesting that there should be a way to set a CSP in the admin panel or in configuration files.

What I'm suggesting is to improve those parts of the code which make it hard to use SMF with a sane CSP (for those, agreeably few, who want to set those custom headers themselves, be it by means of web server configurations, an SMF mod, or whatever). As I pointed out, it's rather easy to change the code so that it doesn't cause problems, basically it can boil down to search and replace (regular expressions). Making these changes to the core would not reduce functionality or performance.

I do understand that mods can make core modifications, and thus using a mod could be an option to apply these improvements. I don't think it's the right approach, though, since this is not a matter of preference, but an improvement which should be generic and not cause any problems (other than mod compatibility issues which changes to the core can surely always cause with the current modification system - I'm looking forward to the planned improvements there!).

Arantor

Quote
I'm not really suggesting that future releases of SMF should add any CSP HTTP response headers, I'm not suggesting that there should be a way to set a CSP in the admin panel or in configuration files.

So why post it in the Feature Requests board (whose sole purpose is for requesting features for SMF core)?

Quote
What I'm suggesting is to improve those parts of the code which make it hard to use SMF with a sane CSP

There's not really anything insane about your CSP that you describe.

What you're essentially asking SMF to do is overhaul near enough every template. I can only speculate how much of a mess the 2.1 rich text editor would be in that respect (since the one in 2.0 is gone) but I suspect it would continue to raise most of the same issues that you have.

I wonder how much functionality would have to be compromised to achieve a 'sane CSP'.

Quote
(other than mod compatibility issues which changes to the core can surely always cause with the current modification system - I'm looking forward to the planned improvements there!)

The planned improvements are modest at best and still rely on mod authors actually doing their job properly in upgrading them to 2.1. As it is, there is at least one prominent mod author who ported their mods from 1.1 to 2.0 improperly and lazily, which has caused issues. I don't see any pre-existing mods making use of the extra features in 2.1 unless they are *substantially* more useful (which I am not sure they are)


tomreyn

Quote from: Arantor on April 19, 2013, 08:37:21 AM
Quote
I'm not really suggesting that future releases of SMF should add any CSP HTTP response headers, I'm not suggesting that there should be a way to set a CSP in the admin panel or in configuration files.

So why post it in the Feature Requests board (whose sole purpose is for requesting features for SMF core)?

Because I'm requesting changes which need to be made in the SMF core. I was hoping this had been understandable by now.

Quote from: Arantor
Quote
What I'm suggesting is to improve those parts of the code which make it hard to use SMF with a sane CSP

There's not really anything insane about your CSP that you describe.

What you're essentially asking SMF to do is overhaul near enough every template. I can only speculate how much of a mess the 2.1 rich text editor would be in that respect (since the one in 2.0 is gone) but I suspect it would continue to raise most of the same issues that you have.

I wonder how much functionality would have to be compromised to achieve a 'sane CSP'.

Maybe sane was the wrong word to use there. But you know what I mean, I'd like to be able to get rid of 'unsafe-inline' and 'unsafe-eval' altogether, since they make a CSP much less useful.

I don't expect that any functionality would have to be compromised, as far as I can tell there are workarounds which are easy to apply. There are many occasions where they would need to be applied, but that's what regular expressions are good for.

Quote from: Arantor
Quote
(other than mod compatibility issues which changes to the core can surely always cause with the current modification system - I'm looking forward to the planned improvements there!)

The planned improvements are modest at best and still rely on mod authors actually doing their job properly in upgrading them to 2.1. As it is, there is at least one prominent mod author who ported their mods from 1.1 to 2.0 improperly and lazily, which has caused issues. I don't see any pre-existing mods making use of the extra features in 2.1 unless they are *substantially* more useful (which I am not sure they are)

I was actually referring to plans to have an extension system where an extension does not modify core files, but is just placed in some directory and is loaded from there as an include, plugging into core hooks. PHPBB also seems to have plans in this direction; I was surprised to learn they don't have it implemented yet, either.

Arantor

Quote
Because I'm requesting changes which need to be made in the SMF core. I was hoping this had been understandable by now.

And I was hoping it was understandable by now why that just isn't going to happen. SMF does not make changes in the core unless it is for functionality actually *in* the core, and I think we both agree that CSP functionality in the core would be a bad idea for most end users.

Bear in mind that you need every mod author and every theme author to do it properly, and that just doesn't happen.

Quote
I don't expect that any functionality would have to be compromised, as far as I can tell there are workarounds which are easy to apply. There are many occasions where they would need to be applied, but that's what regular expressions are good for.

I think you'd be surprised how much would have to be rewritten and how much of that might not be doable in the way you hope.

Quote
I was actually referring to plans to have an extension system where an extension does not modify core files, but is just placed in some directory and is loaded from there as an include, plugging into core hooks.

SMF has stated on multiple occasions it does not want to go too far in this direction because it would be less flexible than what it currently has, although the hook functionality has been improved. But there are still too many mods that will be upgraded and not rewritten to use hooks.


Arantor

Given the interesting fallout from adding the X-XSS-Protection header (even if I was a little overzealous with mode=1;block), I'm even less inclined to add this just because of all the backlash from mods that don't behave properly.


sheikzayed

CSP Implementation in Latest SMF Version ?
Our security team flagged a missing Content Security Policy (CSP) in SMF template version 2.0.18, posing a significant security risk. To avoid discontinuing SMF, we need confirmation:

Is CSP implemented in the latest SMF version?
If so, what is the earliest version with CSP support?
We urge the development team to prioritize CSP in future releases given its critical importance.

I also need help to upgrade from SMF 2.0.18 to 2.1 - Data Not Displaying
We encountered an issue upgrading our forum directly from SMF 2.0.18 to 2.1. The site displays a vanilla forum with no existing data.

What's the recommended procedure to upgrade and ensure data integrity is maintained?




Arantor

No, it's not. My arguments from 2013 still hold true - unless you're going to disallow users from posting images other than attachments, and disallow YouTube embedding, it's not achievable to implement this.

Especially as, as noted, the support burden of "I broke my forum" would go considerably up.


Kindred

And the fact that no one else has brought this up in over 10 years pretty much proves some of your original points
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

The side fact is that CSP never really took off the way it was supposed to, mostly because actually implementing it is ungodly hard when you realise how many sites really run code from other places - JS from CDNs, analytics, third party cookie service providers/banners, and that's before we get to forums that typically have social content in them.

Sure, it's all solvable, but the effort/cost equation keeps not being worth it.

I've done some nasty CSPs where the policy is a couple of hundred rules to cover all the possibilities, multiple KB worth of definitions...


Irisado

@sheikzayed - Please do not revive topics from nine years ago.  If you have difficulty with the upgrading process, please use the topic that you have already opened on this issue to discuss such matters there.
Soñando con una playa donde brilla el sol, un arco iris ilumina el cielo, y el mar espejea iridescentemente
