Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

replace CSP with new default, with start/end markers for auto replacement #984

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

replace CSP with new default, with start/end markers for auto replacement #984

wants to merge 4 commits into from
+19 −20

Conversation

labkey-willm
Copy link
Contributor

Rationale

https://github.com/LabKey/kanban/issues/362

we're going to use the syseng-chef-repo's Content Security Policy as the source going forward. Updates there will be automatically sent here by github action.

Related Pull Requests

Changes

@labkey-willm labkey-willm mentioned this pull request Feb 6, 2025
Open
labkey-tchad
labkey-tchad requested changes Feb 6, 2025
View reviewed changes
Copy link
Member

@labkey-tchad labkey-tchad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is for TeamCity and dev deployments, not cloud deployments. You've removed the bit that enables the enforce CSP on dev enlistments (#useLocalBuild#) and made it so the CSP reports will be invisible on the test instance. TeamCity tests can't see the CSP warnings if they get sent to labkey.org.

@labkey-willm
Copy link
Contributor Author

This file is for TeamCity and dev deployments, not cloud deployments. You've removed the bit that enables the enforce CSP on dev enlistments (#useLocalBuild#) and made it so the CSP reports will be invisible on the test instance. TeamCity tests can't see the CSP warnings if they get sent to labkey.org.

Ah, I see. I didn't realize what all that was doing. Do teamcity or devs need the report block at all? If not, I could leave that out of what I'm copying in from the chef repo (while retaining the #useLocalBuild# comments).

Or better/simpler, if we only copy in an uncommented enforce block, but strip "https://www.labkey.org" out of the report-uri, would that work for both dev and teamcity?

@labkey-tchad
Copy link
Member

Ah, I see. I didn't realize what all that was doing. Do teamcity or devs need the report block at all? If not, I could leave that out of what I'm copying in from the chef repo (while retaining the #useLocalBuild# comments).

Or better/simpler, if we only copy in an uncommented enforce block, but strip "https://www.labkey.org" out of the report-uri, would that work for both dev and teamcity?

Not all of our TeamCity suites can handle the enforce policy. RStudio still throws several warnings.
We want the report policy on TeamCity because the test suites will reliably check for CSP alerts in the log and alert us to problems without interrupting the rest of the test. It also lets us selectively ignore violations without disabling the CSP check entirely (LabKey/testAutomation#1908).
For developers we want the enforce policy because it can make the violations more in-your-face since most folks don't monitor the csp log. (#956)

@labkey-willm
Copy link
Contributor Author

Ah, I see. I didn't realize what all that was doing. Do teamcity or devs need the report block at all? If not, I could leave that out of what I'm copying in from the chef repo (while retaining the #useLocalBuild# comments).
Or better/simpler, if we only copy in an uncommented enforce block, but strip "https://www.labkey.org" out of the report-uri, would that work for both dev and teamcity?

Not all of our TeamCity suites can handle the enforce policy. RStudio still throws several warnings. We want the report policy on TeamCity because the test suites will reliably check for CSP alerts in the log and alert us to problems without interrupting the rest of the test. It also lets us selectively ignore violations without disabling the CSP check entirely (LabKey/testAutomation#1908). For developers we want the enforce policy because it can make the violations more in-your-face since most folks don't monitor the csp log. (#956)

ok, I've got it all fixed up to keep report enabled, enforce hidden by the #useLocalBuild#, the trimmed report-uri for both, and the github action in chef wired up to maintain all of that: https://github.com/LabKey/syseng-chef-server/pull/608

labkey-tchad
labkey-tchad requested changes Feb 10, 2025
View reviewed changes
server/configs/application.properties Outdated Show resolved Hide resolved
server/configs/application.properties
Comment on lines +129 to +130
csp.report=\
default-src 'self' ;\
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do the enforce rules include https: but the report rules don't?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leaving out https: makes the policy more strict, which needs to be vetted with report before it is applied to enforce

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing https causes some CSP warnings. We have some tests that embed youtube videos (also used on labkey.org).
R reports also have the capacity to add external dependencies. JavaScript dependencies are allowed through by this CSP but CSS dependencies are not ("violated-directive": "style-src-elem").

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@labkey-adam , were any of these addressed in your recent work?

Should I restore https: until these dependencies are taken care of?

Or, proceed as is, so we can fix these and maybe catch other warnings as well.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not address these in recent work. I'd be in favor of leaving https: out of the report policy and adding specific youtube.com URLs as external connections.

labkey-tchad
labkey-tchad requested changes Feb 10, 2025
View reviewed changes
Copy link
Member

@labkey-tchad labkey-tchad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not ready to remove https yet

server/configs/application.properties
Comment on lines +129 to +130
csp.report=\
default-src 'self' ;\
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing https causes some CSP warnings. We have some tests that embed youtube videos (also used on labkey.org).
R reports also have the capacity to add external dependencies. JavaScript dependencies are allowed through by this CSP but CSS dependencies are not ("violated-directive": "style-src-elem").

@labkey-jeckels
Copy link
Contributor

Not ready to remove https yet

Can tests and labkey.org add YouTube as an allowed external connection? I don't think we want to add that everywhere.

And should we support nonces on style elements too?

@labkey-adam
Copy link
Contributor

Not ready to remove https yet

Can tests and labkey.org add YouTube as an allowed external connection? I don't think we want to add that everywhere.

And should we support nonces on style elements too?

Yes, I was going to suggest adding https://www.youtube.com as well. I don't know about the style elements.

@labkey-tchad
Copy link
Member

And should we support nonces on style elements too?

The styles triggering the CSP aren't actually in a style element: "<link type="text/css" rel="stylesheet" href="https://cdn.datatables.net/1.13.6/css/jquery.dataTables.min.css">"

@labkey-tchad
Copy link
Member

Not ready to remove https yet

Can tests and labkey.org add YouTube as an allowed external connection? I don't think we want to add that everywhere.

It would take a gradle plugin update to modify the CSP in this file when deploying dev and test environments. Probably not too tricky but not a freebie.

@labkey-jeckels
Copy link
Contributor

Not ready to remove https yet

Can tests and labkey.org add YouTube as an allowed external connection? I don't think we want to add that everywhere.

It would take a gradle plugin update to modify the CSP in this file when deploying dev and test environments. Probably not too tricky but not a freebie.

I meant, can tests add allowed servers through the Admin Console's External Allowed Sources link?

@labkey-tchad
Copy link
Member

Not ready to remove https yet

Can tests and labkey.org add YouTube as an allowed external connection? I don't think we want to add that everywhere.

It would take a gradle plugin update to modify the CSP in this file when deploying dev and test environments. Probably not too tricky but not a freebie.

I meant, can tests add allowed servers through the Admin Console's External Allowed Sources link?

Unfortunately, no.
connect-src doesn't cover iframes. We'd need a frame-src or child-src directive to allow embedding external videos.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@labkey-jeckels labkey-jeckels labkey-jeckels left review comments

@labkey-adam labkey-adam Awaiting requested review from labkey-adam

@labkey-stuartm labkey-stuartm Awaiting requested review from labkey-stuartm

@labkey-tchad labkey-tchad Awaiting requested review from labkey-tchad

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@labkey-willm @labkey-tchad @labkey-jeckels @labkey-adam