Why does Content-Security-Policy breaks flarum?

Braden

Whenever i try to add this Content Security Policy
Header add Content-Security-Policy: default-src ‘self’ *.example.com;

it works correctly, but breaks my site. Whats the best way to use Content Security Policy for flarum?

Valeyard

What's your site?

CSP is not really going to be a good idea for a forum because it'll block external images, videos, audio etc that may get embedded into your site (people hotlinking images etc). Referrer-Policy origin or same-origin may be what you want?

Braden

Valeyard thanks for replying

i was looking to add something similar to https://discuss.flarum.org/d/4788-are-you-using-csp-headers-with-flarum which i later found clark had already discussed about it, and it seem it wont work with flarum.

or can you come with a code that will work with default flarum?

Valeyard

Braden No I can't, because CSP is not at all meant for forums, Your users won't be able to embed images, videos, etc. If the Forum is private just do what I suggested, I just checked my own config on this:

ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/dhparam7680.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000;includeSubDomains;preload";
add_header Referrer-Policy same-origin;
add_header Permissions-Policy "camera=(),geolocation=(self)";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1;mode=block";

Same-origin like I said. That will prevent outside websites seeing the topic titles etc on a closed forum and is essential for privacy. Though I may change it to origin because it really doesn't matter if stuff is loaded from a domain name that is literally on VPS with 1 IP and no other websites!

Braden

because it'll block external images, videos, audio etc

That really isn't an issue, you can call the urls that you don't want to get blocked

askvortsov

We are hoping to eventually add CSP support; the biggest thing we'll need to register all js/css with a nonce so that it's trusted. Otherwise, your browser will reject Flarum's frontend source code.

Braden

askvortsov That will be great for sure and you know it! 😉

SMalt wow! no one expected that one coming, it looks well thought! 🤗
I noticed no one is able to share videos in your forum? I also noted you only caught the cdn in img-src 'self' , is it okay to only use the external domain main url as it appears? any difference? thank you!

Valeyard now we can say nothing is impossible in codding 😅
i hope all the code is placed inside <IfModule mod_headers.c> ? including SSL?

SMalt

This is working (for me):

  add_header Content-Security-Policy
  "default-src 'self';
  script-src 'self' 'unsafe-inline';
  img-src 'self' https://twemoji.maxcdn.com https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline';
  font-src 'self';
  base-uri 'none';
  frame-ancestors 'none';
  form-action 'self';
  block-all-mixed-content;";
  
  add_header Referrer-Policy 'strict-origin';

  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

  add_header X-Content-Type-Options 'nosniff';

  add_header X-XSS-Protection "X-XSS-Protection: 1; mode=block";

  add_header Set-Cookie "lcid=1043; Max-Age=60";

  add_header Permissions-Policy "camera 'none'";

Valeyard

Braden i hope all the code is placed inside <IfModule mod_headers.c> ? including SSL?

NGINX not Apache.

I'm still not clear on what you're trying to achieve with the CSP headers? It just seems like a bad idea to lock out all cross-site content on a forum. This post you linked to is from 2017, it's 2022 and almost all sites use HTTPS now (using TLS not SSL) so you don't have that much to worry about with mixed-content loading now - but if it's mixed-content you're concerned about use the existing plugin?

Braden

Valeyard What am trying to archive? Most likely it's just total trust with the visitors. Where they can be free to hop-in money anytime, hardily speak, and ask few questions concerning security.

Remember, on internet you can grow rapidly, just one night it can make you rich, but one small reason mmh, 😩 everyone will be anxious to leave

And i'll not be the only person checking the security status 😉 could be a tycoon somewhere from maybe Poland interested to partner

Valeyard

I've added the CSP header to my entire server now:

add_header Content-Security-Policy "default-src 'self' https:;script-src 'self' 'unsafe-inline' 'unsafe-eval' https:;style-src 'self' 'unsafe-inline' 'unsafe-eval' https:;font-src 'self';";

As mentioned you have to be BROAD with it so it doesn't block required resources and the ability of your members to embed images and videos.