CSP and Nonce for better security

0E800

Apologies if all the reading I have done has misled me to the wrong conclusions.

The quick:

Add a extension to core that would replace all <script src=... to <script nonce="$Nonce">
If user decides to use it, they simply add a line to their nginx config that matches the value of whats entered in the flarum extension. This prevents any other scripts without the nonce hash to run inline.

The nonce attribute is way of telling browsers that the inline contents of a particular script or style element were not injected into the document by some (malicious) third party, but were instead put into the document intentionally by whoever controls the server the document is served from.

Let the user decide how they want to implement the nonce, but allow them the option of adding the nonce code where js is called for.

Reference material:

https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

https://www.owasp.org/images/c/c4/2017-04-20-OWASPNZ-SpagnuoloWeichselbaum.pdf

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

https://csp.withgoogle.com/docs/strict-csp.html

https://scotthelme.co.uk/csp-nonce-support-in-nginx/

Evaluate your own sites content security policy headers:
https://securityheaders.io

Here is mine:
https://securityheaders.io/?q=https%3A%2F%2Fkeys-daggers.org&followRedirects=on

Ralkage

I got a big fat F ?

0E800

Ralkage
A forum such as this with a lack of CSP can become a harvesting ground for people that like to do things just because they can.

A simple signature containing a tracking png or pixel would provide the pentester with the IP address of each browser that rendered the image.

A would be attacker would just need to host the file and embed in bbcode. However, if you have a CSP in place that says only images from imgur.com and the local Host are allowed, it would block the tracker.

Reference:

https://www.bleepingcomputer.com/news/security/email-tracking-pixels-used-for-pre-hack-info-gathering/

People think well I have antivirus or I have firewall enabled so I'm safe, I got a Mac, I'm safe. Just because your ports are locked doesn't mean your IP address can't be used for other analytical data.

Flarum isn't that popular with regards to companies that are actually using it publicly but when a stable release has been announced and popularity increases, there will be security concerns.

This should be addressed sooner than later.

Excellent information regarding the current CSP implementation:

https://developers.google.com/web/fundamentals/security/csp/