CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12638] Include support for Content Security Policies

Created By: ellmann creative (ellmanncreative)
Date Submitted: 2023-08-22 07:55

Assigned To: Fernando Morgado (JoMorg)
Resolution: Accepted
State: Open
Summary:
Include support for Content Security Policies
Detailed Description:
If you provide a CSP header of your own, you are very likely going to break page
functionality - but even if you add your own code's hashes and so on (so that
your website/content works), the admin panel generates dynamic/inline CSS and JS
which will not be covered by the CSP you specify and will fail (the Content
Manager, for example, will stop working entirely).

As it currently is - it is impossible to use CMS MS admin without a) using an
unsafe-inline CSP, or b) adding hashes to the CSP each time you begin a new
session with the panel.

I propose that CMS MS generate its own CSP headers, so that it can insert its
own nonces and/or hashes for the dynamically-generated contents it inlines.

It would also be important to have configurability, so that you can add and/or
specify CSP for anything not covered by CMS MS (like your own content's hashes,
frame-ancestors options and so on). This would allow one to move existing CSPs
defined elsewhere into CMS MS.

One potential issue I can see is a situation where a CSP is already applied
externally (via a .htaccess file, for example) and cannot be modified. I know
modifying a CSP is possible, but as I understand - it can only be made more
restrictive in the process. I am unsure as to what solution to propose for this
issue, beyond "move everything to CMS MS and allow it to handle things instead".

History

Comments
Date: 2023-10-04 14:11
Posted By: Fernando Morgado (JoMorg)

Ok so, although this feature request has been accepted, and after a long
examination of the current structure of CMSMS and what supporting any CSP
directives entails, we were confronted with a few barriers:
- there is a lot of inline code in the backend of CMSMS, be it CSS or javascript
resources;
- an extensive part of the existing inline code is in 3rd party modules and
plugins;
- while we can start adding the mechanisms to support CSP there is no way we can
enforce it on 3rd party module developers;
- even building support for CSP will be a continued effort: it's not easy to
track all the instances where inline resources are being used in the core
and core modules;

Having said that I'll start the implementation of the mechanisms required to
support this request to the extent possible in the current state of the code
base. That will be, as far as I could assess, just short of full support. This
will be implemented in steps, so that the code will probably support it on the next
release, but the modifications of the templates will be left to be done in
another release as this will take more time. At the same time we will do our
best effort to bring to the 3rd party developers the introduction of the new
API, and the ways they will have at hand to modify their modules.

This is a long term project that will be initiated this next release but will
most likely take some time before it can be fully implemented.

There is a possibility that we can somewhat change the templates
programmatically on the fly for the backend, which would make the implementation
of the feature possible in less time, but that will require some
testing. It will slow down the backend a bit, but might be worthwhile as a good
part of it is cached.

This is already a WIP, I'll keep you posted.
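The two mechanisms discussed in this ticket, per-request nonces/hashes for inline resources (the original request) and rewriting the rendered backend output on the fly instead of editing every template (the approach floated in the comment above), as an added example that is not CMSMS code and not part of this ticket. It also shows why the hash-only approach the reporter tried fails for session-dependent inline scripts, and how an operator-supplied fragment (frame-ancestors, own content hashes) is merged into the generated header without dropping the nonce. `admin_page` is a constructed stand-in for what an admin page might emit; `stamp_nonces`, `inline_hashes`, `build_csp` and `render` are hypothetical helper names, not a CMSMS API.

```python
"""Per-request Content-Security-Policy with nonces and hashes for inline
script/style blocks. Added example only; CMSMS has no such functions."""
import base64
import hashlib
import re
import secrets

# Matches inline <script>/<style> elements that carry no src= attribute:
# group 1 = tag, group 2 = attribute string, group 3 = body.
INLINE_RE = re.compile(
    r"<(script|style)\b(?![^>]*\bsrc=)([^>]*)>(.*?)</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)


def new_nonce() -> str:
    """Fresh, unguessable nonce per response (>=128 bits, base64 per the CSP spec)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_hash(source: str) -> str:
    """'sha256-...' source expression for one inline block. The hash covers the
    exact bytes between the tags, so any change (whitespace, a session id)
    changes the hash and a header computed earlier no longer matches."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def stamp_nonces(html: str, nonce: str) -> str:
    """Rewrite rendered HTML on the fly: add nonce="..." to every inline
    script/style element that does not already carry one. External scripts
    (src=) are left alone; they are covered by 'self' or a host source."""
    def add(m):
        tag, attrs, body = m.group(1), m.group(2), m.group(3)
        if re.search(r"\bnonce=", attrs, re.IGNORECASE):
            return m.group(0)
        return f"<{tag}{attrs} nonce=\"{nonce}\">{body}</{tag}>"
    return INLINE_RE.sub(add, html)


def inline_hashes(html: str) -> dict:
    """Hash every inline block: the alternative for output that is already
    final and cannot be rewritten (e.g. emitted by a third-party module)."""
    out = {"script": [], "style": []}
    for m in INLINE_RE.finditer(html):
        out[m.group(1).lower()].append(csp_hash(m.group(3)))
    return out


def build_csp(nonce, script_hashes=(), style_hashes=(), extra=None) -> str:
    """Assemble the header value. `extra` is the operator-configured part
    (own content hashes, frame-ancestors, ...). A directive present in both
    is merged, never replaced, so the core's nonce is never lost."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *script_hashes],
        "style-src": ["'self'", f"'nonce-{nonce}'", *style_hashes],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }
    for name, values in (extra or {}).items():
        merged = directives.setdefault(name, [])
        for v in values:
            if v not in merged:
                merged.append(v)
    return "; ".join(f"{name} {' '.join(vals)}" for name, vals in directives.items())


def render(html: str, extra=None):
    """One response: stamp a nonce into the page and emit the matching header.
    Returns (header_value, page_html)."""
    nonce = new_nonce()
    return build_csp(nonce, extra=extra), stamp_nonces(html, nonce)


def admin_page(session_id: str) -> str:
    """Constructed sample of admin output: a session value in an inline
    script (the situation the ticket describes) plus an external script."""
    return (
        "<html><head><style>body{margin:0}</style></head><body>"
        f"<script>var cms_sid='{session_id}';</script>"
        "<script src=\"/admin/app.js\"></script></body></html>"
    )


if __name__ == "__main__":
    # Hash-only: the inline body differs per session, so the hash does too.
    a = inline_hashes(admin_page("aaa"))["script"][0]
    b = inline_hashes(admin_page("bbb"))["script"][0]
    print("hash stable across sessions:", a == b)
    # Nonce-based: header and markup are produced together for each request.
    header, page = render(admin_page("aaa"), {"frame-ancestors": ["'none'"]})
    print(header)
    print(page)
```

Two caveats a deployment needs to keep in mind. The regex rewrite is a stopgap for markup the core does not control; it does nothing for inline event handlers (`onclick=`) or `javascript:` URLs, which neither a nonce nor a hash can whitelist, so those still have to be moved into nonced blocks at the template level. And, as the reporter suspects, a policy already sent by the web server (for example from `.htaccess`) cannot be loosened by a second header: browsers enforce every `Content-Security-Policy` header they receive, so the nonce-bearing header only helps if the external one is removed or made compatible.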

Updates

Updated: 2023-08-22 08:09
resolution_id: => 6
assigned_to_id: 100 => 12532