• Stars
    star
    486
  • Rank 90,527 (Top 2 %)
  • Language
    PHP
  • License
    MIT License
  • Created about 9 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Collection of scripts, thoughts about CSP (Content Security Policy)

CSP useful, a collection of scripts, thoughts about CSP

I'm testing and using CSP (Content Security Policy), and here are some thoughts, resources, scripts and ideas on it.

Scripts

Report-URI folder

In folder "report-uri", you may find examples of CSP parsers you can use for report-uri.

  • csp-parser-basic.php : the most basic one, it sends an e-mail.
  • csp-parser-enhanced.php : avoids some bugs (listed below as CSP WTF), with a LOT of filters
  • csp-parser-with-database.php : put notifications in a database, then you can do whatever you want with all these informations! :)
  • csp-parser-with-database-pdo.php : also puts CSP notifications in a database but uses PDO instead of the mysqli extension.

CSP directives for third-party services

In folder "CSP for third party services", you may find examples of directives you need to use for some services.

CSP Check folder

In folder "csp-check", you may find the source of a proof of concept: this script was a quick and dirty way to reproduce a bug in Firefox, you can see it in action here: https://csp.nicolas-hoffmann.net/

Basically, the page generates an unique id, notifications sent to report-uri are put in database, the page makes an AJAX call to database, and the unique id helps to find CSP errors in database.

This is useful to prove bugs, not only for Firefox. ^^

To reproduce the bug:

  1. Open https://csp.nicolas-hoffmann.net/
  2. The page is going to generate a unique id, ex https://csp.nicolas-hoffmann.net/?id=foo
  3. Wait some seconds. The page doesn't find any notification in the database.
  4. Now inspect the page with Firefox inspector, please highlight some elements.
  5. Close the inspector
  6. Refresh the page with the id you have : https://csp.nicolas-hoffmann.net/?id=foo
  7. It is going to find a lot of CSP errors.

At the beginning, I've made it to prove that some Chrome extensions are sending notifications to report-uri (while they should not), and it helped to find/prove a bug in Firefox Inspector.

Here is the reported bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1195302

It should be is fixed with Firefox 42 https://bugzilla.mozilla.org/show_bug.cgi?id=1185351 :)

CSP WTF???

In folder "CSP WTF", you may find examples of strange notifications you may receive. Feel free to add/explain some.

Now the list is splitted in two, explained or not yet explained notifications.

Small tips and tricks

Multiple domains

Be careful if you have multiple domain names (foo.com, foo.net) pointing to a single website while using 'self' as value. Example: if a user is using a full url for an image, let's say http://foo.com/image.jpg, using 'self' won't be enough if the user is on foo.net. Be sure to allow all necessary domains.

Generate a hash

If you really have to use some inline scripts/css, for example:

<script>alert('Hello, world.');</script>

You might add 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng=' as valid source in your script-src directives. The hash generated is the result of:


base64_encode(hash('sha256', "alert('Hello, world.');", true))

in PHP for example.

Chrome PDF viewer blocking

According to Philippe De Ryck, setting CSP's object-src to 'none' blocks Chrome's PDF viewer. As he says, "unless you're hosting vulnerable flash files yourself, go with 'self', and ignore the warning on the CSP Evaluator".

Safari

According to, Safari’s default media controls get blocked when applying a Content-Security-Policy, see https://www.ctrl.blog/entry/safari-csp-media-controls (hint, allow img-src).

What CSP is really good for

In development

I use CSP to clean up some bad old contents (with inline-styles for example).

  1. Just activate CSP on a site with a report-uri
  2. Ask your boss/collegues/grandma to browse the website
  3. All notifications will come without doing anything (yes, I’m lazy)
  4. Yay, you know where you have to make some cleanup

Moreother, if you don't have the time to clean it, setting up CSP policy will avoid bad old styles from breaking the nice/clean new design. Or it will tell you when contributors are doing shit on the website.

To migrate a website to HTTPS

You might read how the Guardian moved to HTTPS using CSP: https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https

Progressive enhancement and orthogonality

As far as I can see, using CSP on my jQuery plugins helped me a lot to design them without inline styles/js. See for example: https://a11y.nicolas-hoffmann.net/ or https://van11y.net

So it is a great help for progressive enhancement, orthogonality and clean front-end.

How to see easily CSP directives on a website

For Firefox: make Maj+F2 and type "security csp". It will show you directives and advices.

If you have webdevelopper toolbar, go into infos - HTTP headers.

About plugins

JS/jQuery plugins should provide the CSP requirements they need to work (especially inline-styles or inline-js), so:

EDIT: an initiative has been set up by WebReflection to display CSP badges for your plugins/libraries.

Bugs I've found

Resources

Resources

CSP with Google

About collecting and filtering reports

Why you should use CSP

Interesting posts on how to deploy CSP

Other

Future of CSP

Online tools that test CSP

Add-ons Navigator

CMS Plugins

Enjoy!

Nicolas Hoffmann - @Nico3333fr

More Repositories

1

van11y-accessible-modal-window-aria

ES2015 accessible modal window system, using ARIA
JavaScript
90
star
2

jquery-accessible-tabs-aria

A simple jQuery code to provide accessible tabs starting from a simple source
HTML
85
star
3

van11y-accessible-tab-panel-aria

ES2015 accessible tabs panel system, using ARIA
JavaScript
66
star
4

jquery-accessible-modal-window-aria

jQuery simple and accessible modal window, using ARIA
HTML
60
star
5

jquery-accessible-accordion-aria

jQuery Accessible Accordion System, using ARIA
JavaScript
60
star
6

van11y-accessible-carrousel-aria

ES2015 accessible carrousel system, using ARIA
JavaScript
50
star
7

van11y-accessible-accordion-aria

ES2015 accessible accordion system, using ARIA
JavaScript
49
star
8

htaccess-useful

htaccess useful
48
star
9

ROCSSTI

RÖCSSTI : pour démarrer vos CSS avec la patate !
CSS
46
star
10

jquery-accessible-carrousel-aria

jQuery Accessible Carrousel System, using ARIA
HTML
40
star
11

van11y-accessible-hide-show-aria

ES2015 accessible hide-show system (collapsible regions), using ARIA
JavaScript
36
star
12

jquery-accessible-hide-show-aria

A simple jQuery code to provide accessible hide/show system using ARIA
HTML
31
star
13

jquery-accessible-autocomplete-list-aria

This jQuery plugin will transform and enhance a simple text input with a datalist into a wonderful and shiny input with autocomplete.
30
star
14

jquery-accessible-subnav-dropdown

This jQuery plugin simply enhances keyboard navigation on a “classic” drop-down menu.
26
star
15

van11y-accessible-simple-tooltip-aria

ES2015 accessible simple tooltip, using ARIA
JavaScript
25
star
16

jquery-accessible-simple-tooltip-aria

jQuery accessible simple tooltip window, using ARIA
23
star
17

jquery-accessible-dialog-tooltip-aria

jQuery simple and accessible dialog tooltip window, using ARIA
17
star
18

van11y-accessible-modal-tooltip-aria

ES2015 accessible modal tooltip system, using ARIA (compatible IE9+ when transpiled)
JavaScript
10
star
19

webfont-kits

Webfont kits for websites
CSS
4
star
20

front-end-useful

Some various tools/tricks for front-end dev
JavaScript
4
star
21

Composants-accessibles-et-de-qualite

Checklist tirées de l'atelier de @goetsu et @nico3333fr à Paris Web
2
star