
Add Content Security Policy headers to all jQuery content sites #54

Open
1 task done
timmywil opened this issue Jul 4, 2024 · 10 comments · Fixed by #57
Labels: security; Service: Blogs (WordPress blogs); Service: Doc sites (WordPress doc sites); Service: Miscweb (Static sites and redirects)

Comments

@timmywil (Member) commented Jul 4, 2024

Proposed header value

```
"default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self';"
```

This should be tested with a report header first.

- Set up an endpoint that can accept security reports
@timmywil timmywil self-assigned this Jul 4, 2024
@timmywil timmywil added Service: Doc sites WordPress doc sites. security Service: Blogs WordPress blogs. Service: Miscweb Static sites and redirects. labels Jul 4, 2024
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Aug 12, 2024
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Aug 20, 2024
Krinkle added a commit to jquery/typesense-minibar that referenced this issue Aug 24, 2024
Krinkle added a commit to jquery/jquery-wp-content that referenced this issue Aug 24, 2024
@timmywil (Member, Author) commented

This also depends on jquery/jquery-wp-content#463

Also, the nginx changes are only being deployed to staging atm.

@timmywil timmywil reopened this Aug 24, 2024
@Krinkle (Member) commented Aug 24, 2024

@timmywil Of the three changed roles, only grunt has staging. It seems https://stage.gruntjs.com/ is now down. I guess an nginx syntax error?

@timmywil (Member, Author) commented

After consulting the docs, I don't see anything obviously wrong with the syntax. Instead, I think the issue has to do with the grunt site's use of proxy_pass. The way to address that seems to have changed over the years, but I think moving add_header to the location block will work. Also, we can add always to the end to ensure the header is sent along even in error responses.

@Krinkle (Member) commented Aug 26, 2024

@timmywil That didn't seem to bring the site back. I tried logging into the droplet, to check its puppet log and nginx error, but it's not responding to SSH.

Looks like something on 22 Aug (two days before your first patch). Could it be a coincidence?

DigitalOcean control panel - gruntjs-02.ops.stage.jquery.net

@Krinkle (Member) commented Aug 26, 2024

I've rebooted the instance and the site is now back up. Investigation at #60 (unrelated to this).

@timmywil (Member, Author) commented Sep 11, 2024

With the merging of jquery/jquery-wp-content#463, all staging sites (and all non-wordpress prod sites) now have CSP report headers. The next step will be to test all these sites and fix their issues. Once we've addressed any issues, we can deploy the report-only headers to production. We'll then test all the production sites. Then, we'll switch to real CSP headers.

Non-wordpress sites

Wordpress staging sites

@Krinkle (Member) commented Sep 11, 2024

@timmywil It seems even after #61, Firefox still reports the following console warning:

```
Content-Security-Policy: This site (https://stage.gruntjs.com/) has a Report-Only policy without a report-uri directive nor a report-to directive. CSP will not block and cannot report violations of this policy.
```

Looking at the HTTP response:

```
content-security-policy-report-only: default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/
```

This doesn't contain the relevant change.

Looking at the server:

```
gruntjs-03: sudo journalctl -u puppet
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Profile::Gruntjscom/Nginx::Site[gruntjscom]/File[/etc/nginx/sites-available/gruntjscom]/content) content changed '{sha256}652386e2d2d1f1c33>
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Nginx/Exec[nginx-reload]/returns) Job for nginx.service failed.
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Nginx/Exec[nginx-reload]/returns) See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Nginx/Exec[nginx-reload]) Failed to call refresh: '/usr/sbin/service nginx reload' returned 1 instead of one of [0]
```

```
gruntjs-03$ systemctl status nginx.service
Sep 11 15:41:36 gruntjs-03 nginx[84606]: 2024/09/11 15:41:36 [emerg] 84606#84606: invalid number of arguments in "add_header" directive in /etc/nginx/sites-enabled/gruntjscom:24
```

So it has protected itself by keeping the server running with the previous configuration for now.
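The following nginx vhost is an added example, not the jquery/infrastructure-puppet configuration itself; it pulls together the points raised in this thread (add_header placed in the location block with `always`, the directive terminated correctly so `nginx reload` does not fail, and reporting declared in a form browsers actually honour). The server name, upstream address and the `csp-endpoint` group name are assumptions; the policy string and report URL are the ones quoted above. Note that in CSP the `report-to` directive takes an endpoint group name declared in a `Reporting-Endpoints` header, not a URL, while `report-uri` takes the URL directly and is the widely supported fallback.

```nginx
# Added example (assumed hostnames/upstream); report-only CSP for a proxied site.
server {
    listen 443 ssl;
    server_name stage.gruntjs.com;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # nginx only inherits add_header from the enclosing level when the current
        # level defines none, so every header this location needs is declared here.
        # 'always' keeps the headers on 4xx/5xx responses as well.

        # Reporting API endpoint group; the CSP's report-to refers to this name.
        add_header Reporting-Endpoints 'csp-endpoint="https://csp-report-api.openjs-foundation.workers.dev/"' always;

        # The trailing semicolon is mandatory: without it nginx reports
        # 'invalid number of arguments in "add_header" directive' at reload and
        # keeps serving the previous configuration.
        add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
    }
}
```

Run `nginx -t` before reloading; it catches the missing-semicolon class of error without touching the running server.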

@timmywil (Member, Author) commented

Sorry about that. I'll look into it.

@timmywil (Member, Author) commented

I think it's just a missing semicolon.

Krinkle pushed a commit that referenced this issue Sep 12, 2024
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Oct 16, 2024
timmywil added a commit to timmywil/contribute.jquery.org that referenced this issue Oct 20, 2024
timmywil added a commit to jquery/podcast.jquery.com that referenced this issue Oct 20, 2024
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Oct 20, 2024
timmywil added a commit that referenced this issue Oct 20, 2024
**miscweb**

- script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
  bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
- img-src: allow secure.gravatar.com images on plugins.jquery.com
- media-src: allow content.jquery.com media on podcast.jquery.com

**grunt**

- script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
- the datatables plugin uses jQuery's eval. While later versions
  of jQuery switched to using script tags for eval, it would
  still require an exception. The best solution
  would be to re-implement search, but that will take time.

Ref #54
Closes gh-63
timmywil added a commit to jquery/contribute.jquery.org that referenced this issue Oct 21, 2024
timmywil added a commit to jquery/podcast.jquery.com that referenced this issue Oct 22, 2024
@timmywil (Member, Author) commented Nov 16, 2024

I just noticed I missed an unsafe-inline for scripts on mobile themeroller (I had done styles, which took care of 95% of the errors). I'll do a PR for that soon.

Edit: PR merged at #68
