Content Security Policy
Hi,
I am just running through a new Perch Runway installation, using a Content Security Policy as part of my build for the first time. I have hit some issues within Perch admin due to inline scripts and styles, which are in violation of my policy (see below):
```
Header set Content-Security-Policy: "default-src 'none'; script-src 'self' https://ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'"
```
It looks like when the inline scripts / styles in Perch are blocked the navigation menu doesn't work properly.
I can add `unsafe-inline` to get around this (which is what I have done), but I was wondering if it would be possible, or indeed a good idea, to move these scripts to external files for future releases so I can use a more locked-down content security policy for Perch builds.
Thanks for your time as always; my diagnostics are below if required.
Mike
Perch Runway: 3.0.8, PHP: 5.6.30, MySQL: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $, with PDO
Server OS: Darwin, apache2handler
Installed apps: content (3.0.8), assets (3.0.8), categories (3.0.8), perch_forms (1.9.1), perch_shop_orders (1.2.3), perch_shop_products (1.2.3), perch_shop (1.2.3), perch_members (1.6.2)
App runtimes: <?php $apps_list = [ 'perch_members', 'perch_shop', 'perch_forms', ];
PERCH_LOGINPATH: /admin
PERCH_PATH: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site/admin
PERCH_CORE: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site/admin/core
PERCH_RESFILEPATH: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site/admin/resources
Image manipulation: GD
PHP limits: Max upload 32M, Max POST 32M, Memory: 128M, Total max file upload: 32M
F1: 0c66c2e1f82f9e0b7617b2cb8270f2c7
Resource folder writeable: Yes
HTTP_HOST: ghd.dev
DOCUMENT_ROOT: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site
REQUEST_URI: /admin/core/settings/diagnostics/
SCRIPT_NAME: /admin/core/settings/diagnostics/index.php
P.S. If of interest, this is what I am seeing in Console:
```
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://fonts.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-YUYSvTsOl4O3SIYESay1ibQrMFa6B0p8JzYIRkd3x5o='), or a nonce ('nonce-...') is required to enable inline execution.
ghd.dev/:13 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://ajax.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ljckMz6kQytqbbKiJeSJnzNo9bqnBdvmTZauQMxjpss='), or a nonce ('nonce-...') is required to enable inline execution.
app.5163d57….js:1 Uncaught ReferenceError: Perch is not defined
    at Object.<anonymous> (app.5163d57….js:1)
    at t (vendor.5163d57….js:1)
    at window.webpackJsonp (vendor.5163d57….js:1)
    at app.5163d57….js:1
js_lang.php:1 Uncaught ReferenceError: Perch is not defined
    at js_lang.php:1
ghd.dev/:65 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://ajax.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-6IIvUyrpNJsrV0PElO/SFu1ORPnryCprHLVIlaW4hDM='), or a nonce ('nonce-...') is required to enable inline execution.
```
I don't think either of those Google URLs are coming from Perch.
Hi Drew,
I have declared those URLs in the Content Security Policy as safe external sources - they are for Google font loading. The security issues are being triggered by these inline scripts and styles in the Perch admin:
- Line 10
- Line 13
- Line 65
Those are inlined for a reason - they're dynamically generated.
Ah, fair enough, thanks Drew, I knew there would be a reason.
I will see if I can do something better than `unsafe-inline`, and will post here if I come up with anything.
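As an added example (not code from Perch or from either poster), this Python models the decision the browser is reporting in those console messages: a `sha256-` source covers a static inline block, while dynamically generated scripts like the ones Drew describes need a per-response nonce, and adding either one makes `'unsafe-inline'` ignored. The policy string is copied from the first post; the inline bodies and helper names are constructed for the demo.

```python
import base64
import hashlib
import secrets

# Constructed copy of the policy from the first post (connect/img/font-src dropped for brevity)
EXAMPLE_POLICY = ("default-src 'none'; script-src 'self' https://ajax.googleapis.com; "
                  "style-src 'self' https://fonts.googleapis.com; frame-ancestors 'none'")

def csp_hash_source(inline_body):
    """Source expression the browser prints for an inline block: SHA-256 over the
    exact bytes between the opening and closing tag, base64, in single quotes."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def make_nonce():
    """Fresh unguessable nonce for one HTTP response (16 random bytes, base64).
    The same value must appear in the header and on each <script nonce="..."> tag."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def directive_sources(policy, directive):
    """Source list for script-src/style-src; falls back to default-src when absent."""
    table = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in table:   # browsers keep the first copy
            table[tokens[0].lower()] = tokens[1:]
    return table.get(directive, table.get("default-src", []))

def inline_allowed(policy, directive, inline_body, nonce=None):
    """Mirror the browser's decision for one inline <script> or <style> block."""
    sources = directive_sources(policy, directive)
    nonce_or_hash_present = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    # CSP level 2: once any hash or nonce is listed, 'unsafe-inline' is ignored
    if "'unsafe-inline'" in sources and not nonce_or_hash_present:
        return True
    if csp_hash_source(inline_body) in sources:     # only SHA-256 hashes are checked here
        return True
    return nonce is not None and "'nonce-%s'" % nonce in sources

if __name__ == "__main__":
    static_style = ".hidden { display: none; }"           # constructed static block
    print(inline_allowed(EXAMPLE_POLICY, "style-src", static_style))        # blocked
    print(inline_allowed("style-src 'self' " + csp_hash_source(static_style),
                         "style-src", static_style))                        # allowed by hash
    nonce = make_nonce()
    dynamic = "var Perch = {user: 'mike'};"               # differs per request: no fixed hash
    print(inline_allowed("script-src 'self' 'nonce-%s'" % nonce,
                         "script-src", dynamic, nonce))                     # allowed by nonce
```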