
Content Security Policy

Hi,

I am just running through a new Perch Runway installation, using a Content Security Policy as part of my build for the first time. I have hit some issues within Perch admin due to inline scripts and styles, which are in violation of my policy (see below):

Header set Content-Security-Policy: "default-src 'none'; script-src 'self' https://ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'"

It looks like when the inline scripts / styles in Perch are blocked, the navigation menu doesn't work properly.

I can add unsafe-inline to get around this (which is what I have done), but I was wondering if it would be possible, or indeed a good idea, to move these scripts to external files for future releases so I can use a more locked-down content security policy for Perch builds.

Thanks for your time as always; my diagnostics are below if required.

Mike

Perch Runway: 3.0.8, PHP: 5.6.30, MySQL: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $, with PDO
Server OS: Darwin, apache2handler
Installed apps: content (3.0.8), assets (3.0.8), categories (3.0.8), perch_forms (1.9.1), perch_shop_orders (1.2.3), perch_shop_products (1.2.3), perch_shop (1.2.3), perch_members (1.6.2)
App runtimes: <?php $apps_list = [ 'perch_members', 'perch_shop', 'perch_forms', ];
PERCH_LOGINPATH: /admin
PERCH_PATH: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site/admin
PERCH_CORE: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site/admin/core
PERCH_RESFILEPATH: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site/admin/resources
Image manipulation: GD
PHP limits: Max upload 32M, Max POST 32M, Memory: 128M, Total max file upload: 32M
F1: 0c66c2e1f82f9e0b7617b2cb8270f2c7
Resource folder writeable: Yes
HTTP_HOST: ghd.dev
DOCUMENT_ROOT: /Users/mikeharrison/Google Drive/Client Work/G H Davies/Site
REQUEST_URI: /admin/core/settings/diagnostics/
SCRIPT_NAME: /admin/core/settings/diagnostics/index.php

P.S. If of interest, this is what I am seeing in Console:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'  https://fonts.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-YUYSvTsOl4O3SIYESay1ibQrMFa6B0p8JzYIRkd3x5o='), or a nonce ('nonce-...') is required to enable inline execution.

ghd.dev/:13 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://ajax.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ljckMz6kQytqbbKiJeSJnzNo9bqnBdvmTZauQMxjpss='), or a nonce ('nonce-...') is required to enable inline execution.

app.5163d57….js:1 Uncaught ReferenceError: Perch is not defined
    at Object.<anonymous> (app.5163d57….js:1)
    at t (vendor.5163d57….js:1)
    at window.webpackJsonp (vendor.5163d57….js:1)
    at app.5163d57….js:1
js_lang.php:1 Uncaught ReferenceError: Perch is not defined
    at js_lang.php:1
ghd.dev/:65 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://ajax.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-6IIvUyrpNJsrV0PElO/SFu1ORPnryCprHLVIlaW4hDM='), or a nonce ('nonce-...') is required to enable inline execution.
Mike Harrison, 4 years ago

Drew McLellan (Perch Support):

I don't think either of those Google URLs is coming from Perch.

Hi Drew,

I have declared those URLs in the Content Security Policy as safe external sources - they are for Google font loading. The security issues are being triggered by these inline scripts and styles in the Perch admin:

Line 10

<style type="text/css">.topbar.custom { background-color: #3b3c43; }
        .dialog-overlay { background-color: #3b3c43; }
    </style>

Line 13

<script>
    if (typeof(Perch) == 'undefined') {
        Perch      = {};
        Perch.UI   = {};
        Perch.Apps = {};
    }
    Perch.token   = 'f262cfcd54e521beee2148cda5c74c7b';
    Perch.path    = '/admin';
    Perch.version = '3.0.1';
    Perch.theme   = '#3b3c43';
</script>

Line 65

<script>
    </script>
Drew McLellan (Perch Support):

Those are inlined for a reason - they're dynamically generated.

Ah, fair enough, thanks Drew, I knew there would be a reason.

I will see if I can do something better than unsafe-inline, and will post here if I come up with anything.