Hello,

Last week, I have been playing around security HTTP headers and Content-Security-Policy.

I had been recommended to use the Content-Security-Policy module https://www.drupal.org/project/csp, as it allows to provide fined grained options for this header depending on context.

I will upload a patch for Matomo for which "script-src 'unsafe-inline'" is required due to the inline Javascript snippet injected on pages.

I don't know if a solution of generated HTML file like the https://www.drupal.org/project/google_tag module does, will be possible. I saw that matomo_page_attachments is doing a lot personnalization to the JS Snippet.

CommentFileSizeAuthor
#20 matomo-3137978-20.patch6.16 KBgrimreaper
#19 matomo-csp_support-3137978-19.patch4.11 KBtobiasb
#15 interdiff-3137978-10-15.txt1.22 KBgrimreaper
#15 matomo-csp_support-3137978-15.patch4.61 KBgrimreaper
#10 matomo-csp_support-3137978-10.patch4.4 KBgrimreaper
#10 interdiff-3137978-8-10.txt903 bytesgrimreaper
#10 Capture du 2020-05-22 18-07-49.png95.02 KBgrimreaper
#9 Capture du 2020-05-22 18-03-36.png75.49 KBgrimreaper
#8 interdiff-3137978-4-8.txt4.77 KBgrimreaper
#8 matomo-csp_support-3137978-8.patch4.5 KBgrimreaper
#4 matomo-csp_support-3137978-4.patch3.01 KBgrimreaper
#2 matomo-csp_support-3137978-2.patch2.34 KBgrimreaper

Issue fork matomo-3137978

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

Grimreaper created an issue. See original summary.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Assigned: grimreaper » Unassigned
Issue summary: View changes
Status: Active » Needs review
Related issues: +#3099548: Implement Policy Alter event in other modules
StatusFileSize
new matomo-csp_support-3137978-2.patch2.34 KB

Here is a patch. Thanks for the review.

Status: Needs review » Needs work

The last submitted patch, 2: matomo-csp_support-3137978-2.patch, failed testing. View results

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Status: Needs work » Needs review
StatusFileSize
new matomo-csp_support-3137978-4.patch3.01 KB

Use a ServiceProvider to declare the service conditionally if the csp module is enabled.

gapple’s picture

gapple
he/they
Primary language English
commented

The policy alteration should consider the fallback directive (default-src), and overriding directive (script-src-elem).

A publicly available helper function is proposed in #3099423: Helper for altering directives with fallback, but for now can also be copied as a private method on the event subscriber

  public function onCspPolicyAlter(PolicyAlterEvent $alterEvent) {
    $policy = $alterEvent->getPolicy();
    self::fallbackAwareAppendIfEnabled($policy, 'script-src', [Csp::POLICY_UNSAFE_INLINE]);
    self::fallbackAwareAppendIfEnabled($policy, 'script-src-elem', [Csp::POLICY_UNSAFE_INLINE]);
  }

  private static function fallbackAwareAppendIfEnabled(Csp $policy, $directive, $value) {
    if ($policy->hasDirective($directive)) {
      $policy->appendDirective($directive, $value);
      return;
    }

    // Duplicate the closest fallback directive with a value.
    foreach (Csp::getDirectiveFallbackList($directive) as $fallback) {
      if ($policy->hasDirective($fallback)) {
        $policy->setDirective($directive, $policy->getDirective($fallback));
        $policy->appendDirective($directive, $value);
        return;
      }
    }
  }
grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented

Thanks a lot @gapple for your feedback.

I will wait for the maintainer feedback before going forward.

And maybe waiting for #3099423: Helper for altering directives with fallback to be fixed.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Status: Needs review » Needs work

Upon further testing.

The configured Matomo domain name should also be dynamically added in script-src.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Status: Needs work » Needs review
StatusFileSize
new matomo-csp_support-3137978-8.patch4.5 KB
new interdiff-3137978-4-8.txt4.77 KB

Here is an updated patch.

Due to comment 7, I took previous review comments into account too.

Waiting for maintainer feedback.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
StatusFileSize
new Capture du 2020-05-22 18-03-36.png75.49 KB

I wonder if the HTTP URL should be authorized.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
StatusFileSize
new Capture du 2020-05-22 18-07-49.png95.02 KB
new interdiff-3137978-8-10.txt903 bytes
new matomo-csp_support-3137978-10.patch4.4 KB

Patch updated.

Mozilla Observatory was not liking it too.

sleitner’s picture

sleitner commented

Wouldn't it be better to avoid unsafe-inline completely by using JSON like it is used for the drupal-settings-json in core ( https://www.drupal.org/node/2513818 ) or by using data attributes in tags?

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented

Hello @sleitner,

Thanks a lot for the suggestion!

Didn't know this change record.

Yes, if unsafe-inline can be avoided, it would be better.

I will not have time to provide a patch but would be happy to test one if provided.

Regards,

gapple’s picture

gapple
he/they
Primary language English
commented

@sleitner avoiding inline code is preferred, but passing data through drupalSettings is probably a major-version worthy refactor.

e.g. I wrote the Googalytics module as a replacement for the legacy Google Analytics module to be compatible with CSP (among other features). Sites with a basic implementation can just swap modules and match configuration, but any custom implementation will likely need to be rebuilt to be compatible with the different API.

This patch makes the module work in it's current state, and an updated version of the module can remove or update the CSP directive changes as needed.

gapple’s picture

gapple
he/they
Primary language English
commented

I can't commit to a timeline ATM, but I'm up to lead or support a refactor of the module similar to Googalytics' API, if the module maintainer(s) are open to it.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
StatusFileSize
new matomo-csp_support-3137978-15.patch4.61 KB
new interdiff-3137978-10-15.txt1.22 KB

Hello,

Updating patch from comment 10. I have updated Matomo Drupal module to 8.x-1.11 and Matomo to 4 and now a connect-src directive is required.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Assigned: Unassigned » grimreaper

Updating this issue regarding comments.

Switching to PR.

Grimreaper opened merge request !4

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Assigned: grimreaper » Unassigned

PR created.

Thanks for the review!

tobiasb’s picture

tobiasb
Primary language German
Location Berlin
commented
StatusFileSize
new matomo-csp_support-3137978-19.patch4.11 KB

I added script-src-elem again.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
StatusFileSize
new matomo-3137978-20.patch6.16 KB

I have updated the MR to go back to script-src-elem.

Here is a patch for the current state.

If someone else can confirm it works I will merge it.

  • Grimreaper committed 476e95d on 8.x-1.x 
    Issue #3137978 by Grimreaper, tobiasb, gapple, sleitner: Support Content...
grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Status: Needs review » Fixed

Tests are passing. I have merged it and will make a new release because otherwise due to recent code changes applying patches from the latest release is hard.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.