Follow-up to #2510104: Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future

Problem/Motivation

Content Security Policy (CSP) is a browser feature that helps prevent XSS attacks, driven by headers sent by the site.

For CSP spec see: http://www.w3.org/TR/CSP/
https://www.owasp.org/index.php/Content_Security_Policy
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Inline JS is not compatible with enabling a reasonably secure Content Security Policy, so this issue is postponed until the Drupal settings are fixed in the related issue.

Proposed resolution

Implement a basic and reasonably secure CSP header for Drupal core, such as

Content-Security-Policy: default-src 'self'; frame-ancestors 'self';

Possibly (or as a follow-up or in contrib): Add a callback to receive CSP violation reports and log them to watchdog, e.g. with a CSP report-uri directive like:

Content-Security-Policy: default-src 'self'; frame-ancestors 'self'; report-uri /system/csp-report-logger;

Likely this reporting should be supported only as something that can be temporarily enabled for debugging. It has obvious potential for abuse (DoS attacks, bogus data, etc.) such as outlined at https://www.virtuesecurity.com/blog/abusing-csp-violation-reporting/

Remaining tasks

Implement

User interface changes

Possibly an admin page to configure some aspects of the CSP (optional for 8.0.x)

API changes

API addition to allow modules to alter or add to the CSP header for each page/or response event.
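The header from the proposed resolution and the per-response alter API described above, as an added example of how a module could emit them with a Drupal 8 response event subscriber; this is not core code or a patch from this issue, and the module name csp_example and the hook name csp_directives_alter are assumptions.

```php
<?php
// Added example, not Drupal core code or a patch from this issue. Assumes a
// hypothetical module "csp_example" whose csp_example.services.yml registers
// this class with the tag { name: event_subscriber }.
namespace Drupal\csp_example\EventSubscriber;

use Drupal\Core\Extension\ModuleHandlerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class CspResponseSubscriber implements EventSubscriberInterface {
  protected $moduleHandler;
  public function __construct(ModuleHandlerInterface $module_handler) {
    $this->moduleHandler = $module_handler;
  }

  public static function getSubscribedEvents() {
    // Low priority: run after other response listeners have set their headers.
    return [KernelEvents::RESPONSE => ['onResponse', -100]];
  }

  public function onResponse(FilterResponseEvent $event) {
    if (!$event->isMasterRequest()) {
      return;
    }
    // Directive => sources; defaults match the header in the issue summary.
    $directives = [
      'default-src' => ["'self'"],
      'frame-ancestors' => ["'self'"],
    ];
    // Hypothetical hook_csp_directives_alter(array &$directives): a module can
    // add e.g. a CDN host to script-src instead of core hard-coding it.
    $this->moduleHandler->alter('csp_directives', $directives);
    $response = $event->getResponse();
    $response->headers->set('Content-Security-Policy', static::serialize($directives));
    // X-Frame-Options covers browsers that predate frame-ancestors.
    if ($directives['frame-ancestors'] === ["'self'"]) {
      $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
    }
  }
  // Serializes e.g. ['default-src' => ["'self'"]] to "default-src 'self';".
  public static function serialize(array $directives) {
    $parts = [];
    foreach ($directives as $name => $sources) {
      $parts[] = $name . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $parts) . ';';
  }
}
```

With the default directives the subscriber sends exactly the header proposed above, `default-src 'self'; frame-ancestors 'self';`, on every master response.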

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category: Task, because it is security hardening.
Issue priority: Major, because CSP is an important security practice.
Prioritized changes: The main goal of this issue is security improvements.
Disruption: Likely not disruptive for contributed modules, unless they embed iframes or load third-party JS.

Comments

pwolanin

Title: Add a default CSP and minimal API to core » Add a default CSP and clickjacking defence and minimal API for CSP to core
Issue summary: View changes
pwolanin

Issue summary: View changes
pwolanin

Issue summary: View changes
Fabianx

Nice!

Some questions:

- Can we, via our libraries mechanism, automatically emit headers for external JS added that way?
- Is it possible to also restrict directories? Given we know all directories due to aggregation could we restrict those directories?

pwolanin

From discussion with webchick, having a CSP in core that restricts JS execution should be 8.1.x material.

Not sure about X-Frame-Options: SAMEORIGIN however.

Fabianx

Even if we make it an optional hardening?

pwolanin

Version: 8.0.x-dev » 8.1.x-dev
Issue summary: View changes

yes, optional == contrib. I think for 8.0.x

Fabianx

Version: 8.1.x-dev » 8.0.x-dev
Status: Postponed » Active

Well, core needs to support the API from day 0 - even if then only the contrib module enables it.

Adding at 8.1 will potentially break contrib modules and it is one of the most important security hardenings we can do.

It is also just 'ready' now. And the web is evolving ...

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Wim Leers