Welcome to the LimeSurvey Community Forum

Content Security Policy help

5 years 3 months ago #198760 by NPEUWebmaster
Hi,

I'm setting up an Apache server for a LimeSurvey 3 installation, and I'd like to craft a suitable Content-Security-Policy for it.
I'm having trouble finding the answers to some questions I have.
Please note I'm not really a LimeSurvey user, so please forgive anything that might seem obvious.

Firstly, is there an example of a good CSP for LS3 anywhere? I've Googled but I couldn't find much.

Otherwise, could someone please help me answer some questions or point me in the right direction:

1. Does LS3 use inline styles anywhere? (if so I'd need `style-src 'self' 'unsafe-inline'`)
2. Does LS3 use inline scripts anywhere? (if so I'd need `script-src 'self' 'unsafe-inline'` - also what about `'unsafe-eval'` does LS3 need that?)
3. Can anyone tell me how LS3 makes use of iframes? Would `frame-src 'self'` cause problems?
4. Same with forms - would `form-action 'self'` cause problems?
5. How does COMFORT UPDATE work? Would I need any URLs as exceptions on any CSP directives?
6. Can anyone recommend any sort of process or methodology for testing out any CSP I put in place?


Many thanks,
Andy
The topic has been locked.
5 years 3 months ago #198761 by DenisChenu
1: yes
2: yes
3: no external iframe, maybe some internal ones (for admin: theme preview, for example)
4: No, I think it's OK
5: only PHP curl, no JS
6: no … but I'm interested in seeing your tests and process

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, themes and development.
I don't answer private messages.
5 years 3 months ago #198763 by NPEUWebmaster
Hi Denis,
Thanks so much for your quick reply - that's really helpful.

I'm posting what I've crafted so far in case it helps anyone.
I'll report back with any further info/failures/successes, and if I'm able to come up with anything useful for a testing process.

So based on the H5BP Apache Config Example, here's what I've got so far:
Code:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"

Any comments on that would be great. For example, I'm still wary of 'unsafe-eval' - is there any way to be sure that's definitely needed?

Thanks again,
Andy
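The header posted above can be checked mechanically rather than by reading it. What follows is an added example written for this page, not LimeSurvey code and not part of the original post: a simplified, fallback-aware CSP evaluator in Python. It parses a Content-Security-Policy string into directives, applies the browser's fallback rules (fetch directives fall back to `default-src`; `base-uri`, `form-action` and `frame-ancestors` do not), answers whether a given URL, inline block or `eval()` would be allowed, and lists the findings a reviewer would raise. The page origin `https://survey.example.org` and the contrast policy `default-src 'self'` are constructed for the demonstration; path matching, nonces, hashes and `'strict-dynamic'` are deliberately left out.

```python
"""Fallback-aware CSP evaluator: parses a Content-Security-Policy header string and
answers "would the browser allow this?" for URLs, inline code and eval().

Added example for this thread; it is not LimeSurvey code. Simplifications (assumptions):
no path matching, no nonces/hashes, no 'strict-dynamic', no -elem/-attr directives."""
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent; these two have longer chains (CSP3).
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}
# Document/navigation directives never fall back: absent means unrestricted.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}


def parse_csp(header):
    """'default-src 'self'; script-src 'self' 'unsafe-inline'' -> {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        name, *sources = directive.split() or [""]
        if name and name.lower() not in policy:  # browsers honour the first occurrence of a directive
            policy[name.lower()] = sources
    return policy


def effective_sources(policy, directive):
    """Walk the fallback chain; None means no directive governs this request type."""
    chain = [directive] + ([] if directive in NO_FALLBACK else FALLBACK.get(directive, ["default-src"]))
    for name in chain:
        if name in policy:
            return policy[name]
    return None


def _origin(url):
    u = urlsplit(url)
    port = str(u.port) if u.port else {"http": "80", "https": "443"}.get(u.scheme.lower())
    return u.scheme.lower(), (u.hostname or "").lower(), port


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.example.org matches a.example.org but not example.org itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_matches(source, url, page_origin):
    """Does one source expression permit a fetch of `url` from a page at `page_origin`?"""
    src = source.lower()
    scheme, host, port = _origin(url)
    if src == "'self'":
        return (scheme, host, port) == _origin(page_origin)
    if src.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL
        return False
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https: or data:
        return scheme == src[:-1]
    src_scheme, _, rest = src.rpartition("://")  # host-source: [scheme://]host[:port][/path]
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if src_scheme and scheme != src_scheme:
        return False
    if not src_scheme and scheme not in (_origin(page_origin)[0], "https"):
        return False
    if not _host_matches(src_host, host):
        return False
    return src_port in ("", "*") or src_port == port


def allows(policy, directive, url, page_origin):
    sources = effective_sources(policy, directive)
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)


def allows_inline(policy, directive):
    """Inline <script>/<style> and on* handlers need 'unsafe-inline' in the governing directive."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in (s.lower() for s in sources)


def allows_eval(policy):
    """eval(), new Function() and string setTimeout() need 'unsafe-eval' under script-src."""
    sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in (s.lower() for s in sources)


def review(header):
    """Findings a reviewer would raise about a policy, as plain strings."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        if allows_inline(policy, directive):
            findings.append(f"{directive}: inline code allowed; an injected <{directive[:-4]}> runs")
    if allows_eval(policy):
        findings.append("script-src: 'unsafe-eval' lets injected strings reach eval()/new Function()")
    for directive in sorted(NO_FALLBACK):
        if directive not in policy:
            findings.append(f"{directive}: absent and does not fall back to default-src, so unrestricted")
    return findings


# The header posted above, and (constructed for contrast) the bare policy that only allows same-origin.
ANDY_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; "
            "frame-ancestors 'self'; upgrade-insecure-requests")
MINIMAL_CSP = "default-src 'self'"

if __name__ == "__main__":
    for name, header in (("posted policy", ANDY_CSP), ("default-src 'self' only", MINIMAL_CSP)):
        print(name, review(header))
```

Running it shows the trade-off the thread is circling: the posted policy reports three findings (inline scripts, inline styles and `eval()` are all permitted under `script-src`/`style-src`), while the bare `default-src 'self'` policy reports none of those but leaves `base-uri`, `form-action` and `frame-ancestors` unrestricted, and blocks every inline script, which is exactly what breaks an application that, per the answer above, uses inline scripts.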
5 years 3 months ago #198865 by DenisChenu
No real comment,

except: if you can improve our manual (it's a wiki, same account as here).
www.limesurvey.org/manual/Installation_security_hints

5 years 3 months ago #198959 by NPEUWebmaster
Thanks Denis,
When I'm sure the CSP doesn't break anything, I'll add something to the manual, though I'd be happier if it were tested by a wider bunch of people first.
I guess I'll add a disclaimer in the first instance.

Andy
5 years 3 months ago #198991 by DenisChenu
I started adding it to my demo website :)

Seems we need 'unsafe-eval' … for the public part … :(

5 years 3 months ago #199036 by NPEUWebmaster
Ok, thanks for testing that out.
It's good to know it's needed, even if it's better that it wasn't.
Which version of LS is that demo running?

Thanks
5 years 3 months ago #199040 by DenisChenu
I quickly checked the public part on both: 3.X and 4.X

5 years 3 months ago #199116 by NPEUWebmaster
Ok, thanks.
4 years 7 months ago #210298 by NPEUWebmaster
@Denis, I finally got around to adding my CSP to the wiki.

Thanks,
Andy
4 years 7 months ago #211442 by jcarberry
I will try the suggested starting point, tinker with the settings and let you know what I find.

That being said, it might be useful for the developers (I am not skilled in this area) to consider recoding those snippets that might require policies like unsafe-eval.
4 years 7 months ago #211485 by tpartner
Please submit a bug report.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The following user(s) said Thank You: DenisChenu
4 years 1 month ago #218292 by jlhollowell
Hello,

I'm new to the forums here and relatively new to LimeSurvey. I've set up an instance running with Nginx and just discovered, when attempting to set up a content security policy header, that the basic header breaks LimeSurvey... or at least the admin login page. I searched around trying to find some documentation here and this is where I ended up.

I guess I need to add to this:

add_header Content-Security-Policy "default-src 'self';" always;

Thanks in advance for any help available.

Cheers

Jason
4 years 1 month ago #218294 by jcarberry
Have you tried:
1. configuring CSP to send a report when there are infractions of the policy?
2. checking the browser console for any CSP errors?

With those two tools and visiting every possible page you should be able to detect what you wish to permit in your CSP.

Best to do this without any extensions in your browser, as some of them can inject code in the pages that might trigger CSP errors.
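Point 1 of the reply above (have the browser send a report on each violation) produces JSON bodies that still have to be sorted into real policy gaps and noise. The following is an added example, not from the thread and not LimeSurvey code: a Python triage routine run over constructed sample reports in both the legacy `report-uri` format (`{"csp-report": {...}}`) and the Reporting API format (`{"type": "csp-violation", "body": {...}}`). It assumes the server was sending `Content-Security-Policy-Report-Only: <policy>; report-uri /csp-report` (or `report-to`) and that the POSTed bodies were stored; the hostnames, paths and the extension ID in the samples are made up.

```python
"""Triage of CSP violation reports into policy changes versus noise.

Added example for this thread, not LimeSurvey code. It assumes the server sent
  Content-Security-Policy-Report-Only: <policy>; report-uri /csp-report
(or report-to) and that the POSTed JSON bodies were stored; the sample bodies below
are constructed and the hostnames are made up."""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-web-extension:")
# CSP3 reports the granular directive; allow-list changes go on the parent directive.
PARENT = {"script-src-elem": "script-src", "script-src-attr": "script-src",
          "style-src-elem": "style-src", "style-src-attr": "style-src"}


def normalize(report):
    """Accept a legacy report-uri body or a Reporting API record -> (directive, blocked, source_file)."""
    if "csp-report" in report:  # legacy format: {"csp-report": {...}}
        r = report["csp-report"]
        directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
        return directive, r.get("blocked-uri", ""), r.get("source-file", "")
    body = report.get("body", report)  # Reporting API: {"type": "csp-violation", "body": {...}}
    return body.get("effectiveDirective", "unknown"), body.get("blockedURL", ""), body.get("sourceFile", "")


def classify(directive, blocked, source_file):
    """Return (kind, parent_directive, suggestion)."""
    directive = PARENT.get(directive, directive)
    if source_file.startswith(EXTENSION_SCHEMES) or blocked.startswith(EXTENSION_SCHEMES):
        return "noise", directive, blocked  # a browser extension injected it; not a site problem
    if blocked == "inline":
        return "inline", directive, "'unsafe-inline' (or a nonce/hash)"
    if blocked == "eval":
        return "eval", directive, "'unsafe-eval'"
    if blocked.split(":")[0] in ("data", "blob"):  # browsers report only the scheme name for these
        return "scheme", directive, blocked.split(":")[0] + ":"
    u = urlsplit(blocked)
    if u.scheme and u.netloc:
        return "origin", directive, f"{u.scheme}://{u.netloc}"  # allow-list the origin, not the full URL
    return "unknown", directive, blocked


def triage(raw_reports):
    """Count (kind, directive, suggestion) triples over JSON strings or already-parsed dicts."""
    counts = Counter()
    for raw in raw_reports:
        report = json.loads(raw) if isinstance(raw, str) else raw
        counts[classify(*normalize(report))] += 1
    return counts


def suggested_sources(counts):
    """Per-directive additions the reports justify; extension noise and unparsable entries are dropped."""
    out = defaultdict(set)
    for kind, directive, suggestion in counts:
        if kind in ("inline", "eval", "scheme", "origin"):
            out[directive].add(suggestion)
    return {d: sorted(s) for d, s in out.items()}


# Constructed sample reports (not captured from a real LimeSurvey instance).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://survey.example.org/admin",
                               "violated-directive": "script-src 'self'", "effective-directive": "script-src",
                               "blocked-uri": "inline", "line-number": 42}}),
    json.dumps({"csp-report": {"document-uri": "https://survey.example.org/survey",
                               "violated-directive": "script-src 'self'", "blocked-uri": "eval"}}),
    json.dumps({"type": "csp-violation", "body": {"documentURL": "https://survey.example.org/survey",
                                                   "effectiveDirective": "img-src", "blockedURL": "data"}}),
    json.dumps({"type": "csp-violation", "body": {"documentURL": "https://survey.example.org/survey",
                                                   "effectiveDirective": "font-src",
                                                   "blockedURL": "https://fonts.cdn.example/s/roboto.woff2"}}),
    json.dumps({"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "inline",
                               "source-file": "chrome-extension://abcdefghijklmnop/content.js"}}),
]

if __name__ == "__main__":
    counts = triage(SAMPLE_REPORTS)
    for (kind, directive, what), n in counts.most_common():
        print(f"{n:3d}  {kind:7s} {directive:12s} {what}")
    print("suggested additions:", suggested_sources(counts))
```

Two design points: the reports are aggregated by origin rather than full URL, because a CSP allow-list entry is an origin and one noisy page would otherwise produce hundreds of distinct lines; and anything whose `source-file` or `blocked-uri` carries an extension scheme is set aside instead of being turned into a policy change, which is the noise the reply above warns about. `inline` and `eval` entries are shown as the keyword they would require, so the reader can decide between adding the keyword and changing the code, as the thread discusses.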
4 years 1 month ago #218295 by DenisChenu

> Hello,
>
> I'm new to the forums here and relatively new to LimeSurvey. I've set up an instance running with Nginx and just discovered, when attempting to set up a content security policy header, that the basic header breaks LimeSurvey... or at least the admin login page. I searched around trying to find some documentation here and this is where I ended up.
>
> I guess I need to add to this:
>
> add_header Content-Security-Policy "default-src 'self';" always;
>
> Thanks in advance for any help available.
>
> Cheers
>
> Jason
 
Did you read the topic?

Clearly written "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" some posts before.

 
