Content Security Policy help

NPEUWebmaster (Topic Author, New Member)
3 years 11 months ago #198760 by NPEUWebmaster
Content Security Policy help was created by NPEUWebmaster
Hi,

I'm setting up an Apache server for a LimeSurvey 3 installation, and I'd like to craft a suitable Content-Security-Policy for it.
I'm having trouble finding the answers to some questions I have.
Please note I'm not really a LimeSurvey user, so please forgive anything that might seem obvious.

Firstly, is there an example of a good CSP for LS3 anywhere? I've Googled but I couldn't find much.

Otherwise, could someone please help me answer some questions or point me in the right direction:

1. Does LS3 use inline styles anywhere? (if so I'd need `style-src 'self' 'unsafe-inline'`)
2. Does LS3 use inline scripts anywhere? (if so I'd need `script-src 'self' 'unsafe-inline'` - also, what about `'unsafe-eval'`: does LS3 need that?)
3. Can anyone tell me how LS3 makes use of iframes? Would `frame-src 'self'` cause problems?
4. Same with forms - would `form-action 'self'` cause problems?
5. How does COMFORT UPDATE work? Would I need any URLs as exceptions on any CSP directives?
6. Can anyone recommend any sort of process or methodology for testing out any CSP I put in place?


Many thanks,
Andy
The topic has been locked.
DenisChenu (LimeSurvey Community Team)
3 years 11 months ago #198761 by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
1: yes
2: yes
3: no external iframe, maybe some internal ones (for admin: preview theme, for example)
4: No, I think it's OK
5: only PHP curl, no JS
6: no … but I'm interested in your tests and process

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
NPEUWebmaster (Topic Author, New Member)
3 years 11 months ago #198763 by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Hi Denis,
Thanks so much for your quick reply - that's really helpful.

I'm posting what I've crafted so far in case it helps anyone.
I'll report back with any further info/failures/successes, and if I'm able to come up with anything useful for a testing process.

So based on the H5BP Apache Config Example here's what I've got so far:
Code:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"

Any comments on that would be great. For example I'm still wary of 'unsafe-eval' - is there any way to be sure that's definitely needed?

Thanks again,
Andy
DenisChenu (LimeSurvey Community Team)
3 years 11 months ago #198865 by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
No real comment,

except: if you can improve our manual (it's a wiki, same account as here).
manual.limesurvey.org/Installation_security_hints

NPEUWebmaster (Topic Author, New Member)
3 years 11 months ago #198959 by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Thanks Denis,
When I'm sure the CSP doesn't break anything, I'll add something to the manual, though I'd be happier if it were tested by a wider bunch of people first.
I guess I'll add a disclaimer in the first instance.

Andy
DenisChenu (LimeSurvey Community Team)
3 years 11 months ago #198991 by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
I started adding it to my demo website :)

Seems we need 'unsafe-eval' … for the public part … :(

NPEUWebmaster (Topic Author, New Member)
3 years 11 months ago #199036 by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Ok, thanks for testing that out.
It's good to know it's needed, even if it would be better if it weren't.
Which version of LS is that demo running?

Thanks
DenisChenu (LimeSurvey Community Team)
3 years 11 months ago #199040 by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
I quickly checked the public part on both: 3.X and 4.X

NPEUWebmaster (Topic Author, New Member)
3 years 11 months ago #199116 by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Ok, thanks.
NPEUWebmaster (Topic Author, New Member)
3 years 3 months ago #210298 by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
@Denis, I finally got around to adding my CSP to the wiki.

Thanks,
Andy
3 years 2 months ago #211442 by jcarberry
Replied by jcarberry on topic Content Security Policy help
I will try the suggested starting point, tinker with the settings and let you know what I find.

That being said, it might be useful for the developers (I am not skilled in this area) to consider recoding those snippets that might require policies like unsafe-eval.
tpartner (LimeSurvey Community Team)
3 years 2 months ago #211485 by tpartner
Replied by tpartner on topic Content Security Policy help
Please submit a bug report.

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.