Content Security Policy help
3 years 11 months ago #198760
by NPEUWebmaster
Content Security Policy help was created by NPEUWebmaster
Hi,
I'm setting up an Apache server for a LimeSurvey 3 installation, and I'd like to craft a suitable Content-Security-Policy for it.
I'm having trouble finding the answers to some questions I have.
Please note I'm not really a LimeSurvey user, so please forgive anything that might seem obvious.
Firstly, is there an example of a good CSP for LS3 anywhere? I've Googled but I couldn't find much.
Otherwise, could someone please help me answer some questions or point me in the right direction:
1. Does LS3 use inline styles anywhere? (if so I'd need `style-src 'self' 'unsafe-inline'`)
2. Does LS3 use inline scripts anywhere? (if so I'd need `script-src 'self' 'unsafe-inline'` - also what about `'unsafe-eval'` does LS3 need that?)
3. Can anyone tell me how LS3 makes use of iframes? Would `frame-src 'self'` cause problems?
4. Same with forms - would `form-action 'self'` cause problems?
5. How does COMFORT UPDATE work? Would I need any URLs as exceptions on any CSP directives?
6. Can anyone recommend any sort of process or methodology for testing out any CSP I put in place?
Many thanks,
Andy
The topic has been locked.
3 years 11 months ago #198761
by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
1: yes
2: yes
3: no external iframe, maybe some internal ones (for admin: preview theme, for example)
4: No, think it's OK
5: only PHP curl, no JS
6: no … but I'm interested to have your test and process
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
3 years 11 months ago #198763
by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Hi Denis,
Thanks so much for your quick reply - that's really helpful.
I'm posting what I've crafted so far in case it helps anyone.
I'll report back with any further info/failures/successes, and if I'm able to come up with anything useful for a testing process.
So based on the H5BP Apache Config Example here's what I've got so far:
Code:
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
Any comments on that would be great. For example I'm still wary of 'unsafe-eval' - is there any way to be sure that's definitely needed?
Thanks again,
Andy
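As an added example for the "how do I test the CSP I put in place" question (this is not code from the thread or from the LimeSurvey project), a small Python helper that parses the policy posted above, reports which fetch directives silently inherit from default-src, flags the 'unsafe-inline' / 'unsafe-eval' relaxations, and parses the JSON violation report a browser POSTs to a report-uri endpoint during a Report-Only rollout. The survey.example.org / cdn.example.net hostnames in the sample report are constructed placeholders.

```python
"""Audit a Content-Security-Policy string and parse browser violation reports."""
import json

# The policy posted above, without the Apache "expr=" condition (copied here as sample input).
POSTED_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; "
                 "frame-ancestors 'self'; upgrade-insecure-requests")

# Fetch directives that silently fall back to default-src when not listed (partial list).
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "font-src", "connect-src",
                       "frame-src", "media-src", "object-src", "worker-src")
RISKY = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(policy):
    """Return {directive: [source expressions]}; browsers honour the first occurrence."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_csp(policy):
    """List directives inherited from default-src, risky keywords, and whether reports are collected."""
    d = parse_csp(policy)
    return {
        "inherited_from_default": [n for n in FALLBACK_TO_DEFAULT if n not in d],
        "risky": {n: [s for s in srcs if s in RISKY] for n, srcs in d.items() if set(srcs) & set(RISKY)},
        "has_reporting": "report-uri" in d or "report-to" in d,
    }


def parse_violation_report(body):
    """Pull the useful fields out of the JSON a browser POSTs to report-uri."""
    r = json.loads(body).get("csp-report", {})
    return {"directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri"), "page": r.get("document-uri")}


# Constructed sample report; hostnames are hypothetical.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://survey.example.org/index.php/123456",
    "violated-directive": "img-src", "effective-directive": "img-src",
    "blocked-uri": "https://cdn.example.net/logo.png", "original-policy": POSTED_POLICY}})

if __name__ == "__main__":
    print(audit_csp(POSTED_POLICY))          # flags unsafe-* and the missing report-uri
    print(parse_violation_report(SAMPLE_REPORT))
```

Run against the posted policy, the audit shows frame-src, img-src and connect-src inheriting 'self' from default-src and no report-uri, so a Content-Security-Policy-Report-Only rollout would need one added before violations can be collected.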
3 years 11 months ago #198865
by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
No real comment,
except: if you can improve our manual (it's a wiki, same account as here).
manual.limesurvey.org/Installation_security_hints
3 years 11 months ago #198959
by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Thanks Denis,
When I'm sure the CSP doesn't break anything, I'll add something to the manual, though I'd be happier if it were tested by a wider bunch of people first.
I guess I'll add a disclaimer in the first instance.
Andy
3 years 11 months ago #198991
by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
I've started adding it to my demo website.
Seems we need 'unsafe-eval' … for the public part …
3 years 11 months ago #199036
by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Ok, thanks for testing that out.
It's good to know it's needed, even if it's better that it wasn't.
Which version of LS is that demo running?
Thanks
3 years 11 months ago #199040
by DenisChenu
Replied by DenisChenu on topic Content Security Policy help
3 years 11 months ago #199116
by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
Ok, thanks.
3 years 3 months ago #210298
by NPEUWebmaster
Replied by NPEUWebmaster on topic Content Security Policy help
@Denis, I finally got around to adding my CSP to the wiki.
Thanks,
Andy
3 years 2 months ago #211442
by jcarberry
Replied by jcarberry on topic Content Security Policy help
I will try the suggested starting point, tinker with the settings and let you know what I find.
That being said, it might be useful for the developers (I am not skilled in this area) to consider recoding those snippets that might require policies like unsafe-eval.
3 years 2 months ago #211485
by tpartner
Replied by tpartner on topic Content Security Policy help
Please submit a bug report.
Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.