
Restrict base-uri in report-only CSP #15580

Merged: 1 commit merged into mozilla:main from add/base-uri-csp-report on Nov 29, 2024

Conversation


@janbrasna janbrasna commented Nov 27, 2024

One-line summary

No <base href> is being used around the site, so this makes sure no malicious code can tamper with relative links. (Once moved from report-only; this is to surface any potential issues first.)

Significant changes and points to review

"Ensures that all relative URLs resolve to trusted origins, maintaining control over URL resolution behavior. Protects user experience and data by preventing exploitation of relative links."

Originally posted by @janbrasna in #15555 (comment):

"There don't seem to be any <base> elements set visibly from a quick search, and I also don't recall any env settings to inject it for some deployments (e.g. don't see it being used even in test.bedrock.nonprod.webservices.*) so the goal is perhaps to set it to 'none', right?
The public-facing site should be fine, question is whether Wagtail doesn't need that for anything, but the only base use I can spot is in targets for opening new windows, so a RO test-drive should surface any violations, but hopefully there would be none."

Issue / Bugzilla link

#15555

Testing

This should have no impact on Wagtail previews, but please do test that the CMS experience is intact and that usage doesn't trigger any base-uri violations, thanks! 😗

To test this locally, a couple of local env vars need setting:

  • DEBUG=False — CSP headers aren't added while in DEBUG mode
  • CSP_RO_REPORT_URI=https://httpbin.org/post — the report-only header is added only with any endpoint set
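An added example (not bedrock's code and not part of this PR) showing, with constructed URLs and header values, why an injected `<base href>` is worth blocking and how to check that a CSP or CSP-Report-Only header value actually restricts base-uri:

```python
"""Added example, not bedrock's own code. All URLs and header strings below
are constructed for illustration."""
from urllib.parse import urljoin


def resolve_relative_links(page_url, hrefs, injected_base=None):
    """Resolve relative hrefs the way a browser would.

    Without a <base href>, relative links resolve against the page URL.
    If markup injection manages to add <base href="https://evil...">, every
    relative link on the page silently resolves against that origin instead.
    """
    base = injected_base or page_url
    return [urljoin(base, h) for h in hrefs]


def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def base_uri_is_restricted(header):
    """True when base-uri is present and allows only 'none' or 'self'.

    base-uri does not fall back to default-src, so an absent directive
    means any <base href> is permitted.
    """
    sources = parse_csp(header).get("base-uri")
    if sources is None:
        return False
    allowed = {"'none'", "'self'"}
    return bool(sources) and all(s.lower() in allowed for s in sources)


if __name__ == "__main__":
    page = "https://example.org/en-US/firefox/"  # constructed page URL
    links = ["download/", "../about/"]
    print(resolve_relative_links(page, links))
    print(resolve_relative_links(page, links, "https://attacker.invalid/"))
    # Constructed report-only header value, as a local test setup might emit it.
    ro = "default-src 'self'; base-uri 'none'; report-uri https://httpbin.org/post"
    print(base_uri_is_restricted(ro), base_uri_is_restricted("default-src 'self'"))
```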

codecov bot commented Nov 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.01%. Comparing base (395be1b) to head (3b2174d).
Report is 14 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #15580   +/-   ##
=======================================
  Coverage   79.00%   79.01%           
=======================================
  Files         158      158           
  Lines        8303     8304    +1     
=======================================
+ Hits         6560     6561    +1     
  Misses       1743     1743           



@robhudson robhudson left a comment

👍

As long as we're not using the href attribute in any <base> tags this should work, and from my understanding it won't impact wagtail's use of <base target=...>.

@robhudson robhudson merged commit 7bf93fd into mozilla:main Nov 29, 2024
5 checks passed
@janbrasna janbrasna deleted the add/base-uri-csp-report branch November 29, 2024 23:12