As promised, this feature was just enabled by default: CSP Frame Ancestors enabled by default
Hello,
I am currently setting up Google Adsense on my website and it seems I am missing the "Enable CSP violation report collection at /csp_reports" setting… I am currently self-hosting Discourse on version 2.9.0.beta6
Above, in the quote, a screenshot of the setting I am missing.
Above, my settings page for CSP, with the "Enable CSP violation report collection at /csp_reports" setting missing.
Any help is appreciated! And please tell me if I have set up the settings correctly for Adsense, I have never used it before!
Apologies, my earlier replies here are outdated because, as of about a month ago, we made content_security_policy_collect_reports a hidden setting. You can still enable it, but you need to do it via the Rails console, as in:
./launcher enter app
...
rails c
...
SiteSetting.content_security_policy_collect_reports = true
Note that this is very noisy. I highly recommend not going down this route at all and simply enabling CSP and navigating the site with the browser console open using multiple browsers (Chrome, Firefox, Safari). You'll find most issues that way. And with the configuration you have, you're basically allowing almost all that CSP protects against anyway, so you shouldn't have any need for the reports.
Maybe I am missing something, but I do not see these settings in the settings UI.
content_security_policy
content_security_policy_report_only
content_security_policy_collect_reports (I see that is hidden now)
content_security_policy_script_src
Are these options available to hosted instances? I didn't see any mention of that being a limitation in the original post or comments.
Edit: Also attempted to set the security policy through a theme.
Does not seem to be working as instructed in the original post.
I'm assuming the hosted plan I'm on doesn't allow this, even when done via a theme or theme component?
Or maybe I am just doing something totally wrong.
Currently, Discourse ships a CSP Level 2 policy with the following directives by default:
base-uri: restricts the URLs for the <base> element
Is there any option to override the default value for the base-uri header?
Where are <base> elements actually used in Discourse?
Would that break Discourse push notifications?
Could be. Might need a more suitable setting.
A post was split to a new topic: What's the suggested method to use secure images?
Hi there,
May I know how to bypass the issue below? I have added the script invoking a new Function() expression into content_security_policy_script_src, but my browser console still complains with the error below. Where can I exclude the unsafe-eval? Thanks!
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:
Apologies. Please ignore my previous post if my remarks below are correct. I just learned from the posts above that I can set 'unsafe-eval' directly in content_security_policy_script_src, and there is no JS error reported in the console any more.
Maybe have a look at the content security policy script src site setting?
Yes. As said in previous replies, 'unsafe-eval' can be added directly to content_security_policy_script_src; I thought only a base URL or a full URL was allowed.
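The two recurring questions in this thread, whether a source listed in content_security_policy_script_src is enough for code that calls new Function() (it is not; that needs the 'unsafe-eval' keyword) and how to read what a /csp_reports collector actually receives, can both be checked offline with a small policy evaluator. The following is an added example, not Discourse code and not taken from any post above: it parses a Content-Security-Policy header the way a browser would group it, reports whether script-src permits eval, tests whether a script URL is covered by the source list (including 'self', wildcard hosts and the page-scheme rule), and triages one report-uri payload. The hostnames (forum.example, ads.example, cdn.example) and the sample report are constructed for illustration.

```javascript
// Added example (not Discourse code): evaluate a CSP header offline.
// Policy strings, URLs and the report body below are constructed samples.

// "directive values; directive values" -> Map(directive -> [source expressions])
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Fetch directives such as script-src fall back to default-src when absent;
// null means the policy places no restriction on this directive at all.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// eval(), new Function() and string-argument setTimeout need the 'unsafe-eval'
// keyword; listing the calling script's URL in script-src is not enough,
// which is exactly the EvalError quoted in the thread.
function allowsEval(policy) {
  const srcs = sourcesFor(policy, 'script-src');
  if (srcs === null) return true;
  return srcs.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Match one source expression against a URL. Handles 'self', 'none', '*',
// scheme-source (https:) and host-source with optional scheme, leading
// wildcard label, port and path. Nonces, hashes and unsafe-* never match a URL.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else {
    // Scheme-less host-source: the page's own scheme, or https when the page is http.
    const pageScheme = new URL(pageOrigin).protocol;
    if (url.protocol !== pageScheme && !(pageScheme === 'http:' && url.protocol === 'https:')) return false;
  }
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port && port !== '*') {
    const actual = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const srcs = sourcesFor(policy, 'script-src');
  if (srcs === null) return true;
  const url = new URL(scriptUrl);
  return srcs.some((s) => sourceMatches(s, url, pageOrigin));
}

// Triage one report-uri POST body. Browsers send "eval" or "inline" as the
// blocked-uri for eval/inline violations, otherwise the blocked resource URL.
function summarizeReport(body) {
  const r = JSON.parse(body)['csp-report'];
  const directive = (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  const blocked = r['blocked-uri'] || '';
  let hint;
  if (blocked === 'eval') hint = "'unsafe-eval'";
  else if (blocked === 'inline') hint = "a nonce, a hash, or 'unsafe-inline'";
  else { try { hint = new URL(blocked).origin; } catch { hint = blocked; } }
  return { directive, blocked, hint };
}

// Constructed sample policy in the shape the thread discusses (no 'unsafe-eval').
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://ads.example https://*.cdn.example";

// Constructed sample of what a report-uri collector receives for a new Function() call.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': { 'document-uri': 'https://forum.example/t/1', 'effective-directive': 'script-src', 'blocked-uri': 'eval' },
});
```

The evaluator mirrors the point made twice in the thread: with SAMPLE_POLICY, a script served from https://ads.example loads, but allowsEval() is still false until 'unsafe-eval' is appended to script-src, and a collected report for that failure shows blocked-uri "eval" rather than a URL, so no amount of added origins will fix it.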