Mitigate XSS Attacks with Content Security Policy

As promised, this feature was just enabled by default: CSP Frame Ancestors enabled by default

10 Likes

Hello,
I am currently setting up Google Adsense on my website and it seems I am missing the "Enable CSP violation report collection at /csp_reports" setting… I am currently self-hosting Discourse on version 2.9.0.beta6

Above, in the quote, a screenshot of the setting I am missing.


Above, my settings page for CSP with the "Enable CSP violation report collection at /csp_reports" setting missing.

Any help is appreciated! And please tell me if I have set up the settings correctly for Adsense, I have never used it before :eyes:!

3 Likes

Apologies, my earlier replies here are outdated because as of ~ a month ago we made content_security_policy_collect_reports a hidden setting. You can still enable it but you need to do it via the Rails console, as in:

./launcher enter app
...
rails c 
...
SiteSetting.content_security_policy_collect_reports = true

Note that this is very noisy, I highly recommend not going down this route at all and simply enabling CSP and navigating the site with the browser console open using multiple browsers (Chrome, Firefox, Safari). You'll find most issues that way. And with the configuration you have, you're basically allowing almost all that CSP protects against anyway, so you shouldn't have any need for the reports.

6 Likes

Maybe I am missing something, but I do not see these settings in the settings UI.

  • content_security_policy
  • content_security_policy_report_only
  • content_security_policy_collect_reports (I see that is hidden now)
  • content_security_policy_script_src

Are these options available to hosted instances? I didn't see any mention of that being a limitation in the original post or comments.

Edit: Also attempted to set the security policy through a theme.

Does not seem to be working as instructed in original post.


I'm assuming the hosted plan I'm on doesn't allow this, even when done via a theme or theme component?

Or maybe I am just doing something totally wrong.

1 Like

Currently, Discourse ships a CSP Level 2 policy with the following directives by default:

  • base-uri restricts the URLs for the <base> element

Is there any option to override the default value for the base-uri header?

1 Like

Where are <base> elements actually used in discourse?

Would that break Discourse push notifications?

Could be. Might need a more suitable setting.

1 Like

A post was split to a new topic: What's the suggested method to use secure images?

Hi there,
May I know how to bypass the issue below? I have added the script invoking a new Function() expression into content_security_policy_script_src, but my browser console still complains with the error below. Where can I exclude the unsafe-eval? Thanks!

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:

1 Like

Apologies. Please ignore my previous post if my remarks below are correct. I just learned through the posts above that I can set 'unsafe-eval' directly in content_security_policy_script_src, and there is no JS error reported in the console any more.

1 Like

Maybe have a look at the content security policy script src site setting?

1 Like

Yes. As said in previous replies, 'unsafe-eval' can be added directly to content_security_policy_script_src; I thought only a URL base or full URL was allowed to be added.

1 Like
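As an added example (not part of this thread and not Discourse's own code), the small script-src evaluator below shows why listing a script's URL in content_security_policy_script_src does not cover new Function()/eval, while the 'unsafe-eval' keyword does, and why that keyword loosens the policy for every script on the page. Header values and hostnames are constructed; host-source matching is simplified (no nonces or hashes).

```javascript
// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src when it is absent.
function scriptSources(policy) {
  return policy['script-src'] ?? policy['default-src'] ?? [];
}

// eval()/new Function() are refused unless 'unsafe-eval' is present;
// allow-listed URLs have no effect on this check.
function evalAllowed(policy) {
  return scriptSources(policy).some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Simplified host-source match: scheme, host (with a leading "*." wildcard),
// explicit port, and path (prefix when it ends with "/", otherwise exact).
function hostSourceMatches(source, url) {
  if (source.startsWith("'")) return false;            // keywords handled by caller
  const u = new URL(url);
  const pattern = source.includes('://') ? source : `${u.protocol}//${source}`;
  const wildcard = pattern.includes('//*.');
  const p = new URL(pattern.replace('//*.', '//wildcard.'));
  if (p.protocol !== u.protocol) return false;
  const hostOk = wildcard
    ? u.hostname.endsWith('.' + p.hostname.slice('wildcard.'.length))
    : u.hostname === p.hostname;
  if (!hostOk) return false;
  if (/:\d+(\/|$)/.test(pattern) && p.port !== u.port) return false;
  if (p.pathname === '/') return true;
  return p.pathname.endsWith('/') ? u.pathname.startsWith(p.pathname) : u.pathname === p.pathname;
}

function scriptAllowed(policy, url, pageOrigin) {
  const u = new URL(url);
  return scriptSources(policy).some(s => {
    const k = s.toLowerCase();
    if (k === "'self'") return u.origin === pageOrigin;
    if (k === '*') return true;
    return hostSourceMatches(s, url);
  });
}

// Constructed headers: an ad host appended to script-src, with and without 'unsafe-eval'.
const HEADER_ALLOWLIST_ONLY =
  "base-uri 'none'; object-src 'none'; script-src 'self' https://ads.example.com; frame-ancestors 'self'";
const HEADER_WITH_EVAL = HEADER_ALLOWLIST_ONLY.replace('script-src', "script-src 'unsafe-eval'");
```

With the first header the ad script loads but its new Function() call is refused exactly as in the console error quoted above; the second header silences the error at the cost of permitting string-to-code evaluation for every script the page runs.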