Opened 7 years ago
Last modified 7 years ago
#5894 assigned Enhancement
Content Security Policy for WebUI
| Reported by: | Ancient | Owned by: | mike.dld |
|---|---|---|---|
| Priority: | Normal | Milestone: | None Set |
| Component: | Web Client | Version: | 2.84 |
| Severity: | Normal | Keywords: | |
| Cc: | | | |
Description
A Content Security Policy is a whitelist for web applications that allows us to define all of the actions a web application may take. It requires a developer to maintain strict separation of markup, presentation and application logic and in exchange nerfs the impact of XSS and other injection attacks.
The patch I am attaching includes the following rules:
- The WebUI may not include styles, scripts, images, fonts, or send XHRs outside of itself.
- The WebUI may never be embedded in a frame (if you find this rule controversial, I can remove it).
- The WebUI may never submit a form (the current code catches forms with javascript rather than submitting them).
To make this happen the following changes were necessary:
- Using the HTML5 hidden attribute instead of the style attribute to hide elements.
- CSS polyfill for older browsers to support the above attribute.
- jQuery was updated to a version with CSP fixes included.
- jQuery migrate was added to include deprecated jQuery functionality.
- jQuery UI and the smoothness theme were both updated.
I have tested the latest version of every major browser for bugs and found no regressions (although a couple of visual bugs). I have also attempted to retain identical support for legacy browsers.
It is notable that this patch is expected to break all external WebUIs. If this patch interests you, I will submit pull requests to the following 3rd party WebUIs over the course of the next week or two so they can be ready for this change.
- https://github.com/killemov/Shift
- https://github.com/ronggang/transmission-web-control
- https://github.com/endor/kettu
As always I'm open to feedback.
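The three rules in the description map onto a short Content-Security-Policy header. The following is an added example, not the attached patch or Transmission's own code: it spells out that header (the exact header value in the patch is not shown on this page, so the string is an assumption), and adds a small CSP parser plus a checker that verifies a candidate policy actually enforces the three rules, including the fallback from the fetch directives to `default-src` and the fact that `frame-ancestors` and `form-action` have no such fallback.

```javascript
// Added example (not from the ticket or Transmission): the ticket's three rules
// as a CSP header, plus a parser and checker so the policy can be verified.

// Assumed header for the three rules in the description (standard CSP Level 2
// directive names; the patch's actual header is not visible on the page).
const WEBUI_POLICY = [
  "default-src 'self'",      // styles, scripts, images, fonts, XHR only from the WebUI itself
  "frame-ancestors 'none'",  // the WebUI may never be embedded in a frame
  "form-action 'none'",      // the WebUI may never submit a form
].join("; ");

// Parse a CSP header value into a Map of directive name -> source expressions.
// Directives are ';'-separated, tokens are whitespace-separated, names are
// case-insensitive, and a repeated directive keeps its first occurrence
// (browsers ignore later duplicates).
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives covering the resource types named in the ticket. Any that
// is not set explicitly falls back to default-src.
const FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "font-src", "connect-src"];

function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get("default-src") || [];
}

// Check a policy against the three rules. Returns a list of findings; an empty
// list means the policy satisfies all of them.
function checkWebuiPolicy(header) {
  const d = parseCsp(header);
  const findings = [];

  for (const name of FETCH_DIRECTIVES) {
    const sources = effectiveSources(d, name);
    if (sources.length === 0) {
      findings.push(`${name}: unrestricted (neither ${name} nor default-src set)`);
      continue;
    }
    for (const src of sources) {
      if (src.toLowerCase() !== "'self'") {
        findings.push(`${name}: source ${src} allows loading outside the WebUI`);
      }
    }
  }
  // Neither frame-ancestors nor form-action falls back to default-src, so an
  // absent directive means framing / form submission is allowed.
  const fa = d.get("frame-ancestors");
  if (!fa || fa.length !== 1 || fa[0].toLowerCase() !== "'none'") {
    findings.push("frame-ancestors: must be exactly 'none'");
  }
  const ff = d.get("form-action");
  if (!ff || ff.length !== 1 || ff[0].toLowerCase() !== "'none'") {
    findings.push("form-action: must be exactly 'none'");
  }
  return findings;
}

// Constructed counter-example: a policy that kept inline styles (the reason the
// ticket switches from the style attribute to the hidden attribute) and forgot
// form-action. The checker reports both.
const LOOSE_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'";
```

Running `checkWebuiPolicy(WEBUI_POLICY)` returns an empty list, while `checkWebuiPolicy(LOOSE_POLICY)` reports the `'unsafe-inline'` style source and the missing `form-action`. A check like this is worth keeping next to whatever serves the header, because a single added source expression silently widens the whitelist.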
Attachments (4)
Change History (10)
Changed 7 years ago by Ancient
comment:1 Changed 7 years ago by Ancient
Here is a summary of all the changes that were not included due to the attachment size limit or being images.
- A web/javascript/jquery/jquery-migrate.min.js
- A web/javascript/jquery/jquery-ui.min.js
- M web/javascript/jquery/jquery.min.js
- D web/javascript/jquery/jqueryui-1.8.16.min.js
- M web/style/jqueryui/images/ui-bg_flat_75_ffffff_40x100.png
- M web/style/jqueryui/images/ui-bg_glass_65_ffffff_1x400.png
- M web/style/jqueryui/images/ui-bg_glass_75_dadada_1x400.png
- M web/style/jqueryui/images/ui-bg_glass_75_e6e6e6_1x400.png
- M web/style/jqueryui/images/ui-bg_highlight-soft_75_cccccc_1x100.png
- M web/style/jqueryui/images/ui-icons_222222_256x240.png
- M web/style/jqueryui/images/ui-icons_454545_256x240.png
- A web/style/jqueryui/images/ui-icons_888888_256x240.png
- D web/style/jqueryui/jqueryui-1.8.16.css
- A web/style/jqueryui/smoothness.min.css
Changed 7 years ago by Ancient
Latest CSP patch, reworks callback code in dialog.js to remove eval(). Obsoletes previous patches.
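The comment above says the dialog callback code was reworked to drop `eval()`, which a policy of `default-src 'self'` (no `'unsafe-eval'`) refuses to run. The block below is an added example, not Transmission's dialog.js: it shows the string-evaluating pattern beside a registry of named callbacks, so that a dialog carries only a callback name and nothing from its contents is ever interpreted as JavaScript. All function and callback names here are made up.

```javascript
// Added example (not Transmission's dialog.js): eval-based callback dispatch
// beside the registry pattern a CSP without 'unsafe-eval' requires.

// Before: the callback is a string of JavaScript source evaluated when the
// dialog closes. Under "default-src 'self'" the browser refuses eval() and
// this throws an EvalError, so the dialog silently stops working.
function runCallbackByEval(code) {
  return eval(code); // eslint-disable-line no-eval
}

// After: callbacks are registered under a name at load time, and only a
// registered function can ever be invoked.
const dialogCallbacks = new Map();

function registerDialogCallback(name, fn) {
  if (typeof fn !== "function") {
    throw new TypeError(`callback ${name} must be a function`);
  }
  dialogCallbacks.set(name, fn);
}

function runDialogCallback(name, ...args) {
  const fn = dialogCallbacks.get(name);
  if (!fn) throw new Error(`unknown dialog callback: ${name}`);
  return fn(...args);
}

// A dialog records the callback *name* and its payload, never code.
function buildConfirmDialog(message, callbackName, payload) {
  return {
    message,
    onConfirm: () => runDialogCallback(callbackName, payload),
  };
}

// Constructed sample: a confirm dialog whose OK button removes torrents by id.
const removedIds = [];
registerDialogCallback("confirmRemoveTorrent", (ids) => {
  removedIds.push(...ids);
  return removedIds.length;
});
```

With this shape, a value that reaches the dialog from outside (a torrent name, a tracker message) can at worst be an unknown callback name, which is rejected, rather than source text handed to `eval`.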
comment:2 Changed 7 years ago by mike.dld
Closed #5931 as duplicate of this one.
comment:3 Changed 7 years ago by mike.dld
I've updated jQuery and jQuery UI in r14506 since this was planned anyway. I'm also inclined to merge "hidden" attribute changes. As for the main change proposed (adding "Content-Security-Policy" header), it'll have to wait for someone else to approve.
comment:4 Changed 7 years ago by mike.dld
comment:5 Changed 7 years ago by mike.dld
- Owner set to mike.dld
- Status changed from new to assigned
comment:6 Changed 7 years ago by Ancient
Shift is ready for CSP with only minor regressions.
They have merged all of the most important changes, but had reservations about ceasing the use of data URIs. The only lost functionality from the data URIs is backgrounds being solid colors rather than gradients and no sound effects. I have discussed these issues with them and don't consider the remaining issues to be blockers, as the webui will continue to function.
transmission-web-control will never be ready.
I have sent multiple emails to the authors of jQuery EasyUI about the changes required to get it ready for CSP. I have offered them patches and tried to discuss the technical details. They are no longer responding to my emails and seem to have no interest in ever being compatible with CSP. Because transmission-web-control is entirely built upon this framework it can never be compatible with CSP.
kettu has nothing to report yet.
The developers presumably haven't reviewed the first pull request yet.
Patch (minus images and 3rd party libraries)