Opened 6 years ago

Last modified 5 years ago

#5894 assigned Enhancement

Content Security Policy for WebUI

Reported by: Ancient Owned by: mike.dld
Priority: Normal Milestone: None Set
Component: Web Client Version: 2.84
Severity: Normal Keywords:
Cc:

Description

A Content Security Policy is a whitelist for web applications that allows us to define all of the actions a web application may take. It requires a developer to maintain strict separation of markup, presentation and application logic and in exchange nerfs the impact of XSS and other injection attacks.

The patch I am attaching includes the following rules:

  • The WebUI may not include styles, scripts, images, fonts, or send XHRs outside of itself.
  • The WebUI may never be embedded in a frame (if you find this rule controversial, I can remove it).
  • The WebUI may never submit a form (the current code catches forms with javascript rather than submitting them).

To make this happen the following changes were necessary:

  • Using the HTML5 hidden attribute instead of the style attribute to hide elements.
  • CSS polyfill for older browsers to support the above attribute.
  • jQuery was updated to a version with CSP fixes included.
  • jQuery migrate was added to include deprecated jQuery functionality.
  • jQuery UI and the smoothness theme were both updated.

I have tested the latest version of every major browser for bugs and found no regressions (although a couple of visual bugs). I have also attempted to retain identical support for legacy browsers.

It is notable that this patch is expected to break all external WebUIs. If this patch interests you, I will submit pull requests to the following 3rd party WebUIs over the course of the next week or two so they can be ready for this change.

As always I'm open to feedback.
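The three rules listed in the description, expressed as a Content-Security-Policy header together with a small checker that parses a header and reports which of those rules it fails to enforce. This is an added example, not code from Ancient's csp.patch or from Transmission; the page does not show the exact directive values the patch uses, so the header below is one standard way of writing the same rules.

```javascript
// Added example (not from the ticket's patch): the three rules in the
// description as a CSP header, plus a parser that checks whether an
// arbitrary header actually enforces them. Directive values are an
// assumption; the patch's own header is not shown on the page.

// Rule 1: styles, scripts, images, fonts and XHR targets only from the
// WebUI's own origin. Rule 2: never allow the page to be framed.
// Rule 3: never allow a form to be submitted anywhere.
const WEBUI_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self'; " +
  "img-src 'self'; font-src 'self'; connect-src 'self'; " +
  "frame-ancestors 'none'; form-action 'none'";

// Parse a CSP header into a Map of directive name -> array of source values.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // A repeated directive is ignored by browsers; keep the first one.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; frame-ancestors
// and form-action do not, so they are checked directly below.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src");
}

// Return the list of ticket rules that `header` fails to enforce.
function cspViolations(header) {
  const d = parseCsp(header);
  const problems = [];
  for (const name of ["script-src", "style-src", "img-src", "font-src", "connect-src"]) {
    const src = effectiveSources(d, name);
    // Anything beyond 'self' / 'none' lets content in from outside the WebUI.
    if (!src || src.some((s) => s !== "'self'" && s !== "'none'")) {
      problems.push(`${name} allows sources outside the WebUI`);
    }
  }
  if ((d.get("frame-ancestors") ?? [])[0] !== "'none'") {
    problems.push("frame-ancestors does not forbid embedding");
  }
  if ((d.get("form-action") ?? [])[0] !== "'none'") {
    problems.push("form-action does not forbid form submission");
  }
  return problems;
}
```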

Attachments (4)

csp.patch (34.3 KB) - added by Ancient 6 years ago.
Patch (minus images and 3rd party libraries)
csp-internal.patch (18.6 KB) - added by Ancient 6 years ago.
All changes required excluding 3rd party libraries and images
csp-v3.patch (21.8 KB) - added by Ancient 6 years ago.
Latest CSP patch, reworks callback code in dialog.js to remove eval(). Obsoletes previous patches.
csp-v4.patch (788 bytes) - added by Ancient 6 years ago.
Patch rebased against latest commits


Change History (10)

Changed 6 years ago by Ancient

Patch (minus images and 3rd party libraries)

Changed 6 years ago by Ancient

All changes required excluding 3rd party libraries and images

Changed 6 years ago by Ancient

Latest CSP patch, reworks callback code in dialog.js to remove eval(). Obsoletes previous patches.

comment:2 Changed 6 years ago by mike.dld

Closed #5931 as duplicate of this one.

comment:3 Changed 6 years ago by mike.dld

I've updated jQuery and jQuery UI in r14506 since this was planned anyway. I'm also inclined to merge "hidden" attribute changes. As for the main change proposed (adding "Content-Security-Policy" header), it'll have to wait for someone else to approve.

comment:4 Changed 6 years ago by mike.dld

Committed style (r14510) and eval (r14511) changes.

comment:5 Changed 6 years ago by mike.dld

  • Owner set to mike.dld
  • Status changed from new to assigned

Changed 6 years ago by Ancient

Patch rebased against latest commits

comment:6 Changed 5 years ago by Ancient

Shift is ready for CSP with only minor regressions.

They have merged all of the most important changes, but had reservations about ceasing the use of data URIs. The only lost functionality from the data URIs is backgrounds being solid colors rather than gradients and no sound effects. I have discussed these issues with them and don't consider the remaining issues to be blockers, as the webui will continue to function.

transmission-web-control will never be ready.

I have sent multiple emails to the authors of jQuery EasyUI about the changes required to get it ready for CSP. I have offered them patches and tried to discuss the technical details. They are no longer responding to my emails and seem to have no interest in ever being compatible with CSP. Because transmission-web-control is entirely built upon this framework it can never be compatible with CSP.

kettu has nothing to report yet.

The developers presumably haven't reviewed the first pull request yet.
