Bug #41160
do not set Content-Security-Policy (CSP) headers for docs.ceph.com
Status: Closed
Description
sphinx uses inline style and javascript. and a modern browser supporting Content Security Policy refuses to load such style and javascript if the HTTP header returned by the webserver does not allow the browser to load resources from unlisted sources.
following is a response when accessing https://docs.ceph.com/ceph-prs/29544/search/?q=crimson
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self'
Content-Encoding: gzip
X-XSS-Protection: 1; mode=block
Transfer-Encoding: Identity
Date: Thu, 08 Aug 2019 11:32:47 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
ETag: W/"5d4c07e0-186d"
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 08 Aug 2019 11:30:40 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000
so, it only allows "self" style sheets and javascripts loaded from the same place where the document is being loaded, because CSP uses a whitelist approach. this setting literally prevents the browser from loading the inlined style and javascript. hence it hurts the functionality and user experience of accessing webpages rendered using the default sphinx template, which is not 100% CSP friendly.
if we keep this setting on the webserver, there is no way to override it. so i am wondering if we can change our nginx setting to remove the "Content-Security-Policy" settings or at least to add
<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'self';script-src 'unsafe-inline' 'self' http://ayni.ceph.com;script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com;style-src 'unsafe-inline' 'self' https://fonts.googleapis.com;style-src-elem 'unsafe-inline' 'self';font-src https://fonts.googleapis.com https://fonts.gstatic.com" />
but i am inclined to just drop it so we can add the settings programmatically.
the related PR is located at https://github.com/ceph/ceph/pull/29544
Updated by Kefu Chai over 4 years ago
sphinx community is aware of this issue. see also https://trello.com/c/848lTtan/3115-sphinx-doc-sphinx-content-security-policy-3620
Updated by Sebastian Wagner over 4 years ago
- Priority changed from Normal to High
This issue breaks the search of https://docs.ceph.com/ in some browsers now. Raising priority to High.
Updated by David Galloway over 4 years ago
- Status changed from New to 17
OK, I updated the header and see the Javascript error goes away on the search page.
Is this breaking anything anywhere else that you know of?
Updated by Kefu Chai over 4 years ago
weird, i can still see the JavaScript error in https://docs.ceph.com/docs/master/search/?q=crimson.
now we have:
$ curl -I https://docs.ceph.com/docs/master
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 20 Aug 2019 07:04:44 GMT
Content-Type: text/html
Content-Length: 178
Location: https://docs.ceph.com/docs/master/
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self'
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; script-src-elem 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; style-src-elem 'unsafe-inline' 'self'; font-src https://fonts.googleapis.com https://fonts.gstatic.com
and i tested using chromium 76, it complains:
Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Titillium+Web:400,300,700' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Titillium+Web:400,300,700' because it violates the following Content Security Policy directive: "style-src-elem 'unsafe-inline' 'self'".
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-4IfJmohiqxpxzt6KnJiLmxBD72c3jkRoQ+8K5HT5K8o='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to connect to 'http://docs.ceph.com/docs/master/releases.json' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
so i think we need to
- drop "Content-Security-Policy: default-src 'self'; script-src 'self'" from the header
and change the second "Content-Security-Policy" to:
default-src 'unsafe-inline' 'self' https://docs.ceph.com/; script-src 'unsafe-inline' 'self' http://ayni.ceph.com; script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; style-src-elem 'unsafe-inline' 'self' https://fonts.googleapis.com; font-src https://fonts.googleapis.com https://fonts.gstatic.com
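The two CSP behaviours behind the browser errors quoted above are (a) a fetch directive that is absent falls back along its chain (style-src-elem to style-src to default-src, connect-src to default-src) and (b) when two Content-Security-Policy headers are sent, a load must be permitted by every one of them. The following is an added example, not code from the ticket or from Ceph's nginx configuration: a deliberately simplified evaluator (exact scheme+host matching, 'self' and 'unsafe-inline' only, no hashes, nonces or paths) run against abridged copies of the policies quoted in this thread, with the page origin assumed to be https://docs.ceph.com.

```python
# Constructed CSP evaluator for two behaviours seen in this thread: a missing fetch
# directive falls back along its chain to default-src, and with several CSP headers
# every policy must allow the load. Sources match on exact scheme+host only.
from urllib.parse import urlsplit
# CSP3 fallback chains for the directives named in the browser errors above.
FALLBACK = {"style-src-elem": ("style-src-elem", "style-src", "default-src"),
            "style-src": ("style-src", "default-src"),
            "connect-src": ("connect-src", "default-src")}

def parse_policy(header):
    # 'default-src a b; style-src c' -> {'default-src': ['a', 'b'], 'style-src': ['c']}
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def source_allowed(sources, url, page_origin):
    # url == "inline" stands for an inline <style> block.
    if url == "inline":
        return "'unsafe-inline'" in sources
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"  # http:// never matches an https:// source
    if "'self'" in sources and origin == page_origin:
        return True
    return any(s.rstrip("/") == origin for s in sources if not s.startswith("'"))

def allowed(headers, directive, url, page_origin="https://docs.ceph.com"):
    # Evaluate against every header; returns (ok, [directive that refused, ...]).
    refused = []
    for header in headers:
        policy = parse_policy(header)
        name = next((n for n in FALLBACK[directive] if n in policy), None)  # first present wins
        if name and not source_allowed(policy[name], url, page_origin):
            refused.append(name)
    return not refused, refused

# Abridged from the headers quoted in this thread (20 Aug, then the requested fix).
OLD = "default-src 'self'; script-src 'self'"
SECOND = ("default-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; "
          "style-src-elem 'unsafe-inline' 'self'; font-src https://fonts.gstatic.com")
FINAL = SECOND.replace("style-src-elem 'unsafe-inline' 'self'",
                       "style-src-elem 'unsafe-inline' 'self' https://fonts.googleapis.com")
FONT_CSS = "https://fonts.googleapis.com/css?family=Titillium+Web:400,300,700"

if __name__ == "__main__":
    print(allowed([OLD, SECOND], "style-src", "inline"), allowed([FINAL], "style-src-elem", FONT_CSS))
```

With both headers present the inline style is refused by the old policy's default-src even though the second policy allows it; with only the second header the inline style passes but the fonts.googleapis.com stylesheet is refused by style-src-elem, which is exactly what the quoted browser errors report.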
Updated by David Galloway over 4 years ago
Oh, that is embarrassing. I forgot to comment out the original Content-Security-Policy "default-src 'self'; script-src 'self'"
Is it okay now?
Updated by Kefu Chai over 4 years ago
thank you David! much better! now the header looks like
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 22 Aug 2019 08:10:17 GMT
Content-Type: text/html
Content-Length: 178
Location: https://docs.ceph.com/docs/master/
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; script-src-elem 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; style-src-elem 'unsafe-inline' 'self'; font-src https://fonts.googleapis.com https://fonts.gstatic.com
so we are able to load inline javascript and style sheets.
but we still cannot load two resources:
[Error] Refused to load https://fonts.googleapis.com/css?family=Titillium+Web:400,300,700 because it does not appear in the style-src directive of the Content Security Policy.
after applying https://github.com/ceph/ceph/pull/29544.
so could you change the new "Content-Security-Policy" to
default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com; style-src-elem 'unsafe-inline' 'self' https://fonts.googleapis.com; font-src https://fonts.googleapis.com https://fonts.gstatic.com
?
where "https://fonts.googleapis.com" is added to "style-src" and "style-src-elem" to cater to the needs of different browsers.
Updated by David Galloway over 4 years ago
Done. I think the fonts are all back to normal now. I really appreciate you doing the research/debugging on this!
Updated by Kefu Chai over 4 years ago
- Status changed from 17 to Resolved
as always, thank you, David! the texts rendered with "Titillium Web" in https://docs.ceph.com/ceph-prs/29544/search/?q=crimson look awesome!