
Bug #41160

do not set Content-Security-Policy (CSP) headers for docs.ceph.com

Added by Kefu Chai about 1 month ago. Updated 21 days ago.

Status: Resolved
Priority: High
Category: Infrastructure Service
Target version: -
Start date: 08/08/2019
Due date:
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:

Description

Sphinx uses inline styles and JavaScript, and a modern browser supporting Content Security Policy refuses to load such styles and JavaScript if the HTTP header returned by the web server does not allow the browser to load resources from unlisted sources.

The following is a response when accessing https://docs.ceph.com/ceph-prs/29544/search/?q=crimson

Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self'
Content-Encoding: gzip
X-XSS-Protection: 1; mode=block
Transfer-Encoding: Identity
Date: Thu, 08 Aug 2019 11:32:47 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
ETag: W/"5d4c07e0-186d" 
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 08 Aug 2019 11:30:40 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000

So it only allows "self" style sheets and JavaScript loaded from the same place where the document is being loaded, because CSP uses a whitelist approach. This setting literally prevents the browser from loading the inlined styles and JavaScript; hence it hurts the functionality and user experience of accessing web pages rendered using the default Sphinx template, which is not 100% CSP friendly.

If we keep this setting on the web server, there is no way to override it. So I am wondering if we can change our nginx setting to remove the "Content-Security-Policy" settings, or at least to add

<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'self';script-src 'unsafe-inline' 'self' http://ayni.ceph.com;script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com;style-src 'unsafe-inline' 'self' https://fonts.googleapis.com;style-src-elem 'unsafe-inline' 'self';font-src https://fonts.googleapis.com https://fonts.gstatic.com" />

but I am inclined to just drop it so we can add the settings programmatically.

The related PR is located at https://github.com/ceph/ceph/pull/29544

History

#1 Updated by Kefu Chai about 1 month ago

#2 Updated by Sebastian Wagner 29 days ago

  • Priority changed from Normal to High

This issue breaks the search of https://docs.ceph.com/ in some browsers now. Raising priority to High.

#3 Updated by David Galloway 29 days ago

  • Status changed from New to Need Test

OK, I updated the header and see the Javascript error goes away on the search page.

Is this breaking anything anywhere else that you know of?

#4 Updated by Kefu Chai 28 days ago

Weird, I can still see the JavaScript error in https://docs.ceph.com/docs/master/search/?q=crimson.

Now we have:

$ curl -I https://docs.ceph.com/docs/master
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 20 Aug 2019 07:04:44 GMT
Content-Type: text/html
Content-Length: 178
Location: https://docs.ceph.com/docs/master/
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'self'
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; script-src-elem 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; style-src-elem 'unsafe-inline' 'self'; font-src https://fonts.googleapis.com https://fonts.gstatic.com

And I tested using Chromium 76; it complains:

Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Titillium+Web:400,300,700' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Titillium+Web:400,300,700' because it violates the following Content Security Policy directive: "style-src-elem 'unsafe-inline' 'self'".

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-4IfJmohiqxpxzt6KnJiLmxBD72c3jkRoQ+8K5HT5K8o='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to connect to 'http://docs.ceph.com/docs/master/releases.json' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

So I think we need to

  • drop "Content-Security-Policy: default-src 'self'; script-src 'self'" from the header

and change the second "Content-Security-Policy" to:

default-src 'unsafe-inline' 'self' https://docs.ceph.com/;
script-src 'unsafe-inline' 'self' http://ayni.ceph.com;
script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com;
style-src 'unsafe-inline' 'self' https://fonts.googleapis.com;
style-src-elem 'unsafe-inline' 'self' https://fonts.googleapis.com;
font-src https://fonts.googleapis.com https://fonts.gstatic.com

#5 Updated by David Galloway 27 days ago

Oh, that is embarrassing. I forgot to comment out the original Content-Security-Policy "default-src 'self'; script-src 'self'"

Is it okay now?

#6 Updated by Kefu Chai 26 days ago

Thank you David! Much better! Now the header looks like

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 22 Aug 2019 08:10:17 GMT
Content-Type: text/html
Content-Length: 178
Location: https://docs.ceph.com/docs/master/
Connection: keep-alive
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; script-src-elem 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; style-src-elem 'unsafe-inline' 'self'; font-src https://fonts.googleapis.com https://fonts.gstatic.com

So we are able to load inline JavaScript and style sheets.

But we still cannot load two resources:

[Error] Refused to load https://fonts.googleapis.com/css?family=Titillium+Web:400,300,700 because it does not appear in the style-src directive of the Content Security Policy.

after applying https://github.com/ceph/ceph/pull/29544.

So could you change the new "Content-Security-Policy" to

default-src 'unsafe-inline' 'self';
script-src 'unsafe-inline' 'self';
script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com;
style-src 'unsafe-inline' 'self' https://fonts.googleapis.com;
style-src-elem 'unsafe-inline' 'self' https://fonts.googleapis.com;
font-src https://fonts.googleapis.com https://fonts.gstatic.com

?

where "https://fonts.googleapis.com" is added to "style-src" and "style-src-elem" to cater to the needs of different browsers.
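The behaviour behind comments #4 and #6, replayed with a small model: when a response carries two Content-Security-Policy headers the browser enforces both, so the relaxed second header could not undo the first one, and a stylesheet load is governed by style-src-elem, falling back to style-src and then default-src, which is why fonts.googleapis.com had to be added to the style directives. This is an added example, not code from the ticket or from Ceph; PAGE_ORIGIN, the FALLBACK table and the request shapes are assumptions of the model, and the header values are the ones quoted in the thread.

```javascript
// Added example, not code from the ticket or from Ceph: a minimal model of how a
// browser evaluates CSP, enough to replay the header states seen in this thread.
// Simplified: no nonces/hashes; host sources match by origin (trailing "/" ignored).
const PAGE_ORIGIN = "https://docs.ceph.com";
// CSP3 fallback chain for a stylesheet load: the most specific directive present governs.
const FALLBACK = { "style-src-elem": ["style-src-elem", "style-src", "default-src"] };

// "dir src src; dir src" -> { dir: [src, ...] }
function parsePolicy(header) {
  return Object.fromEntries(header.split(";").map((p) => p.trim().split(/\s+/).filter(Boolean))
    .filter((t) => t.length).map(([name, ...sources]) => [name.toLowerCase(), sources]));
}

// req is { inline: true } for an inline <style>, else { origin } of the fetched URL.
function sourceMatches(src, req) {
  if (req.inline) return src === "'unsafe-inline'";
  if (src === "'self'") return req.origin === PAGE_ORIGIN;
  return !src.startsWith("'") && req.origin === src.replace(/\/+$/, "");
}

// null when this policy allows the load, else the directive that refused it.
function checkPolicy(header, directive, req) {
  const policy = parsePolicy(header);
  const governing = FALLBACK[directive].find((d) => d in policy);
  if (!governing) return null;
  return policy[governing].some((s) => sourceMatches(s, req)) ? null : governing;
}

// Several CSP headers on one response are all enforced: each one must allow the load.
function isAllowed(headers, directive, req) {
  return headers.every((h) => checkPolicy(h, directive, req) === null);
}

// Header values from comments #4 and #6; FINAL adds fonts.googleapis.com to both style directives.
const ORIGINAL = "default-src 'self'; script-src 'self'";
const RELAXED = "default-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'self'; " +
  "script-src-elem 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; " +
  "style-src-elem 'unsafe-inline' 'self'; font-src https://fonts.googleapis.com https://fonts.gstatic.com";
const FINAL = RELAXED.replace(/(style-src(?:-elem)? 'unsafe-inline' 'self')/g, "$1 https://fonts.googleapis.com");
const FONT_CSS = { origin: "https://fonts.googleapis.com" };

function replay() {
  return {
    bothInline: isAllowed([ORIGINAL, RELAXED], "style-src-elem", { inline: true }), // false: first header refuses
    bothFontCss: isAllowed([ORIGINAL, RELAXED], "style-src-elem", FONT_CSS),        // false
    relaxedInline: isAllowed([RELAXED], "style-src-elem", { inline: true }),         // true
    relaxedFontCss: isAllowed([RELAXED], "style-src-elem", FONT_CSS),               // false: the comment #6 error
    finalFontCss: isAllowed([FINAL], "style-src-elem", FONT_CSS),                   // true
  };
}
```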

#7 Updated by David Galloway 26 days ago

Done. I think the fonts are all back to normal now. I really appreciate you doing the research/debugging on this!

#8 Updated by Kefu Chai 26 days ago

  • Status changed from Need Test to Resolved

As always, thank you, David! The text rendered with "Titillium Web" in https://docs.ceph.com/ceph-prs/29544/search/?q=crimson looks awesome!
