Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2024-08-02 06:10:01

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

CSP issue with admin side

TXP 4.9-dev latest, localhost with php 8.3, remote host with php 8.2. Apache, MySQL 8 (local) or MariaDB 10.6 (remote).

  1. Enable a nonce- based CSP for the admin side through config.php
  2. access that admin side, go through a few panels, do something or other – create or edit an article, upload an image, ….

Visually every appears fine, and everything appears to work fine: article are saved or updated, images uploaded, pages, forms correctly edited. Great, a bit little more safety.

Look at the browser console: one or two error messages (or more if a plugin create an additional stylesheet?):

Refused to load the stylesheet 'https://l-c-n.com/textpattern/admin-themes/phw_sandspace/sndsp.min.css' because it violates the following Content Security Policy directive: "style-src-elem 'nonce-MzYyMDI2MGI0NDFmMDI4Yw=='".

The fact the both Safari and Brave (chromium) point to line 1 makes me think there is possibly something with the header itself

(try it here: l-c-n.com/textpattern/, you won’t be able to get past the login panel, but the error is in the console)

It does not matter which admin theme is active. Any one of them, if CSP ready, trigger the message(s). Those error messages are, I think, bogus. They are annoying though adding an element of useless noise.

The CSP directives are the standard one included in config-dist.php with only the script-src-attr directive modified to accommodate a plugin (shhht… smd_thumbnail).

Anyone seeing the same?

PS – locally also tested with a brand new vanilla install.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#2 2024-08-02 10:28:59

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,742
Website

Re: CSP issue with admin side

Interesting, and I’m not sure if it’s related, but can you also try to “save” and then to make further changes to an article and “save” again. Are the second set of changes also saved?

I’ve been adding CSP-capability to some plugins like glz_cf, bot_wtc and smd_tags and I have also seen a console message (not quite the same) on line 1 (from a background process?). In my case, changes made after an initial save were not being committed. I’ve not identified the cause yet, but couldn’t find anything I had overlooked in the plugin code. I’ve yet to get to the bottom of it.


TXP Builders – finely-crafted code, design and txp

Offline

#3 2024-08-02 12:12:20

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

Re: CSP issue with admin side

Ref. Saving and saving again: on localhost at least I have done that multiple times without any issue that I can remember. A quick test on the remote server works just as well. I don’t have any plugins or anything that might interfere with the Textpattern saving routine in any way though. I might test again with com_article_image over the WE to verify, but I think Oleg made sure all would work OK (I remember we tested with CSP active).

–^–

I do remember that it all worked fine (with a rather basic, default install at least) until late last year. That one error started appearing somewhere this year (April maybe??? not sure at all).

FWIW, on the public side with the smd_token plugin it all works fine.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#4 2024-08-03 03:32:56

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,638
GitHub Twitter

Re: CSP issue with admin side

One note: are you sure CSP credentials can be the same for different resources? (i.e. jquery.js, jquery-ui.js and sndsp-min.css)


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#5 2024-08-03 05:44:06

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

Re: CSP issue with admin side

Pat64 wrote #337541:

One note: are you sure CSP credentials can be the same for different resources? (i.e. jquery.js, jquery-ui.js and sndsp-min.css)

I don’t think that is a problem. The logic is: calls for resources must match a token set by the page before allowed, I think.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#6 2024-08-04 03:51:06

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,638
GitHub Twitter

Re: CSP issue with admin side

“The two most important things to remember when using a nonce, especially with respect to (CSP), is that we only use our nonce once (for one request), and the nonce should be so random that no one could guess it.”

See: https://content-security-policy.com/nonce/


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#7 2024-08-04 05:14:31

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

Re: CSP issue with admin side

By which I understand: a unique, random nonce is generated on page request, send with the relevant HTTP response header. All resources of type script, inline script-blocks and style must match this nonce when called. The page you linked to is not entirely clear though.

That is the Textpattern admins side implementation – for each page request (e.g.load the“Files” panel) a nonce is generated, etc. Navigate to any other panel, or reload the page, a new nonce is generated, and so on. See /lib/txplib_head.php (mechanism) and config_dist.php suggested sample for how to configure.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#8 2024-08-04 06:25:28

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,638
GitHub Twitter

Re: CSP issue with admin side

phiw13 wrote #337547:

[…] That is the Textpattern admins side implementation – for each page request (e.g.load the“Files” panel) a nonce is generated, etc. Navigate to any other panel, or reload the page, a new nonce is generated, and so on. See /lib/txplib_head.php (mechanism) and config_dist.php suggested sample for how to configure.

Thanks. A fairly clear explanation! ;)


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#9 2024-08-06 06:01:42

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

Re: CSP issue with admin side

I kinda fixed this – made the error message disappear – by slightly changing the style-src-elem directive, basically adding 'self' to the directive, like this:

"style-src-elem 'self' 'nonce-{TEXTPATTERN_CSP_NONCE}';"

See here for the original, suggested, syntax.

The various CSP “validators” like this one csp-evaluator.withgoogle.com/ find that a-OK. And it does restore and stabilise my delicate sense of chaos.

I am a little unclear as to the “why”, though…


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

Board footer

Powered by FluxBB