
Textpattern CMS support forum


#1 2024-08-02 06:10:01

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207

CSP issue with admin side

TXP 4.9-dev latest, localhost with php 8.3, remote host with php 8.2. Apache, MySQL 8 (local) or MariaDB 10.6 (remote).

  1. Enable a nonce-based CSP for the admin side through config.php
  2. Access that admin side, go through a few panels, do something or other – create or edit an article, upload an image, ….

Visually everything appears fine, and everything appears to work fine: articles are saved or updated, images uploaded, pages and forms correctly edited. Great, a little more safety.

Look at the browser console: one or two error messages (or more if a plugin creates an additional stylesheet?):

Refused to load the stylesheet 'https://l-c-n.com/textpattern/admin-themes/phw_sandspace/sndsp.min.css' because it violates the following Content Security Policy directive: "style-src-elem 'nonce-MzYyMDI2MGI0NDFmMDI4Yw=='".

The fact that both Safari and Brave (Chromium) point to line 1 makes me think there is possibly something with the header itself.

(try it here: l-c-n.com/textpattern/, you won’t be able to get past the login panel, but the error is in the console)

It does not matter which admin theme is active. Any one of them, if CSP ready, triggers the message(s). Those error messages are, I think, bogus. They are annoying though, adding an element of useless noise.

The CSP directives are the standard ones included in config-dist.php, with only the script-src-attr directive modified to accommodate a plugin (shhht… smd_thumbnail).

Anyone seeing the same?

PS – locally also tested with a brand new vanilla install.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern


#2 2024-08-02 10:28:59

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,734

Re: CSP issue with admin side

Interesting, and I’m not sure if it’s related, but can you also try to “save” and then to make further changes to an article and “save” again. Are the second set of changes also saved?

I’ve been adding CSP-capability to some plugins like glz_cf, bot_wtc and smd_tags and I have also seen a console message (not quite the same) on line 1 (from a background process?). In my case, changes made after an initial save were not being committed. I’ve not identified the cause yet, but couldn’t find anything I had overlooked in the plugin code. I’ve yet to get to the bottom of it.


TXP Builders – finely-crafted code, design and txp


#3 2024-08-02 12:12:20

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207

Re: CSP issue with admin side

Ref. Saving and saving again: on localhost at least I have done that multiple times without any issue that I can remember. A quick test on the remote server works just as well. I don’t have any plugins or anything that might interfere with the Textpattern saving routine in any way though. I might test again with com_article_image over the WE to verify, but I think Oleg made sure all would work OK (I remember we tested with CSP active).

–^–

I do remember that it all worked fine (with a rather basic, default install at least) until late last year. That one error started appearing somewhere this year (April maybe??? not sure at all).

FWIW, on the public side with the smd_token plugin it all works fine.



#4 2024-08-03 03:32:56

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,635

Re: CSP issue with admin side

One note: are you sure CSP credentials can be the same for different resources? (i.e. jquery.js, jquery-ui.js and sndsp-min.css)


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.


#5 2024-08-03 05:44:06

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207

Re: CSP issue with admin side

Pat64 wrote #337541:

One note: are you sure CSP credentials can be the same for different resources? (i.e. jquery.js, jquery-ui.js and sndsp-min.css)

I don’t think that is a problem. The logic is: calls for resources must match a token set by the page before being allowed, I think.



#6 2024-08-04 03:51:06

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,635

Re: CSP issue with admin side

“The two most important things to remember when using a nonce, especially with respect to (CSP), is that we only use our nonce once (for one request), and the nonce should be so random that no one could guess it.”

See: https://content-security-policy.com/nonce/



#7 2024-08-04 05:14:31

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207

Re: CSP issue with admin side

By which I understand: a unique, random nonce is generated on page request, sent with the relevant HTTP response header. All resources of type script, inline script-blocks and style must match this nonce when called. The page you linked to is not entirely clear though.

That is the Textpattern admin-side implementation – for each page request (e.g. load the “Files” panel) a nonce is generated, etc. Navigate to any other panel, or reload the page, and a new nonce is generated, and so on. See /lib/txplib_head.php (mechanism) and the config_dist.php suggested sample for how to configure.



#8 2024-08-04 06:25:28

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,635

Re: CSP issue with admin side

phiw13 wrote #337547:

[…] That is the Textpattern admin-side implementation – for each page request (e.g. load the “Files” panel) a nonce is generated, etc. Navigate to any other panel, or reload the page, and a new nonce is generated, and so on. See /lib/txplib_head.php (mechanism) and the config_dist.php suggested sample for how to configure.

Thanks. A fairly clear explanation! ;)



#9 2024-08-06 06:01:42

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,207

Re: CSP issue with admin side

I kinda fixed this – made the error message disappear – by slightly changing the style-src-elem directive, basically adding 'self' to the directive, like this:

"style-src-elem 'self' 'nonce-{TEXTPATTERN_CSP_NONCE}';"

See here for the original, suggested, syntax.

The various CSP “validators” like this one csp-evaluator.withgoogle.com/ find that a-OK. And it does restore and stabilise my delicate sense of chaos.

I am a little unclear as to the “why”, though…


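Added example (not Textpattern's code, and not a full CSP implementation): a small Python model of how a browser evaluates a `style-src-elem` source list for a `<link rel="stylesheet">`, using the nonce and theme stylesheet URL quoted in the console message in #1 and an assumed page origin. It shows the semantics behind the nonce description in #7 and the fix in #9: a nonce-only list admits only elements whose nonce attribute equals the header value (several elements in one response sharing that nonce is fine), while adding 'self' admits any same-origin stylesheet whether or not it carries a nonce.

```python
from urllib.parse import urlsplit

# Constructed sample values: nonce and stylesheet URL as quoted in the console message; page origin assumed.
NONCE = "MzYyMDI2MGI0NDFmMDI4Yw=="
PAGE_ORIGIN = "https://l-c-n.com"
THEME_CSS = "https://l-c-n.com/textpattern/admin-themes/phw_sandspace/sndsp.min.css"
NONCE_ONLY = f"default-src 'none'; style-src-elem 'nonce-{NONCE}'"
WITH_SELF = f"default-src 'none'; style-src-elem 'self' 'nonce-{NONCE}'"

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin_of(url):
    u = urlsplit(url)
    return (u.scheme.lower(), u.hostname, u.port)

def source_matches(source, url, page_origin, element_nonce):
    """Does one source expression permit `url` for an element carrying `element_nonce`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == origin_of(page_origin)
    if source.startswith("'nonce-") and source.endswith("'"):
        # Compared per element: several elements in one response may share the nonce;
        # the check is simply that the attribute equals the header value exactly.
        return element_nonce is not None and source[len("'nonce-"):-1] == element_nonce
    if source.startswith("'"):
        return False  # hashes, 'unsafe-inline' etc. are not modelled
    src = urlsplit(source if "://" in source else "//" + source)  # plain host source
    return src.hostname == urlsplit(url).hostname and src.scheme in ("", urlsplit(url).scheme)

def stylesheet_allowed(header, url, page_origin, element_nonce=None):
    """Consult the directives a browser uses for <link rel=stylesheet>, most specific first."""
    policy = parse_csp(header)
    for directive in ("style-src-elem", "style-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, url, page_origin, element_nonce) for s in policy[directive])
    return True  # no governing directive: the load is unrestricted

if __name__ == "__main__":
    for label, policy in (("nonce only", NONCE_ONLY), ("with 'self'", WITH_SELF)):
        print(label, "| link without nonce:", stylesheet_allowed(policy, THEME_CSS, PAGE_ORIGIN),
              "| link with nonce:", stylesheet_allowed(policy, THEME_CSS, PAGE_ORIGIN, NONCE))
```

The first line of output reproduces the blocked load from the console message; note that 'self' widens the allow-list from one nonced element to every stylesheet served from the site's own origin.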
