RW & addons in general, CSP3 and unsafe-inline Javascripts


(Tomas Jakobs) #1

I’ve always been proud to get A-Rankings in Mozilla Observatory and Google’s CSP Validators. Unfortunately Foundation makes use of ‘unsafe-inline’ Javascripts and so my Website is now degraded to B+. This is not acceptable because I am operating in the security and privacy business. So I am now thinking about kicking Foundation in favor of other Frameworks. Anybody here with the same thoughts on this? Any suggestions?


(Joe Workman) #2

I can appreciate being proud of getting a good grade on your website. This is actually the first time that I have heard of these CSP test sites. However, if you are going to be making public accusations like this, you better have some data to back it up.

  • You never give a URL to either the test site or your own. I searched around and could not find this particular test. I could not find any CSP Validator from Google.
  • If your site was an A before, what changed? Were you not using Foundation before?
  • How do we know that it’s Foundation? I assume that you may have many other stacks on the page.
  • What “unsafe script” does this test think that you have?

If you provide the data, I would be happy to look at it. If we uncover any ways to improve Foundation, I am all for it.


(Tomas Jakobs) #3

Hello Joe, thank you for your quick answer. In short the requested information:

I am using Mozilla Observatory Test (https://observatory.mozilla.org). Google’s CSP Validator Test can be found here (https://csp-evaluator.withgoogle.com). My Website is https://jakobssystems.net

It’s really just the “unsafe-inline” in script-src that matters, everything else is fine. Without this the design is broken, forms don’t work etc. To me it’s either Foundation or Stacks but you may have a broader approach and more information on this.


(Joe Workman) #4

So I tested a few sites on the Mozilla CSP test site… https://observatory.mozilla.org/

Here are some test results…

  • Mozilla - B (HA! It’s their own tool!!!)
  • Amazon - D
  • Apple - C-
  • Google - D
  • Bank of America - F
  • Chase - D
  • PayPal - B
  • Barclays - F

As you can see from the grades above, the grade that these online testers provide really needs to be taken with a grain of salt (ok, maybe a bucket of salt).


(Tomas Jakobs) #5

Joe, this comparison doesn’t bring us forward: github.com and many other popular sites have A+ so what?

As I said before, I am selling Security. A “good enough” ranking is not an option. I compare myself to first class not 2nd or 3rd. I would like to keep using Foundation. It’s the most complete framework for Rapidweaver I know. Looking forward to you finding a solution for “unsafe-inline”.


(Joe Workman) #6

I had found that Google tester and it had not worked on any URL that I put in there. It does on yours though. It really gives no details on the inline script stuff. From a bit of reading, this test wants zero inline javascript on the page at all.

I think that the reason for this is so that it can ensure that all scripts come from a secure connection. However, if you are on an HTTPS connection, shouldn’t the HTML page that was downloaded and contains inline script be considered secure as well? Seems like this test is a bit extreme if you ask me.

It seems that you can turn that particular test off. I am not 100% sure on that.

Does Foundation contain inline JavaScript? Yes. But so do other stacks on your page. Your analytics code on the page is also inline JS and would trigger a fail on this test as well. So again, I ask… What has changed since your site used to score an A? It’s possible that your site did not change at all, the test did.

I am all for pushing things forward. However, with my current limited knowledge of how this test functions, I am not sure that I see the benefit. Making external calls for everything that is currently inlined would mean slower page load times since each of those resources would need to be an extra HTTP request. That will be less of a concern as the newer HTTP/2 protocol becomes more mainstream.


(Joe Workman) #8

I had a look at the results for your site again. 2 days ago, you had an A+ (115/100). So I ask again… what changed?


(Jannis from inStacks Software) #9

With using OpenSource code, you use code used by hundreds / thousands of others, and this code will be checked for security flaws even more. Don’t use only hand written code.


(Joe Workman) #10

Yes. Foundation is open source. However, it’s only HTML/CSS/JS. There is nothing there that could be used to gain any sort of access to your server which is what a hacker would need to do in order to inject any kind of code into your webpage.


(Tomas Jakobs) #11

Off the Shelf? Well Foundation is pretty Open Source, solid and approved. And I appreciate Joe’s hard work to put everything into RW. The reason I am using RW is because I do not want to use an unknown CMS with a plethora of bugs like WP, Joomla and others… plain HTML/JS/CSS period.


(Tomas Jakobs) #12

Yes nothing changed at my site. Before writing here I checked and double-checked if there is something I could do first. Finally it was this “unsafe-inline” which broke everything.


(Doug Bennett) #14

Looks like the first two “unsafe-inline” errors are your analytics and your fonts:

That has nothing to do with Foundation. As Joe pointed out other stacks will get this error as well; on your page you use the player stack from stacks for stacks.


(Joe Workman) #15

So if nothing has changed on your site, then that means that the test itself was changed. I already stated my opinion on this particular test. I will take this input into account for the next version of Foundation. However, I won’t be making any changes in this area right now.


(Tomas Jakobs) #16

Alright, I have sorted it out. As suggested by @teefers and others I’ve removed the video and changed my piwik tracking code (and adjusted Jack heights and margins). After that I could remove the unsafe-inline.

But one issue remains @joeworkman The TopMenu now doesn’t work on mobile anymore. The Hamburger Menu doesn’t open. If you could please fix this, then I could live with this.


(Joe Workman) #17

You need to allow inline javascript in your CSP headers. The inline JS defined in the Foundation theme is not being executed. Therefore, it’s not being executed and the Foundation JS will not execute.

Glad that you got your score back up though! :slight_smile:


(Tomas Jakobs) #18

…yes @joeworkman but the price is: Foundation TopMenu doesn’t work on mobile :frowning:


(Jannis from inStacks Software) #19

These are your response headers for https://jakobssystems.net, all referring to https://jakobssystems.de

Accept-Ranges:bytes
Access-Control-Allow-Origin:SAMEORIGIN
Cache-Control:max-age=604800, public
Connection:keep-alive, Keep-Alive
Content-Encoding:gzip
Content-Length:5848
Content-Security-Policy:frame-ancestors 'self'; default-src 'self' *.jakobssystems.de; img-src 'self' data: analytics.jakobssystems.de; script-src 'self' analytics.jakobssystems.de chat.jakobssystems.de; style-src 'self' *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com; font-src 'self' *.jakobssystems.de fonts.gstatic.com fonts.googleapis.com maxcdn.bootstrapcdn.com; media-src 'self'; connect-src 'self' data: chat.jakobssystems.de; object-src: 'self'
Content-Type:text/html
Date:Fri, 21 Jul 2017 06:09:50 GMT
ETag:"7370-554ccb3abde00-gzip"
Keep-Alive:timeout=5, max=100
Last-Modified:Fri, 21 Jul 2017 04:57:28 GMT
Referrer-Policy:no-referrer
Server:Apache/2.4.25
Strict-Transport-Security:max-age=63072000; includeSubDomains; preload
Vary:Accept-Encoding
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block


(Tomas Jakobs) #20

Jannis yes 'cause all my management tools (e.g. piwik) are hosted at my .de domain - but this is not the point. As mentioned before I’ve kicked the Video and changed my tracking to keep an A-Ranking.


(Jannis from inStacks Software) #21

That is exactly the point, because you have numerous JavaScript errors exactly because the defined Content-Security-Policy is not fitting to the domain.

Very easy to see in Google Chrome dev tools, which should be known to you…

Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’ analytics.jakobssystems.de chat.jakobssystems.de”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-e2Zkvf5UYVFK7sHWKSkZYf0zPJdMBpUUL1nA13oFJkA=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:29 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’ analytics.jakobssystems.de chat.jakobssystems.de”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-pMS7ISQ6JpNKnv9qvFBkT/0TrWYnZlkjoXE68S8UjLQ=’), or a nonce (‘nonce-…’) is required to enable inline execution.

stacks_page_page0.js:88 Uncaught ReferenceError: loadCSS is not defined
at stacks_page_page0.js:88
at stacks_page_page0.js:93
jakobssystems.net/:45 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’ analytics.jakobssystems.de chat.jakobssystems.de”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-irigx0ZW8qcTrmlmV+YX8Auq3tLlt8zJakhgZ7DjDbA=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:133 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-813i06waEiG5NRkGknqRiKi6L9t4XAVXmsGJvURmCgo=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:156 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:166 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:176 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:191 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:201 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:211 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:226 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:236 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:246 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:261 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:271 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

jakobssystems.net/:281 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-Wi3+8jbn12vus9Oq4FOqEUCOpuRG3clBaVvLZZ2b9Fs=’), or a nonce (‘nonce-…’) is required to enable inline execution.

foundation.min.js:1 Uncaught ReferenceError: foundation is not defined
at foundation.min.js:1
jakobssystems.net/:376 Refused to apply inline style because it violates the following Content Security Policy directive: “style-src ‘self’ *.jakobssystems.de fonts.googleapis.com maxcdn.bootstrapcdn.com”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-ZDjCdTstFUpLDovBdF6MXbSPB35alPr6sy4CYtyHSA4=’), or a nonce (‘nonce-…’) is required to enable inline execution.


(Anonymous Coward) #22

Hi @jakobssystems,

You have several style-src errors. Adding ‘unsafe-inline’ (as you probably know) will eliminate them, and will not hurt Observatory score. The threat level is low, and limited to styling. It’s comparatively lower than Javascript.

With respect to Javascript, ‘unsafe-inline’ is ‘unsafe-inline’, and has nothing to do with where the Javascript is originating. This is because all inline Javascript is subject to external modification, which CSP headers intend to mitigate. This includes your analytics.

If wanting to have any inline Javascript, each unique inline Javascript entry must be supplied a nonce value (base64 string) or hashed with SHA2. There are no exceptions. The assignment effectively says, “This specific script is allowed to run.”

As a RapidWeaver user, you can fix your offending analytics Javascript and anything inline that you’ve added. However, inline content added by individual stacks or themes will be more difficult.

Your site is served over SSL. As such, I believe (and welcome correction) that one would need to crack SSL in order to exploit script-src ‘unsafe-inline’: a MiTM attack. The risk of cracking SSL can be further mitigated by Public Key Pinning, which secures against intermediary certs. That won’t improve your score though.
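The hash and nonce mechanism described in the post above, and the ‘sha256-…’ values Chrome prints in the console output in post #19, work as shown in the following added example (written for this thread, not code from any poster, RapidWeaver or Foundation). The inline script body is a constructed sample; the allowed hosts are the ones from the site’s own script-src shown earlier in the thread.

```python
import base64
import hashlib
import secrets

# Constructed sample of the kind of inline snippet a theme or analytics stack
# emits. The real page's scripts (and therefore their hashes) are not on the page.
INLINE_SCRIPT = "window.dataLayer = window.dataLayer || [];"

# Hosts taken from the script-src directive quoted in the thread.
ALLOWED_HOSTS = ["analytics.jakobssystems.de", "chat.jakobssystems.de"]


def csp_hash(script_body: str) -> str:
    """CSP source expression for one inline script: SHA-256 of its exact bytes,
    base64-encoded. Any whitespace change to the script changes the hash, which
    is why a CMS that re-emits inline code on every build is hard to hash-allow."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_nonce() -> str:
    """Per-response nonce (128 random bits). It must be generated fresh for every
    response; a static nonce is equivalent to 'unsafe-inline'."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_script_src(hosts, inline_scripts=(), nonce=None) -> str:
    """Assemble a script-src that allows listed hosts plus specific inline scripts
    by hash and/or nonce, without ever falling back to 'unsafe-inline'."""
    sources = ["'self'", *hosts, *(csp_hash(s) for s in inline_scripts)]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "script-src " + " ".join(sources)


def inline_allowed(script_src: str, script_body: str, nonce_attr=None) -> bool:
    """Model the browser's decision for one inline <script> under a script-src.
    CSP3 rule: once any hash or nonce source is present, 'unsafe-inline' is
    ignored, so mixing the keyword with hashes does not loosen the policy."""
    tokens = script_src.split()[1:]
    strict = any(t.startswith(("'sha256-", "'nonce-")) for t in tokens)
    if "'unsafe-inline'" in tokens and not strict:
        return True
    if nonce_attr and f"'nonce-{nonce_attr}'" in tokens:
        return True
    return csp_hash(script_body) in tokens


if __name__ == "__main__":
    policy = build_script_src(ALLOWED_HOSTS, [INLINE_SCRIPT])
    print(policy)
    print("sample allowed:", inline_allowed(policy, INLINE_SCRIPT))
    print("modified blocked:", not inline_allowed(policy, INLINE_SCRIPT + " "))
```

The hash must be taken over the script element's content exactly as served; Chrome's console message already prints the value it computed, so comparing it with `csp_hash()` of the served text is a quick way to confirm the site is hashing the same bytes the browser sees.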