
Improve RESTBase CSP headers: use 'self' instead of *, allow inline styles for sanitized content
Closed, Resolved · Public

Description

On pages like https://rest.wikimedia.org/en.wikipedia.org/v1/page/html/User%3AMarcoil%2FTests%2FCite/648024713, Chrome refuses to render inline styles and prints the following warning in the console:

"Refused to apply inline style because it violates the following Content Security Policy directive: "style-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-Mvsp77heuEPm7zRATyUk_qLvOCN0lwgUfh8tzx_2ync='), or a nonce ('nonce-...') is required to enable inline execution."

As the error message says, we are currently setting "style-src *". The error is triggered by a simple and harmless inline style.

It sounds like one option would be to include unsafe-inline, but we should check with @csteipp if that's okay.

Event Timeline

GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description.
GWicke added subscribers: GWicke, csteipp.
Restricted Application added a subscriber: Aklapper. Jul 6 2015, 8:52 PM
GWicke set Security to None.
GWicke removed a subscriber: Aklapper.
GWicke added subscribers: Arlolra, ssastry.
jeremyb added a subscriber: jeremyb. Jul 6 2015, 9:02 PM
Krenair added a subscriber: Krenair.

Do we need to send browsers to rest.wikimedia.org directly? If this is just a convenience so you can view the html of a page when you typically would fetch the html and present it in another context, then I would discourage it.

If you really need to do that, let's do that in a way that the services that are proxied by restbase still have style-src * (or hopefully something more restrictive in the future).

@csteipp & myself just had a quick chat about this in the office, and came up with a plan:

  • with the /api/rest_v1/ entry points we can now use 'self' instead of * for most CSP settings, which makes it more secure
  • for backend services like Parsoid where we know that styles have been sanitized to our standards, we can set style-src 'self' 'unsafe-inline', which will allow rendering of the remaining (hopefully safe) inline styles
GWicke renamed this task from "Investigate CSP header interaction with inline styles" to "Improve RESTBase CSP headers: use 'self' instead of *, allow inline styles for sanitized content". Jul 6 2015, 10:15 PM
GWicke assigned this task to Pchelolo.
GWicke triaged this task as Normal priority.

Sounds good. Content and inline styles that we embed in production wiki output should certainly be fine to output on restbase domains as well.

ssastry moved this task from Backlog to Non-Parsoid Tasks on the Parsoid board. Jul 10 2015, 4:30 AM

The PR has been deployed, so this is ready to be closed.

Pchelolo closed this task as Resolved. Jul 31 2015, 7:09 PM
sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:17 PM