Content
Adjustability of Content-Security-Policy header
Added by H. P. about 3 years ago
Hello community,
The team I'm in and me are facing an issue with a, well, somewhat sophisticated enterprise network setup. The setup is this:
- OpenProject installed on a machine. With that setup: an apache, working fine, the OpenProject website is displayed fine. (The Apache seems to be part of the standard setup, so there it is, doesn't do any harm.)
- On a separate machine: a load balancer / (reverse) proxy, namely an nginx presenting all internal web applications to the public. (We do not balance loads yet, OpenProject is currently on a single machine.) It can reach OpenProject and over there, the website still is working fine. With the following exception:
- Some forms do not work, e.g. login (login still works, but you have to refresh the page) or creation and deletion of 2FA tokens.
edit: The OpenProject version seems to be "/opt/openproject/.pkgr.yml::version: 12.0.7" (since the web frontend doesn't tell easily, I did a bit of digging with the grep shovel)
The browser console straight-forwardly shows the issue: CSP prevents any (i)frame sources apart from 'self'. This actually applies to all CSP policies (well, you'll find player.vimeo.com alongside, which is funny, but not relevant to the issue).
I found no documentation as to whether and how this is adjustable. What in the end did the trick was:
# /opt/openproject/config/initializers/secure_headers.rb, line 25:
default_src = %w('self') + %w(<instance's public FQDN>) + OpenProject::Configuration.remote_storage_hosts
The second string is our insertion.
remote_storage_hosts does not sound like something you want to adjust if not the storage is on a different machine, but public traffic termination is. Yes, we did set SERVER_HOSTNAME to the public FQDN, it has no influence on the CSPs.
So either we are missing something or I'd like to report a design flaw – the latter being not only that OpenProject implies the CSP sources from some logic that can never know everything, no, it just sets 'self' and goes away.
Does anyone know how to properly adjust this instead of adjusting the codebase which on every update (which we do frequently through automation) will fall apart again and needs additional automation codebase and watching that the adjustments still work?
We already dropped a mail to support@ as late as yesterday evening (CEST), so in case something happens there, I'll drop a line or two over here :-)
Replies (1)
We were missing one step in this setup - how the web server identifies itself.
If you define the public FQDN as ServerAlias (in the web server answering on your OpenProject machine), for instance, things work out well and a CSP source of 'self' is valid.
So it's not a major design flaw, but I could imagine that the adjustability still can make sense for further interaction with other web services or whatever, so this may indeed serve as a feature request.