
Add Content Security Policy headers to all jQuery content sites #54

Open
1 task done
timmywil opened this issue Jul 4, 2024 · 15 comments · Fixed by #57 or #71
Labels: security; Service: Blogs (WordPress blogs); Service: Doc sites (WordPress doc sites); Service: Miscweb (Static sites and redirects)

Comments

@timmywil
Member

timmywil commented Jul 4, 2024

Proposed header value

"default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self';"

This should be tested with a report header first

  • Set up an endpoint that can accept security reports
@timmywil timmywil self-assigned this Jul 4, 2024
@timmywil timmywil added Service: Doc sites WordPress doc sites. security Service: Blogs WordPress blogs. Service: Miscweb Static sites and redirects. labels Jul 4, 2024
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Aug 12, 2024
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Aug 20, 2024
Krinkle added a commit to jquery/typesense-minibar that referenced this issue Aug 24, 2024
Krinkle added a commit to jquery/jquery-wp-content that referenced this issue Aug 24, 2024
@timmywil
Member Author

This also depends on jquery/jquery-wp-content#463

Also, the nginx changes are only being deployed to staging atm.

@timmywil timmywil reopened this Aug 24, 2024
@Krinkle
Member

Krinkle commented Aug 24, 2024

@timmywil Of the three changed roles, only grunt has staging. It seems https://stage.gruntjs.com/ is now down. I guess an nginx syntax error?

@timmywil
Member Author

After consulting the docs, I don't see anything obviously wrong with the syntax. Instead, I think the issue has to do with the grunt site's use of proxy_pass. The way to address that seems to have changed over the years, but I think moving add_header to the location block will work. Also, we can add always to the end to ensure the header is sent along even in error responses.

@Krinkle
Member

Krinkle commented Aug 26, 2024

@timmywil That didn't seem to bring the site back. I tried logging into the droplet, to check its puppet log and nginx error, but it's not responding to SSH.

Looks like something on 22 Aug (two days before your first patch). Could it be a coincidence?

[Screenshot: DigitalOcean control panel - gruntjs-02.ops.stage.jquery.net]

@Krinkle
Member

Krinkle commented Aug 26, 2024

I've rebooted the instance and the site is now back up. Investigation at #60 (unrelated to this).

timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Dec 6, 2024
https://demos.jquerymobile.com/1.4.5/listview-autocomplete-remote/

- script-src addition for gd.geobytes.com

https://demos.jquerymobile.com/1.5.0-rc1/map-geolocation/

- script-src, connect-src, and style-src additions for google maps

https://demos.jquerymobile.com/1.4.5/datepicker/

- script-src and style-src additions for jsdelivr assets

Ref jquery#54
@timmywil
Member Author

timmywil commented Dec 6, 2024

Number of CSP reports is very low now. It's getting hard to find legitimate reports. The latest PR covers everything I could find from the last 24 hours. I think once that's merged, we can switch to non-report headers, but leave the logs on to watch for anything I might have missed.
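The first comment proposes testing the policy with a report-only header and an endpoint that accepts violation reports, and the comment above describes sifting those reports to find which directive needs which extra source (for example "script-src addition for gd.geobytes.com"). The following is an added example of that triage step, not code from this issue or the jQuery infrastructure repos: it normalizes both report shapes a browser can send (the legacy `csp-report` JSON posted to `report-uri`, and the Reporting API `csp-violation` batches), and counts violations per page host, directive and the source expression that would allow them. The sample reports are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports (not real telemetry from the jQuery sites):
# two in the legacy "csp-report" shape, one Reporting API batch.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://demos.jquerymobile.com/1.4.5/listview-autocomplete-remote/", '
    '"effective-directive": "script-src", "blocked-uri": "https://gd.geobytes.com/AutoCompleteCity?q=a", '
    '"violated-directive": "script-src"}}',
    '[{"type": "csp-violation", "url": "https://demos.jquerymobile.com/1.4.5/datepicker/", '
    '"body": {"documentURL": "https://demos.jquerymobile.com/1.4.5/datepicker/", '
    '"effectiveDirective": "style-src", "blockedURL": "https://cdn.jsdelivr.net/npm/x.css"}}]',
    '{"csp-report": {"document-uri": "https://demos.jquerymobile.com/1.4.5/datepicker/", '
    '"effective-directive": "script-src", "blocked-uri": "inline"}}',
]

def normalize(raw):
    """Yield (page_host, directive, blocked) tuples from one report body."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        # Older browsers only send violated-directive ("script-src 'self' ..."),
        # whose first token is the directive name.
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        yield (urlsplit(r.get("document-uri", "")).netloc, directive, r.get("blocked-uri", ""))
    else:
        for item in data:  # the Reporting API delivers a JSON list of reports
            if item.get("type") != "csp-violation":
                continue
            b = item["body"]
            yield (urlsplit(b.get("documentURL", "")).netloc,
                   b.get("effectiveDirective", ""), b.get("blockedURL", ""))

def source_for(blocked):
    """Map a blocked URL to the CSP source expression that would allow it.
    'inline' and 'eval' become keyword sources that need review, not a
    mechanical policy addition."""
    keywords = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'"}
    if blocked in keywords:
        return keywords[blocked]
    if blocked in ("data", "blob"):
        return blocked + ":"
    return urlsplit(blocked).netloc or blocked

def aggregate(reports):
    """Count violations per (page host, directive, needed source)."""
    counts = Counter()
    for raw in reports:
        for host, directive, blocked in normalize(raw):
            counts[(host, directive, source_for(blocked))] += 1
    return counts
```

The keys of the returned Counter read directly as the policy changes listed in the commit messages above, and hosts that appear only once or twice are the ones worth checking by hand before widening a directive.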

timmywil added a commit that referenced this issue Dec 6, 2024
https://demos.jquerymobile.com/1.4.5/listview-autocomplete-remote/

- script-src addition for gd.geobytes.com

https://demos.jquerymobile.com/1.5.0-rc1/map-geolocation/

- script-src, connect-src, and style-src additions for google maps

https://demos.jquerymobile.com/1.4.5/datepicker/

- script-src and style-src additions for jsdelivr assets

Ref gh-54
Closes gh-70
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Dec 6, 2024
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Dec 6, 2024
@timmywil
Member Author

timmywil commented Dec 7, 2024

Need to switch to non-report headers in jquery-wp-content as well, but first we need to test the production sites. That should be quick as I've tested all the staging sites already and the content should match. But, a few wordpress sites do not have staging equivalents (i.e. blogs).

@timmywil timmywil reopened this Dec 7, 2024
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 9, 2024
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 15, 2024
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 15, 2024
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 15, 2024
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 15, 2024
timmywil added a commit that referenced this issue Dec 15, 2024
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
Member Author

timmywil commented Dec 15, 2024

Remaining items:

  • Test CSP on the blog sites. Headers have been deployed, but are not currently showing up. I'll need help looking into why.
  • Finish addressing any CSP violations for other wordpress sites.
  • Switch the wordpress header to enforced (non-report-only).
  • Switch the blogs header to enforced (non-report-only).

Then we can finally call this done, but continue watching logs for anything I missed.

timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 16, 2024
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 16, 2024
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 16, 2024