From 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 21 Feb 2019 16:27:32 +0100 Subject: [PATCH] BREAKING: update CSP configuration Disable it by default and add ability to specify a custom report uri --- config/default.yaml | 7 +++++-- config/production.yaml.example | 6 ++++++ server.ts | 16 +++++++++------- server/initializers/checker-after-init.ts | 6 ++++++ server/initializers/checker-before-init.ts | 1 + server/initializers/constants.ts | 6 +++++- server/middlewares/csp.ts | 10 ++++------ .../config/custom-environment-variables.yaml | 3 --- 8 files changed, 36 insertions(+), 19 deletions(-) diff --git a/config/default.yaml b/config/default.yaml index 1f6046a1b..6c339e66d 100644 --- a/config/default.yaml +++ b/config/default.yaml @@ -96,6 +96,11 @@ redundancy: # strategy: 'recently-added' # Cache recently added videos # min_views: 10 # Having at least x views +csp: + enabled: false + report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! + report_uri: + cache: previews: size: 500 # Max number of previews you want to cache @@ -182,8 +187,6 @@ instance: "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:" services: - # You can provide a reporting endpoint for Content Security Policy violations - csp-logger: # Cards configuration to format video in Twitter twitter: username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published diff --git a/config/production.yaml.example b/config/production.yaml.example index ae8fb2d51..c227d5fcc 100644 --- a/config/production.yaml.example +++ b/config/production.yaml.example @@ -97,6 +97,12 @@ redundancy: # strategy: 'recently-added' # Cache recently added videos # min_views: 10 # Having at least x views +csp: + enabled: false + report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! + report_uri: + + ############################################################################### # # From this point, all the following keys can be overridden by the web interface diff --git a/server.ts b/server.ts index b50151859..c450d5b6e 100644 --- a/server.ts +++ b/server.ts @@ -55,13 +55,15 @@ app.set('trust proxy', CONFIG.TRUST_PROXY) // Security middleware import { baseCSP } from './server/middlewares' -app.use(baseCSP) -app.use(helmet({ - frameguard: { - action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts - }, - hsts: false -})) +if (CONFIG.CSP.ENABLED) { + app.use(baseCSP) + app.use(helmet({ + frameguard: { + action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts + }, + hsts: false + })) +} // ----------- Database ----------- diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts index 955d55206..53124f9ec 100644 --- a/server/initializers/checker-after-init.ts +++ b/server/initializers/checker-after-init.ts @@ -34,6 +34,12 @@ async function checkActivityPubUrls () { // Return an error message, or null if everything is okay function checkConfig () { + // Moved configuration keys + if (config.has('services.csp-logger')) { + logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.') + } + + // Email verification if (!Emailer.isEnabled()) { if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) { return 'Emailer is disabled but you require signup email verification.' diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index 230fdd356..2567d957b 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts @@ -15,6 +15,7 @@ function checkMissedConfig () { 'storage.redundancy', 'storage.tmp', 'storage.playlists', 'log.level', 'user.video_quota', 'user.video_quota_daily', + 'csp.enabled', 'csp.report_only', 'csp.report_uri', 'cache.previews.size', 'admin.email', 'contact_form.enabled', 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 0ede45620..0d9a6a512 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts @@ -229,6 +229,11 @@ const CONFIG = { STRATEGIES: buildVideosRedundancy(config.get('redundancy.videos.strategies')) } }, + CSP: { + ENABLED: config.get('csp.enabled'), + REPORT_ONLY: config.get('csp.report_only'), + REPORT_URI: config.get('csp.report_uri') + }, ADMIN: { get EMAIL () { return config.get('admin.email') } }, @@ -300,7 +305,6 @@ const CONFIG = { get SECURITYTXT_CONTACT () { return config.get('admin.email') } }, SERVICES: { - get 'CSP-LOGGER' () { return config.get('services.csp-logger') }, TWITTER: { get USERNAME () { return config.get('services.twitter.username') }, get WHITELISTED () { return config.get('services.twitter.whitelisted') } diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts index 5fa9d1ab5..404e33b43 100644 --- a/server/middlewares/csp.ts +++ b/server/middlewares/csp.ts @@ -18,22 +18,20 @@ const baseDirectives = Object.assign({}, frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src }, - CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {}, + CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {}, CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {} ) const baseCSP = helmet.contentSecurityPolicy({ directives: baseDirectives, browserSniff: false, - reportOnly: true + reportOnly: CONFIG.CSP.REPORT_ONLY }) const embedCSP = helmet.contentSecurityPolicy({ - directives: Object.assign(baseDirectives, { - frameAncestors: ['*'] - }), + directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }), browserSniff: false, // assumes a modern browser, but allows CDN in front - reportOnly: true + reportOnly: CONFIG.CSP.REPORT_ONLY }) // --------------------------------------------------------------------------- diff --git a/support/docker/production/config/custom-environment-variables.yaml b/support/docker/production/config/custom-environment-variables.yaml index 8604939aa..bd4ac1215 100644 --- a/support/docker/production/config/custom-environment-variables.yaml +++ b/support/docker/production/config/custom-environment-variables.yaml @@ -111,6 +111,3 @@ instance: name: "PEERTUBE_INSTANCE_NAME" description: "PEERTUBE_INSTANCE_DESCRIPTION" terms: "PEERTUBE_INSTANCE_TERMS" - -services: - csp-logger: "PEERTUBE_SERVICES_CSPLOGGER" -- 2.25.1