The base-uri policy is missing

Created on 3 December 2019, almost 5 years ago
Updated 22 February 2023, over 1 year ago

The base-uri policy is missing from Seckit. Considering the module is exclusively security related, the missing base-uri could be understood as a bug, because an attacker could potentially insert a <base> tag, which would prepend an untrusted external domain to all relative script paths.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi...

If someone is missing that base-uri policy, I explained at https://www.drupal.org/project/seckit/issues/3052779#comment-13376415 the code to append extra policies to the ones generated by Seckit until a more flexible version of Seckit appears.
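
As an added illustration (not part of the original issue and not Seckit code), the script below shows in JavaScript what the report describes and what a base-uri check looks like: it resolves relative script paths with and without an injected <base href>, and it classifies a Content-Security-Policy header value by whether base-uri is absent, permissive or restrictive. The document URL, the host attacker.invalid and the three header strings are constructed sample values; the function names are this example's own. It relies on one CSP rule worth remembering: base-uri does not fall back to default-src, so a policy that sets only default-src leaves <base> unrestricted. It needs only Node's global URL class.

```javascript
// Added example, not Seckit code: why a CSP without base-uri leaves <base>
// injection open, and how to check a header value for it. Node >= 10 only.

// Resolve the script URLs a browser would fetch for the given relative src
// attributes. baseHref is the <base href> in effect, or null when there is
// none (then the document URL itself is the base).
function resolveScripts(documentUrl, baseHref, relativeSrcs) {
  const base = baseHref === null ? documentUrl : new URL(baseHref, documentUrl).href;
  return relativeSrcs.map((src) => new URL(src, base).href);
}

// Parse a CSP header value into a Map of directive name -> source tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A source expression that lets an attacker point <base> at a host they control.
function isOpenSource(token) {
  return token === '*' ||                          // any origin
    /^[a-z][a-z0-9+.-]*:$/i.test(token) ||         // scheme-only, e.g. https:
    token.startsWith('*.') ||                      // wildcard host
    /^[a-z][a-z0-9+.-]*:\/\/\*\./i.test(token);    // scheme + wildcard host
}

// Classify a policy: 'missing' (no base-uri at all; default-src does NOT
// cover <base>), 'permissive' (base-uri present but open), or 'restricted'.
function classifyBaseUri(header) {
  const policy = parseCsp(header);
  if (!policy.has('base-uri')) return 'missing';
  const sources = policy.get('base-uri');
  // An empty source list behaves like 'none': no <base> element is allowed.
  if (sources.length === 0 || sources.includes("'none'")) return 'restricted';
  return sources.some(isOpenSource) ? 'permissive' : 'restricted';
}

// Constructed sample values (not taken from the issue).
const DOC = 'https://example.org/node/1';
const SCRIPTS = ['core/misc/drupal.js', '/core/misc/drupal.js'];
const CSP_NO_BASE_URI = "default-src 'self'; script-src 'self'; report-uri /report-csp-violation";
const CSP_OPEN = "default-src *; script-src *; base-uri *; report-uri /report-csp-violation";
const CSP_SAFE = "default-src 'self'; base-uri 'self'; report-uri /report-csp-violation";

function demo() {
  const rows = [
    ['no <base>', resolveScripts(DOC, null, SCRIPTS)],
    ['injected <base href="//attacker.invalid/">', resolveScripts(DOC, '//attacker.invalid/', SCRIPTS)],
  ];
  for (const [label, urls] of rows) console.log(label, urls);
  for (const h of [CSP_NO_BASE_URI, CSP_OPEN, CSP_SAFE]) console.log(classifyBaseUri(h), '<-', h);
}
demo();
```

With no <base> element both relative paths stay on example.org; with the injected protocol-relative <base href> every relative script src, including the absolute-path form /core/misc/drupal.js, resolves under attacker.invalid, which is exactly the rewrite the report warns about. The classifier flags the first header as missing even though default-src is 'self', the second as permissive because base-uri * allows any origin, and only the third as restricted.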

πŸ› Bug report
Status

Needs review

Version

2.0

Component

Code

Created by

🇧🇪 Belgium cubeinspire

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇸🇪 Sweden Kleve

    Patch 3098417-26.patch is partly rejected against the current stable release 2.0.1. It looks like the rejected code is in /tests/src/Functional/SecKitTestCaseTest.php

    Do we have a working patch for 2.0.1?

    Rejected code

    --- tests/src/Functional/SecKitTestCaseTest.php
    +++ tests/src/Functional/SecKitTestCaseTest.php
    @@ -97,11 +97,12 @@ class SecKitTestCaseTest extends BrowserTestBase {
           'seckit_xss[csp][child-src]' => '*',
           'seckit_xss[csp][font-src]' => '*',
           'seckit_xss[csp][connect-src]' => '*',
    +      'seckit_xss[csp][base-uri]' => '*',
           'seckit_xss[csp][report-uri]' => $this->reportPath,
           'seckit_xss[csp][upgrade-req]' => TRUE,
         ];
         $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    -    $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; report-uri ' . base_path() . $this->reportPath . '; upgrade-insecure-requests';
    +    $expected = "default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; base-uri *; report-uri " . base_path() . $this->reportPath . '; upgrade-insecure-requests';
         $this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-WebKit-CSP', $expected);
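    Review bot: the $expected assignment switches from single to double quotes although the string contains no interpolation or escape sequences, so the hunk rewrites the whole line where inserting the single token base-uri *;  before report-uri  would do; keeping the original single-quoted literal keeps the change minimal and consistent with Drupal coding standards. Also, the unchanged drupalPostForm() call two lines above it was removed in Drupal 10, so on the 10.0.7 environment shown on this issue this case cannot reach its assertions until it is changed to $this->submitForm($form, 'Save configuration').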
    @@ -126,11 +127,12 @@ class SecKitTestCaseTest extends BrowserTestBase {
           'seckit_xss[csp][child-src]' => '*',
           'seckit_xss[csp][font-src]' => '*',
           'seckit_xss[csp][connect-src]' => '*',
    +      'seckit_xss[csp][base-uri]' => '*',
           'seckit_xss[csp][report-uri]' => $this->reportPath,
           'seckit_xss[csp][upgrade-req]' => TRUE,
         ];
         $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    -    $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; report-uri ' . base_path() . $this->reportPath . '; upgrade-insecure-requests';
    +    $expected = "default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; base-uri *; report-uri " . base_path() . $this->reportPath . '; upgrade-insecure-requests';
         $this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-Content-Security-Policy', NULL);
         $this->assertSession()->responseHeaderEquals('X-WebKit-CSP', NULL);
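    Review bot: the $expected literal in this hunk is a verbatim copy of the one in the previous hunk (and of the two that follow), the cases differing only in which vendor-prefixed headers they assert on, so adding base-uri means editing four identical strings and any later directive will again touch all four. Consider building the expected policy once from the $form array, or from a shared helper, so the directive list is declared in one place and the cases vary only the header assertions.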
    @@ -155,11 +157,12 @@ class SecKitTestCaseTest extends BrowserTestBase {
           'seckit_xss[csp][child-src]' => '*',
           'seckit_xss[csp][font-src]' => '*',
           'seckit_xss[csp][connect-src]' => '*',
    +      'seckit_xss[csp][base-uri]' => '*',
           'seckit_xss[csp][report-uri]' => $this->reportPath,
           'seckit_xss[csp][upgrade-req]' => TRUE,
         ];
         $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    -    $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; report-uri ' . base_path() . $this->reportPath . '; upgrade-insecure-requests';
    +    $expected = "default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; base-uri *; report-uri " . base_path() . $this->reportPath . '; upgrade-insecure-requests';
         $this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-WebKit-CSP', NULL);
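    Review bot: base-uri is a CSP Level 2 directive that the pre-standard X-Content-Security-Policy header asserted here never supported, so this assertion only confirms that the module copies the same string into the legacy header. That is acceptable for symmetry, but a one-line comment in the test should say so; as written it reads as if the prefixed header carried a meaningful base-uri.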
    @@ -184,11 +187,12 @@ class SecKitTestCaseTest extends BrowserTestBase {
           'seckit_xss[csp][child-src]' => '*',
           'seckit_xss[csp][font-src]' => '*',
           'seckit_xss[csp][connect-src]' => '*',
    +      'seckit_xss[csp][base-uri]' => '*',
           'seckit_xss[csp][report-uri]' => $this->reportPath,
           'seckit_xss[csp][upgrade-req]' => TRUE,
         ];
         $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    -    $expected = 'default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; report-uri ' . base_path() . $this->reportPath . '; upgrade-insecure-requests';
    +    $expected = "default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; frame-ancestors *; child-src *; font-src *; connect-src *; base-uri *; report-uri " . base_path() . $this->reportPath . '; upgrade-insecure-requests';
         $this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-Content-Security-Policy', NULL);
         $this->assertSession()->responseHeaderEquals('X-WebKit-CSP', $expected);
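    Review bot: the rewritten $expected mixes a double-quoted opening literal with the single-quoted '; upgrade-insecure-requests' tail inside the same concatenation; use one quoting style for the whole expression (single quotes, as the unchanged lines in this file do) so the four expected-policy lines stay uniform and the diff stays readable.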
    @@ -247,12 +252,13 @@ class SecKitTestCaseTest extends BrowserTestBase {
           'seckit_xss[csp][child-src]' => '',
           'seckit_xss[csp][font-src]' => '',
           'seckit_xss[csp][connect-src]' => '',
    +      'seckit_xss[csp][base-uri]' => "'self'",
           'seckit_xss[csp][report-uri]' => $this->reportPath,
           'seckit_xss[csp][upgrade-req]' => FALSE,
           'seckit_xss[csp][policy-uri]' => '',
         ];
         $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    -    $expected = "default-src self; report-uri " . base_path() . $this->reportPath;
    +    $expected = "default-src self; base-uri 'self'; report-uri " . base_path() . $this->reportPath;
         $this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-Content-Security-Policy', $expected);
         $this->assertSession()->responseHeaderEquals('X-WebKit-CSP', $expected);
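    Review bot: the added base-uri value is the quoted keyword 'self', but $expected in the same case asserts default-src self with the bare word. An unquoted self in a CSP source list is a host-source (a host literally named self), not the 'self' keyword, so this case now asserts an invalid default-src next to a correctly quoted base-uri. Quote default-src as 'self' in the form value and in $expected in the same change rather than leaving the two directives inconsistent.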
    @@ -320,15 +326,16 @@ class SecKitTestCaseTest extends BrowserTestBase {
           $form['seckit_xss[csp][vendor-prefix][x]'] = TRUE;
           $form['seckit_xss[csp][vendor-prefix][webkit]'] = TRUE;
           $form['seckit_xss[csp][default-src]'] = 'self';
    +      $form['seckit_xss[csp][base-uri]'] = "'self'";
           $form['seckit_xss[csp][report-uri]'] = $report_uri['uri'];
           $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
           if ($report_uri['valid']) {
             $base_path = ($report_uri['absolute']) ? '' : base_path();
    -        $expected = 'default-src self; report-uri ' . $base_path . $report_uri['uri'];
    +        $expected = "default-src self; base-uri 'self'; report-uri " . $base_path . $report_uri['uri'];
             if (!$report_uri['absolute'] && strpos($report_uri['uri'], '/') === 0) {
               // In this case, check that the leading slash on the relative path
               // was not mistakenly turned into two leading slashes.
    -          $expected = 'default-src self; report-uri ' . $base_path . ltrim($report_uri['uri'], '/');
    +          $expected = "default-src self; base-uri 'self'; report-uri " . $base_path . ltrim($report_uri['uri'], '/');
             }
             $this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
             $this->assertSession()->responseHeaderEquals('X-Content-Security-Policy', $expected);
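    Review bot: the "default-src self; base-uri 'self'; report-uri " prefix is now duplicated in both $expected branches; hoist it into one variable above the if so the branches differ only in the report-uri path handling that the comment describes. The same bare-self problem is visible here: $form['seckit_xss[csp][default-src]'] is set to self while base-uri gets 'self', and browsers treat the unquoted form as a host name rather than the keyword, so default-src should be quoted 'self' too.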
    
  • First commit to issue fork.
  • Core: 10.0.7 + Environment: PHP 7.3 & MySQL 5.7
    last update over 1 year ago
    Not currently mergeable.
  • @the_g_bomb opened merge request.
  • Core: 10.0.7 + Environment: PHP 7.3 & MySQL 5.7
    last update over 1 year ago
    Composer error. Unable to continue.
  • 🇬🇧 United Kingdom the_g_bomb

    2.x branch in the fork isn't up to date, I think, so am uploading an updated patch instead.

  • Core: 10.0.7 + Environment: PHP 7.3 & MySQL 5.7
    last update over 1 year ago
    Composer error. Unable to continue.
  • 🇬🇧 United Kingdom the_g_bomb

    Found a typo and updated to include changes to the JS that adds/removes attributes.

  • Status changed to RTBC 5 months ago
  • 🇬🇧 United Kingdom Alina Basarabeanu

    The patch from #35 is working on Drupal 10.2.2 and Seckit 2.0.1.

  • 🇬🇧 United Kingdom the_g_bomb

    Thanks @leo-liao,
    New patch applies cleanly to 2.x
