April, thank you so much for these very valuable recommendations to improve Pontoon security! I think I have a pull request more or less ready, do you wanna have a look? https://github.com/mozilla/pontoon/pull/477
Looks great to me! All I would add is to make sure to test the staging site thoroughly before rolling out CSP. Like I said, everything seemed great to me, but I might have missed a source on some little nook of pontoon that I didn't know about. Otherwise, that's a fantastic turnaround! Nice work!
Phew, I'm actually no longer sure we can use CSP. Pontoon loads websites inside an iframe, to make them localizable "in place". They can come from any HTTPS-based URL and they can load any resource from any URL. Is it somehow possible to allow child-src (frame-src seems deprecated) for all domains?
You totally can! If you know that it's only going to be HTTPS, you can do child-src https:. Or if you need to work with both http and https, you can do child-src *. I would actually recommend replicating child-src into frame-src, for older browsers that only support CSP1. Overall, this would look like: Content-Security-Policy: default-src 'none'; child-src https:; connect-src 'self'; font-src 'self'; frame-src https:; img-src 'self' https://*.wp.com/pontoon.mozilla.org/ https://ssl.google-analytics.com https://www.gravatar.com/avatar/; script-src 'self' https://login.persona.org 'sha256-x3niK4UU+vG6EGT2NK2rwi2j/etQodJd840oRpEnqd4=' 'sha256-fDsgbzHC0sNuBdM4W91nXVccgFLwIDkl197QEca/Cl4=' https://ssl.google-analytics.com/ga.js; style-src 'self' 'unsafe-inline'
Actually if you need both http and https, it's probably best to have child-src http: https:; frame-src http: https:. That would restrict you from framing protocols other than http, if that is even possible.
Ohhh, you can do *that*! Thanks! Works! BTW, do you have any idea why the 'Session cookie set without using the Secure flag or set over http' test on Observatory fails for pontoon.mozilla.org, but not for mozilla-pontoon-staging.herokuapp.com? It's the same codebase, the only difference is that Stage uses Heroku URL.
It's because pontoon.mozilla.org is setting a "heroku-session-affinity" cookie that the Observatory is, erroneously in this case, detecting. Either adding the Secure flag to it or enabling HSTS should fix that problem, or at least lower the penalty.
Commit pushed to master at https://github.com/mozilla/pontoon https://github.com/mozilla/pontoon/commit/246d98719c3243ce3f6a6ca729011415190d6f1b Fix bug 1308645: Improve frontend security (#477) By adding the following headers: * Strict-Transport-Security: max-age=63072000 * X-Content-Type-Options: nosniff * x-xss-protection: 1; mode=block * Content-Security-Policy
I had to temporarily revert this patch, due to an error with Persona login. You can reproduce it on Stage by trying to sign in with Persona: https://mozilla-pontoon-staging.herokuapp.com/sl/. Instead of opening the popup, nothing happens - but you'll see the CSP error in the Console. I tried to fix the issue but I can't figure out how. The 'sha256-fDsgbzHC0sNuBdM4W91nXVccgFLwIDkl197QEca/Cl4=' hash represents the Persona inline script. Unless it's not the right hash? Replacing all 'sha-256' rules with 'unsafe-inline' fixes the problem, but I'd like to avoid that. Any hints?
It will tell you the proper hash in the console. Do you use different inline scripts between staging and production? I had only gotten the hash for production.
I'm looking in the devtools (right?) console and can't find the hash. It's the same script in all environments, so I can reproduce the issue in all of them.
* actually the <script> at the bottom, rather.
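As an added example (not code from this thread or from Pontoon), the following Python checks two things discussed above: whether the proposed child-src/frame-src policy lets a given URL be framed, and how the 'sha256-...' source expression for an inline script is derived. The policy string is constructed from the header proposed above, the URLs are made up, and the matcher is simplified (ports and CSP's exact-path rule are ignored).

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed sample: the directives from the proposed header that matter for framing and scripts.
POLICY = ("default-src 'none'; child-src http: https:; frame-src http: https:; "
          "script-src 'self' https://login.persona.org "
          "'sha256-fDsgbzHC0sNuBdM4W91nXVccgFLwIDkl197QEca/Cl4='")

def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_hash_source(script_body):
    """The 'sha256-...' source for an inline <script>: base64 of SHA-256 over the exact bytes
    between the tags, whitespace included (one stray space gives a different hash).
    A javascript: URL in an href is not an inline script element, so no hash can allow it;
    that is why the thread's fix removes JS from href attributes instead of adding a hash."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def source_matches(source, url, page_origin):
    """Match one CSP source expression (*, 'self', scheme, host, wildcard host) against a URL."""
    u = urlsplit(url)
    if source == "*":
        return u.scheme in ("http", "https")   # '*' does not cover data:, blob:, filesystem:
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.endswith(":") and "/" not in source:  # scheme source such as "https:"
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.hostname.startswith("*."):
        return u.hostname.endswith(s.hostname[1:])
    return u.hostname == s.hostname and (not s.path or u.path.startswith(s.path))

def frame_allowed(policy, url, page_origin):
    """Can the page frame this URL? Lookup order: frame-src, then child-src, then default-src."""
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, url, page_origin) for s in policy[directive])
    return True  # no governing directive: unrestricted
```

With the proposed policy, any http or https URL can be framed while a default-src 'none' policy without child-src/frame-src blocks every frame, which is the failure mode the thread was worried about.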
Commit pushed to master at https://github.com/mozilla/pontoon https://github.com/mozilla/pontoon/commit/6886b0ed334cd39843c09c2d14e7712b10b72a6b Revert "Fix bug 1308645: Improve frontend security (#477)" This reverts commit 246d98719c3243ce3f6a6ca729011415190d6f1b.
Commit pushed to master at https://github.com/mozilla/pontoon https://github.com/mozilla/pontoon/commit/2116b2943a1e8fee096257f3802e555f48b83a51 Fix bug 1308645: Improve frontend security (#477) * Stop using JS in href attributes (Persona sign in blocked by CSP) * Fix CSP-related homepage framing issues on a local setup using HTTP