ZAP: CSP Scanner: Wildcard Directive [10055]

Status: NEW
Taskcluster :: Platform Libraries
(Reporter: dustin, Assigned: dustin)
(Blocks: 1 bug)
Description (dustin, 2 months ago)

Need to figure out what this means.  I thought we had CSP fixed (it's "default-src: 'self'") but I guess ZAP wants more.
Comment 1 (dustin, 2 months ago)

Simon, can you help?  I can't find this in a quick search of the source:
  https://github.com/zaproxy/zap-extensions/search?utf8=%E2%9C%93&q=wildcard&type=
Flags: needinfo?(sbennetts)
Comment 2 (sbennetts)

Yeah, this is one case where the extra info ZAP usually provides is really helpful.
However when I've tried saving the full results the scans fail due to various resource issues :/
I've just run ZAP with the alpha cspscanner (https://github.com/zaproxy/zap-extensions/tree/alpha/src/org/zaproxy/zap/extension/cspscanner) and it's warned about:

Content-Security-Policy: default-src 'self'

The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:
frame-ancestor

You didn't find that string in our source as we're using: https://github.com/shapesecurity/salvation :)
Flags: needinfo?(sbennetts)
Comment 3 (dustin, a month ago)

So I guess the issue is that we don't specify frame-ancestor, and its default value is too broad?
Comment 4 (sbennetts)

Yeah, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

If you don't need to support framing you can use:

frame-ancestors 'none';
Comment 5 (dustin, a month ago)

Ah, it looks like Express is helpfully injecting a different CSP for 404 errors..
Comment 6 (sbennetts)

Isn't that what you wanted? ;)

Comment 7 (dustin, a month ago)

dustin@jemison ~ $ curl -v https://auth.taskcluster.net/v1
...
< HTTP/1.1 404 Not Found
...
< Content-Security-Policy: default-src 'self'

dustin@jemison ~ $ curl -v https://auth.taskcluster.net/
...
> 
< HTTP/1.1 302 Found
...
< Content-Security-Policy: report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';
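The two responses above show why ZAP flagged the 404 page: its header sets only default-src, and frame-ancestors is a navigation directive that never falls back to default-src. The script below, an added example that is not ZAP's, Taskcluster's or Express's code, parses both captured headers and reports the frame-ancestors finding; its wildcard heuristic (`*`, `*.host`, bare scheme) is an assumption, not ZAP's exact rule.

```javascript
// Headers captured in the thread: the 404 page vs. the root redirect.
const CSP_404 = "default-src 'self'";
const CSP_ROOT = "report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';";

// Parse "directive value value; directive ..." into a Map of name -> values.
function parseCsp(header) {
  const policy = new Map();
  for (const segment of header.split(';')) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;       // trailing ';' leaves an empty segment
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Heuristic (an assumption here, not ZAP's rule): a source list is "broad"
// if it contains '*', a '*.' host wildcard, or a bare scheme such as https:
function isBroad(values) {
  return values.some(v => v === '*' || v.startsWith('*.') || /^[a-z][a-z0-9+.-]*:$/i.test(v));
}

// Audit only the directive ZAP complained about. Returns a finding object
// instead of printing so the result can be checked programmatically.
function auditFrameAncestors(header) {
  const values = parseCsp(header).get('frame-ancestors');
  if (values === undefined) {
    // default-src does not apply to frame-ancestors, so absence means unrestricted framing
    return { ok: false, reason: 'frame-ancestors not defined; default-src does not cover it' };
  }
  if (isBroad(values)) {
    return { ok: false, reason: `frame-ancestors allows wildcard sources: ${values.join(' ')}` };
  }
  return { ok: true, reason: `frame-ancestors restricted to: ${values.join(' ')}` };
}

for (const [label, header] of [['404 page', CSP_404], ['root', CSP_ROOT]]) {
  const finding = auditFrameAncestors(header);
  console.log(`${label}: ${finding.ok ? 'OK' : 'FAIL'} - ${finding.reason}`);
}
```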