Investigate CSP violations
Categories: Tree Management :: Treeherder: Infrastructure, defect
Tracking: Not tracked
People: Reporter armenzg; Unassigned
Attachments: 2 files
I see a lot of them:
May 08 18:40:45 treeherder-prod app/web.1 [2020-05-08 18:40:45,431] WARNING [treeherder.webapp.api.csp_report:31] CSP violation: {'blocked-uri': 'data', 'document-uri': 'https://treeherder.mozilla.org/', 'original-policy': "default-src 'none'; script-src 'self' 'unsafe-eval' 'report-sample'; style-src 'self' 'unsafe-inline' 'report-sample' https://fonts.googleapis.com https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' https://community-tc.services.mozilla.com https://firefox-ci-tc.services.mozilla.com https://.taskcluster-artifacts.net https://taskcluster-artifacts.net https://treestatus.mozilla-releng.net https://bugzilla.mozilla.org https://auth.mozilla.auth0.com https://stage.taskcluster.nonprod.cloudops.mozgcp.net/ https://artifacts.tcstage.mozaws.net/ https://.artifacts.tcstage.mozaws.net/ https://insights-api.newrelic.com; frame-src 'self' https://auth.mozilla.auth0.com; report-uri https://treeherder.mozilla.org/api/csp-report/", 'referrer': '', 'violated-directive': 'font-src'}
Comment 1 • 4 years ago (Reporter)
Comment 2 • 4 years ago (Reporter)
Hi Sarah,
From the output, how can you determine what needs to be whitelisted?
Comment 3 • 4 years ago
Formatted this so it's a little easier to read:
{
"blocked-uri":"data",
"document-uri":"https://treeherder.mozilla.org/",
"original-policy":"default-src 'none'; script-src 'self' 'unsafe-eval' 'report-sample';
style-src 'self' 'unsafe-inline' 'report-sample' https://fonts.googleapis.com https://stackpath.bootstrapcdn.com/bootstrap/4.4./css/bootstrap.min.css;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data:;
connect-src 'self' https://community-tc.services.mozilla.com https://firefox-ci-tc.services.mozilla.com https://.taskcluster-artifacts.net https://taskcluster-artifacts.net https://treestatus.mozilla-releng.net https://bugzilla.mozilla.org https://auth.mozilla.auth0.com https://stage.taskcluster.nonprod.cloudops.mozgcp.net/ https://artifacts.tcstage.mozaws.net/ https://.artifacts.tcstage.mozaws.net/ https://insights-api.newrelic.com; frame-src 'self' https://auth.mozilla.auth0.com; report-uri https://treeherder.mozilla.org/api/csp-report/",
"referrer":"",
"violated-directive":"font-src"
}
I'm not terribly familiar with CSPs so I looked into it a bit more. I think the blocked-uri: data is referring to data URLs. But I don't think we want to allow data: for the font-src, since it could have security implications.
Also the https://fonts.gstatic.com can be removed. Navigating to that in the browser returns a 404.
So it seems we'll get violations logged, and I think we only need to be concerned about them if it's something we actually should whitelist (versus someone trying to do something they shouldn't that's been blocked), and if that's the case then you can clearly see when it's breaking the UI. Is that correct camd? I think Ed was the one who set this up.
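The triage described in comments 2 and 3 (reading a report, working out which directive and source it concerns, and deciding whether the blocked URI is something the app legitimately loads or something that was rightly blocked) can be scripted. The following is an added example, not code from this bug or from Treeherder: it parses log lines in the shape of the one quoted above, splits the reported original-policy into directives, applies the default-src fallback, and checks whether the blocked-uri is already permitted by the sources that govern the violated-directive. The sample lines are constructed (hosts under .example are placeholders and the policies are shortened), and the source matching is an approximation of the CSP algorithm that ignores ports. It cannot decide whether a "not in policy" hit should be whitelisted; that still needs a look at the page's own assets, as comment 3 says.

```python
# Added example, not Treeherder code: triage the CSP reports the csp_report logger prints.
import ast
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the shape of the one quoted in the bug; hosts under .example
# are placeholders and the policies are shortened. Not real production data.
SAMPLE_LOG = [
    """May 08 18:40:45 treeherder-prod app/web.1 [2020-05-08 18:40:45,431] WARNING [treeherder.webapp.api.csp_report:31] CSP violation: {'blocked-uri': 'data', 'document-uri': 'https://treeherder.mozilla.org/', 'original-policy': "default-src 'none'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; report-uri /api/csp-report/", 'referrer': '', 'violated-directive': 'font-src'}""",
    """May 08 18:41:02 treeherder-prod app/web.1 [2020-05-08 18:41:02,010] WARNING [treeherder.webapp.api.csp_report:31] CSP violation: {'blocked-uri': 'https://avatars.example/u/1.png', 'document-uri': 'https://treeherder.mozilla.org/', 'original-policy': "default-src 'none'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; report-uri /api/csp-report/", 'referrer': '', 'violated-directive': 'img-src'}""",
    """May 08 18:41:30 treeherder-prod app/web.1 [2020-05-08 18:41:30,555] WARNING [treeherder.webapp.api.csp_report:31] CSP violation: {'blocked-uri': 'https://cdn.example/x.js', 'document-uri': 'https://treeherder.mozilla.org/', 'original-policy': "default-src 'none'; script-src 'self'; report-uri /api/csp-report/", 'referrer': '', 'violated-directive': 'script-src'}""",
    """May 08 18:42:00 treeherder-prod app/web.1 [2020-05-08 18:42:00,000] WARNING [treeherder.webapp.api.csp_report:31] CSP violation: {'blocked-uri': 'https://treeherder.mozilla.org/static/a.woff2', 'document-uri': 'https://treeherder.mozilla.org/', 'original-policy': "default-src 'none'; font-src 'self'; report-uri /api/csp-report/", 'referrer': '', 'violated-directive': 'font-src'}""",
]

REPORT_RE = re.compile(r"CSP violation: (\{.*\})\s*$")
# Fetch directives that fall back to default-src when the policy does not set them.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "font-src", "img-src",
                         "connect-src", "frame-src", "media-src", "object-src"}

def parse_report_line(line):
    """Return the report dict from one log line, or None if the line is not a report."""
    match = REPORT_RE.search(line)
    if not match:
        return None
    try:
        return ast.literal_eval(match.group(1))   # the logger prints a Python dict repr
    except (ValueError, SyntaxError):
        return json.loads(match.group(1))         # also accept a raw JSON report body

def parse_policy(policy):
    """Split "default-src 'none'; font-src 'self' x" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_sources(directives, directive):
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src", []) if directive in FALLS_BACK_TO_DEFAULT else []

def source_allows(source, blocked_uri, document_uri):
    """Approximate CSP source-expression matching, enough for triage (ports ignored)."""
    src = source.lower()
    if src == "'none'":
        return False
    if "://" not in blocked_uri:
        # Non-network resources are reported by scheme only ('data', 'blob', ...) and are
        # allowed only by an explicit scheme source such as data:, never by '*' or a host.
        return src == blocked_uri.rstrip(":") + ":"
    uri = urlsplit(blocked_uri)
    if src == "'self'":
        doc = urlsplit(document_uri)
        return (uri.scheme, uri.hostname) == (doc.scheme, doc.hostname)
    if src.startswith("'"):
        return False                                   # 'unsafe-inline', nonces, hashes
    if src == "*":
        return uri.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":") and "/" not in src:
        return uri.scheme == src[:-1]                  # scheme source such as https:
    # Host source: optional scheme, host with optional *. wildcard, optional path.
    scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
    host, slash, path = rest.partition("/")
    host, path, hostname = host.split(":")[0], slash + path, uri.hostname or ""
    if scheme and scheme != uri.scheme:
        return False
    if host.startswith("*.") and not hostname.endswith(host[1:]):
        return False
    if not host.startswith("*.") and host != hostname:
        return False
    if path and path != "/":
        return uri.path.startswith(path) if path.endswith("/") else uri.path == path
    return True

def triage(lines):
    """Classify each report: blocked URI 'not in policy', or already allowed by the reported policy."""
    findings = []
    for report in filter(None, map(parse_report_line, lines)):
        directive = report["violated-directive"].split()[0]   # some UAs append the sources
        sources = effective_sources(parse_policy(report["original-policy"]), directive)
        covered = any(source_allows(s, report["blocked-uri"], report["document-uri"]) for s in sources)
        findings.append({"directive": directive, "blocked": report["blocked-uri"], "sources": sources,
                         "verdict": "already allowed (stale policy?)" if covered else "not in policy"})
    return findings

def summarize(findings):
    """Count reports per (directive, blocked URI): the pair that decides whether anything needs listing."""
    return Counter((f["directive"], f["blocked"]) for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['directive']}: {f['blocked']} -> {f['verdict']}  [allowed: {' '.join(f['sources'])}]")
    print(summarize(triage(SAMPLE_LOG)).most_common(3))
```

Run against a day of logs, the (directive, blocked URI) counts are what matter: a font-src/data pair with thousands of hits from the app's own document-uri points at an inlined asset the policy does not list, while a one-off script-src hit from an unknown host is the policy doing its job. A report whose URI the reported policy already allows usually means the client loaded the page under an older policy.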
Comment 4 • 4 years ago
I see a note in the middleware.py file that explains why img-src allows data URLs: "The data: is required for images that were inlined by webpack's url-loader (as an optimisation)"
https://github.com/mozilla/treeherder/blob/master/treeherder/middleware.py#L20
So that might be something to look into - if it pertains to fonts also.
Comment 5 • 4 years ago
I don't know this area too well myself, I must admit. But after reading the MDN CSP page, I'm inclined to agree with Sarah on this.
Comment 6 • 4 years ago (Reporter)
There's some info in this commit:
https://github.com/mozilla/treeherder/commit/5b7209be2914fd1b1f5a3e5125b33c7b6d06b701
I think Ed wanted warnings + reporting to New Relic.
I've found this:
https://insights.newrelic.com/accounts/677903/explorer/events?eventType=CSP%20violation&duration=604800000&facet=referrer
There are 18.7k font CSP violations in the last 7 days.
I see "shortcut icon" using "data:"; is that related?
What is the actual violation happening? I don't understand very well what's happening.
In case we need help, April King works for us.
I saw this add-on recommended (not that I understand it):
https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
Not sure if we actually block anything:
Once this has been deployed to production, and we're happy that the policy is not too strict (ie blocking things we shouldn't be), we can switch it to being a full CSP header and not the report-only version, so it actually starts taking effect.
Comment 7 • 4 years ago (Reporter)
This screenshot shows that something happened on May 10 that brought about this explosion of CSP violations.
This is a link to a narrower window:
https://insights.newrelic.com/accounts/677903/explorer/events?eventType=CSP%20violation&duration=88200000&facet=referrer&end_time=1589210160000