i can't connect to the websocket because of my CSP (Content Security Policy) - what is wrong?
Error:
ps-client-component-websocket-adapter.js:412 Refused to connect to
'wss://hostname.domain:port/jsonWebSocket' because it violates
the following Content Security Policy directive: "connect-src 'self'".
My IIS web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Cache-Control" value="no-cache" />
<!---<add name="X-Content-Security-Policy" value="default-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; object-src 'none'; child-src *;" />-->
<add name="Content-Security-Policy" value="connect-src 'self' wss://hostname.domain:port/jsonWebSocket; default-src 'self' 'unsafe-eval'; img-src * data:; object-src 'none'; child-src *;" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
</configuration>
It seems like you are missing comma in connect-src.
A bit late to the party, but as per MDN,
connect-src 'self' does not resolve to websocket schemas in all browsers, more info in this issue.
You may want to add wss to connect-src as it is done in this answer for example.
Related
I've trying some solutions to fix a CSP Wildcard directive, I'm actually using nginx add_header to protect contents in my website. I tried many aways to secure it correctly, but OWASP ZAP scanner is always getting CSP Wildcard directive
I Know probability I'm forgetting to set a import stuff on it; Anyone has any ideia how can I fix to vulnerability issue CSP Wildcard directive ?
I'll share all headers added to nginx config file:
add_header Content-Security-Policy "default-src 'self' https://my-domain.com; script-src 'report-sample' 'self'; style-src 'report-sample' 'self' https://cdn.jsdelivr.net https://fonts.googleapis.com 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-FJUTtaihJDaYMVkI25A8Y0YFELvhfzsiIgk6h+OHIMM='; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com; frame-src 'self'; img-src 'self' https://res.cloudinary.com; manifest-src 'self'; media-src 'self'; frame-ancestors https://my-domain.com; report-uri https://630f6a5f23064c2afafa6b30.endpoint.csper.io/?v=0; worker-src 'none';";
add_header 'Access-Control-Allow-Origin' 'https://my-domain.com' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection 1;
add_header Strict-Transport-Security: max-age=31536000;
add_header X-Content-Type-Options "nosniff";
add_header Expect-CT 'enforce; max-age=7776000';
add_header X-Frame-Options "ALLOW-FROM my-domain.com";
After deploying my MERN app to heroku, I get this error on the browser console. Even though I specified the correct CSP directives. This is the meta tag it renders on the browser
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://rpc-mainnet.matic.network/; img-src 'self'; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; font-src 'self' https://fonts.gstatic.com; ">
What am I doing wrong?
Is there a way to configure the Http Headers that Wildfly(10 or more) sends to the client only to configure the following:
HTTPS Strict Transport Security (HSTS)
X-XSS-Protection
X-Frame-Options
Strict-Transport-Security
Content-Security-Policy
X-Content-Type-Options
I have a configuration file(standalone.xml) where all the configurations are present. I need to add the configurations for headers here.
<subsystem xmlns="urn:jboss:domain:undertow:6.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" max-parameters="10000" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content" predicate="not exists[%{o,Content-Security-Policy}]"/>
<http-invoker security-realm="ApplicationRealm"/>
<filter-ref name="Content-Security-Policy"/>
<filter-ref name="x-frame-options"/>
<filter-ref name="x-xss-protection"/>
<filter-ref name="x-content-type-options"/>
<!--filter-ref name="content-security-policy"/-->
<filter-ref name="strict-transport-security"/>
<filter-ref name="my-custom-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'"/>
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
<response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
<!--response-header name="content-security-policy" header-name="Content-Security-Policy" header-value="default-src https:"/-->
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
<!-- Add line below -->
<response-header name="my-custom-header" header-name="my-custom-header" header-value="my-custom-value"/>
</filters>
</subsystem>
Adding bit more information to the #merly's response.
These are some of the application best practices while setting security headers to prevent illegal attempts on modifying/reading information.
Content-Security-Policy (CSP)
This header restricts the sources from which the browser will load resources including scripts, styles and media. By permitting only trusted sources and secure HTTPS channels, this header can help prevent XSS and sniffing attacks.
For sites that only load resources from a single web application server, configure the CSP header to only allow resources from that server for all resource types. If resources are loaded from other trusted sources, create a more specific CSP header.
<filter-ref name="Content-Security-Policy"/>
<response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'"/>
X-Content-Type-Options
This header tells the browser not to infer a resource type by its content and stick to the content type advertised by the application. This can mitigate vulnarabilities such as XSS by preventing the browser from transforming non-executable content into executable content.
<filter-ref name="x-content-type-options"/>
<response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
X-Frame-Options
If this header is set then it does not allow the application to be opened in the cross domain url.
<filter-ref name="x-frame-options"/>
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
I am working on a nodejs electron app, in my index.html I have a "Content-Security-Policy" that looks like this
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy"
content="
default-src 'self' https://*.mydomain.tld;
script-src 'self' https://*.mydomain.tld;
style-src 'self' https://*.mydomain.tld;
img-src 'self' https://*.mydomain.tld;
font-src 'self' https://*.mydomain.tld;
connect-src 'self' https://*.mydomain.tld;
media-src 'self' https://*.mydomain.tld;
object-src 'self' https://*.mydomain.tld;
child-src 'self' https://*.mydomain.tld;
frame-ancestors 'self' https://*.mydomain.tld;
frame-src 'self' https://*.mydomain.tld;
worker-src 'self' https://*.mydomain.tld;
form-action 'self' https://*.mydomain.tld;
block-all-mixed-content;
">
When I run the app it works perfectly fine all assets are loaded just fine but in the console I get the following error
Content Security Policies delivered via a element may not
contain the frame-ancestors directive. index.html: 4
I been trying to get rid of the error and looking for what maybe causing it but can't find anything, all to me appears to be correct yet I still receive the error, I also thought that the error maybe caused by the server #https://*.mydomain.tld so I tried this
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy"
content="
default-src 'self';
script-src 'self';
style-src 'self';
img-src 'self';
font-src 'self';
connect-src 'self';
media-src 'self';
object-src 'self';
child-src 'self';
frame-ancestors 'self';
frame-src 'self';
worker-src 'self';
form-action 'self';
block-all-mixed-content;
">
Which caused the exact same error, I could just ignore the error completely as the app does work correctly and the error does not seem to be causing any issues however if someone has any idea what maybe wrong I would really appreciate it.
Edit: When I removed the frame-ancestors leaving the tag looking like this
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy"
content="
default-src 'self' https://*.mydomain.tld;
script-src 'self' https://*.mydomain.tld;
style-src 'self' https://*.mydomain.tld;
img-src 'self' https://*.mydomain.tld;
font-src 'self' https://*.mydomain.tld;
connect-src 'self' https://*.mydomain.tld;
media-src 'self' https://*.mydomain.tld;
object-src 'self' https://*.mydomain.tld;
child-src 'self' https://*.mydomain.tld;
frame-src 'self' https://*.mydomain.tld;
worker-src 'self' https://*.mydomain.tld;
form-action 'self' https://*.mydomain.tld;
block-all-mixed-content;
">
The error went away, am I not supposed to add that?
Because this directive is not supported in the meta element.
Look at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors.
Only on the "response" from the server.
The Sonar test suite makes the interesting point that it should be considered bad practice to send the HTTP headers
Content-Security-Policy
X-Content-Security-Policy
X-Frame-Options
X-UA-Compatible
X-WebKit-CSP
X-XSS-Protection
when sending non-HTML resources.
I currently configure my IIS server using web.config, namely
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self' ; img-src 'self' data:; script-src 'self' cdnjs.cloudflare.com/ajax/libs/html5shiv/" />
<add name="X-Frame-Options" value="DENY" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Permitted-Cross-Domain-Policies" value="none" />
<add name="X-UA-Compatible" value="IE=edge" />
<add name="X-Xss-Protection" value="1; mode=block" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
But that configuration sends those headers no matter the type of the resource send.
How to make IIS selectively add those headers to the right types of files?
You can use the IIS UrlRewrite module (an IIS extension) and add a custom headers only for html resources.
Check this old question.