BREAKING: update CSP configuration

Disable it by default and add ability to specify a custom report uri
author: Chocobozzz <me@florianbigard.com> 2019-02-21 16:27:32 +0100
committer: Chocobozzz <me@florianbigard.com> 2019-02-21 16:28:53 +0100
commit: 539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch)
tree: 9bddd2ba539a49b3741fbd2ff3a2127e41a40268
parent: c8000975d361fae166a6ebecac5005238e14d4c9 (diff)
download: PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst
PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip
8 files changed, 36 insertions, 19 deletions
diff --git a/config/default.yaml b/config/default.yaml
index 1f6046a1b..6c339e66d 100644
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -96,6 +96,11 @@ redundancy:
 #        strategy: 'recently-added' # Cache recently added videos
 #        min_views: 10 # Having at least x views
+csp:
+  enabled: false
+  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+  report_uri:
 cache:
  previews:
    size: 500 # Max number of previews you want to cache
@@ -182,8 +187,6 @@ instance:
    "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
 services:
-  # You can provide a reporting endpoint for Content Security Policy violations
-  csp-logger:
  # Cards configuration to format video in Twitter
  twitter:
    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
diff --git a/config/production.yaml.example b/config/production.yaml.example
index ae8fb2d51..c227d5fcc 100644
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -97,6 +97,12 @@ redundancy:
 #        strategy: 'recently-added' # Cache recently added videos
 #        min_views: 10 # Having at least x views
+csp:
+  enabled: false
+  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+  report_uri:
 ###############################################################################
 #
 # From this point, all the following keys can be overridden by the web interface
diff --git a/server.ts b/server.ts
index b50151859..c450d5b6e 100644
--- a/server.ts
+++ b/server.ts
@@ -55,13 +55,15 @@ app.set('trust proxy', CONFIG.TRUST_PROXY)
 // Security middleware
 import { baseCSP } from './server/middlewares'
-app.use(baseCSP)
+if (CONFIG.CSP.ENABLED) {
-app.use(helmet({
+  app.use(baseCSP)
-  frameguard: {
+  app.use(helmet({
-    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+    frameguard: {
-  },
+      action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-  hsts: false
+    },
-}))
+    hsts: false
+  }))
+}
 // ----------- Database -----------
diff --git a/server/initializers/checker-after-init.ts b/server/initializers/checker-after-init.ts
index 955d55206..53124f9ec 100644
--- a/server/initializers/checker-after-init.ts
+++ b/server/initializers/checker-after-init.ts
@@ -34,6 +34,12 @@ async function checkActivityPubUrls () {
 // Return an error message, or null if everything is okay
 function checkConfig () {
+  // Moved configuration keys
+  if (config.has('services.csp-logger')) {
+    logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.')
+  }
+  // Email verification
  if (!Emailer.isEnabled()) {
    if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
      return 'Emailer is disabled but you require signup email verification.'
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts
index 230fdd356..2567d957b 100644
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -15,6 +15,7 @@ function checkMissedConfig () {
    'storage.redundancy', 'storage.tmp', 'storage.playlists',
    'log.level',
    'user.video_quota', 'user.video_quota_daily',
+    'csp.enabled', 'csp.report_only', 'csp.report_uri',
    'cache.previews.size', 'admin.email', 'contact_form.enabled',
    'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
    'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 0ede45620..0d9a6a512 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -229,6 +229,11 @@ const CONFIG = {
      STRATEGIES: buildVideosRedundancy(config.get<any[]>('redundancy.videos.strategies'))
    }
  },
+  CSP: {
+    ENABLED: config.get<boolean>('csp.enabled'),
+    REPORT_ONLY: config.get<boolean>('csp.report_only'),
+    REPORT_URI: config.get<boolean>('csp.report_uri')
+  },
  ADMIN: {
    get EMAIL () { return config.get<string>('admin.email') }
  },
@@ -300,7 +305,6 @@ const CONFIG = {
    get SECURITYTXT_CONTACT () { return config.get<string>('admin.email') }
  },
  SERVICES: {
-    get 'CSP-LOGGER' () { return config.get<string>('services.csp-logger') },
    TWITTER: {
      get USERNAME () { return config.get<string>('services.twitter.username') },
      get WHITELISTED () { return config.get<boolean>('services.twitter.whitelisted') }
diff --git a/server/middlewares/csp.ts b/server/middlewares/csp.ts
index 5fa9d1ab5..404e33b43 100644
--- a/server/middlewares/csp.ts
+++ b/server/middlewares/csp.ts
@@ -18,22 +18,20 @@ const baseDirectives = Object.assign({},
    frameSrc: ["'self'"], // instead of deprecated child-src / self because of test-embed
    workerSrc: ["'self'", 'blob:'] // instead of deprecated child-src
  },
-  CONFIG.SERVICES['CSP-LOGGER'] ? { reportUri: CONFIG.SERVICES['CSP-LOGGER'] } : {},
+  CONFIG.CSP.REPORT_URI ? { reportUri: CONFIG.CSP.REPORT_URI } : {},
  CONFIG.WEBSERVER.SCHEME === 'https' ? { upgradeInsecureRequests: true } : {}
 )
 const baseCSP = helmet.contentSecurityPolicy({
  directives: baseDirectives,
  browserSniff: false,
-  reportOnly: true
+  reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 const embedCSP = helmet.contentSecurityPolicy({
-  directives: Object.assign(baseDirectives, {
+  directives: Object.assign({}, baseDirectives, { frameAncestors: ['*'] }),
-    frameAncestors: ['*']
-  }),
  browserSniff: false, // assumes a modern browser, but allows CDN in front
-  reportOnly: true
+  reportOnly: CONFIG.CSP.REPORT_ONLY
 })
 // ---------------------------------------------------------------------------
diff --git a/support/docker/production/config/custom-environment-variables.yaml b/support/docker/production/config/custom-environment-variables.yaml
index 8604939aa..bd4ac1215 100644
--- a/support/docker/production/config/custom-environment-variables.yaml
+++ b/support/docker/production/config/custom-environment-variables.yaml
@@ -111,6 +111,3 @@ instance:
  name: "PEERTUBE_INSTANCE_NAME"
  description: "PEERTUBE_INSTANCE_DESCRIPTION"
  terms: "PEERTUBE_INSTANCE_TERMS"
-services:
-  csp-logger: "PEERTUBE_SERVICES_CSPLOGGER"
author	Chocobozzz <me@florianbigard.com>	2019-02-21 16:27:32 +0100
committer	Chocobozzz <me@florianbigard.com>	2019-02-21 16:28:53 +0100
commit	539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a (patch)
tree	9bddd2ba539a49b3741fbd2ff3a2127e41a40268
parent	c8000975d361fae166a6ebecac5005238e14d4c9 (diff)
download	PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.gz PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.tar.zst PeerTube-539d3f4faa1c1d2dbc68bb3ac0ba3549252e0f2a.zip