
#1 2020-12-07 13:01:45

piwent (Member; registered 2020-10-24; 97 posts)

Content-Security-Policy

Hello,

Following up on this comment: https://piwigo.org/forum/viewtopic.php? … 44#p178644

How does one go about ensuring that the Content-Security-Policy has script-src 'unsafe-inline'; style-src 'unsafe-inline'?

Does this go in the localconfig? Does it have to go in an .htaccess file?

I added this to .htaccess but it didn't work:

Code:

Header set Content-Security-Policy: "script-src 'unsafe-inline'; style-src 'unsafe-inline'"

If someone could be so kind as to spell it out or point me to a help article (I couldn't find anything from searching the forum), that would be marvelous. I realize this may not be something unique to Piwigo, but my google-fu isn't helping me.


#2 2020-12-07 14:01:04

erAck (Only trying to help; registered 2015-09-06; 1998 posts)

Re: Content-Security-Policy

First, setting the CSP header correctly is only necessary if it is set at all on your site; then anything required but missing will make the site fail at some point. If the CSP header is not set, then working out the details isn't necessary either. However, setting CSP is good practice, and this is what I determined to get that working; put it in the Piwigo directory's .htaccess:

Code:

<IfModule mod_headers.c>
    # Several elements don't work without 'unsafe-inline'.
    # Piwigo user editor doesn't work without script-src 'unsafe-eval'.
    # Piwigo theme screenshot previews in img-src.
    # Piwigo VideoJS needs font-src data: and media-src 'self'.
    Header set Content-Security-Policy " default-src 'none'; connect-src 'self'; font-src 'self' data:; img-src 'self' data: https://piwigo.org; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
</IfModule>

If you use tools/ws.htm to investigate the API (this is not necessary if you or a program simply use the API), then you'll need another entry in its tools/.htaccess to add the JS sources (unless the Header append directive works for your Apache, which could simply add them to the existing ones of the parent; it didn't for me):

Code:

<IfModule mod_headers.c>
    # Piwigo tools/ws.htm needs external scripts.
    # Header append doesn't work here, merged manually, so keep in sync with ../.htaccess
    Header set Content-Security-Policy " default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data: https://piwigo.org; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/tiptip/1.3/ https://code.jquery.com/jquery-1.9.1.min.js; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/tiptip/1.3/; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"
    #Header append Content-Security-Policy "script-src https://cdn.jsdelivr.net/tiptip/1.3/ https://code.jquery.com/jquery-1.9.1.min.js; style-src https://cdn.jsdelivr.net/tiptip/1.3/"
</IfModule>

For updated Piwigo versions you may have to check which script sources it's actually pulling in and adapt.

The Firefox Laboratory add-on's record mode is very helpful for obtaining the resource origins used while browsing and interacting with your site.

A bunch of helpful CSP pages:
https://www.w3.org/TR/CSP2/
https://content-security-policy.com/
https://cheatsheetseries.owasp.org/chea … Sheet.html
https://developer.mozilla.org/en-US/doc … ity-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://hacks.mozilla.org/2016/02/imple … ty-policy/
https://shivering-isles.com/self-isolate-your-website
https://webcookies.org/articles/11/typi … -omissions

That being said, Piwigo not doing unsafe-inline and unsafe-eval would certainly be welcome.


Running Piwigo at https://erack.net/gallery/
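As an added illustration (this is not Piwigo code and not part of either post), the following Python script models how a browser applies the policies above with a deliberately simplified CSP matcher. It shows the two points that bite in this thread. First, a comma-joined header value, which is what Apache's Header append produces and which is equivalent to sending two Content-Security-Policy headers, is a list of independent policies that must all allow a resource, so appending can only narrow the parent's policy, never widen it; the single manually merged policy in tools/.htaccess is the correct fix. Second, a policy such as script-src 'unsafe-inline'; style-src 'unsafe-inline' contains no 'self', so it blocks the site's own scripts and stylesheets while permitting only inline ones. The origin https://gallery.example and the theme script path are constructed for the example; nonces, hashes, host wildcards and the child-src fallback are not modelled.

```python
"""Minimal CSP evaluator: added example, not Piwigo code and not from the posts.
Models 'none', 'self', 'unsafe-inline', 'unsafe-eval', scheme sources like data:,
host sources with an optional path, and the fallback of fetch directives to
default-src.  Nonces, hashes, host wildcards and child-src are not modelled."""
from urllib.parse import urlparse

FETCH_DIRECTIVES = {"connect-src", "font-src", "img-src", "media-src",
                    "script-src", "style-src", "frame-src", "object-src"}


def parse_policy(text):
    """One policy string -> {directive: [source expressions]}."""
    policy = {}
    for token in text.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_header(value):
    """A comma-joined value (what `Header append` produces; the same as sending
    two CSP headers) is a list of independent policies, each enforced."""
    return [parse_policy(p) for p in value.split(",") if p.strip()]


def merge(a, b):
    """Union of sources per directive: what 'merged manually' means."""
    out = {k: list(v) for k, v in a.items()}
    for k, v in b.items():
        out[k] = out.get(k, []) + [s for s in v if s not in out.get(k, [])]
    return out


def source_matches(expr, url, page_origin):
    """Does one source expression allow fetching url?"""
    target = urlparse(url)
    if expr == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if expr.startswith("'"):
        return False                          # other keywords never match a URL
    if expr.endswith(":") and "://" not in expr:
        return target.scheme == expr[:-1]     # scheme-source, e.g. data:
    src = urlparse(expr if "://" in expr else "//" + expr)   # host-source
    if ((src.scheme and src.scheme != target.scheme) or src.hostname != target.hostname
            or (src.port and src.port != target.port)):
        return False
    if src.path in ("", "/"):
        return True                           # any path on that host
    if src.path.endswith("/"):
        return target.path.startswith(src.path)   # directory prefix
    return target.path == src.path            # one specific file


def allows(policy, directive, url=None, page_origin=None, keyword=None):
    """One policy; url for a fetched resource, keyword="'unsafe-inline'" or
    "'unsafe-eval'" for inline code and eval()."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")   # fetch directives fall back
    if sources is None:
        return True                           # nothing restricts this directive
    if keyword is not None:
        return keyword in sources
    return any(source_matches(s, url, page_origin) for s in sources if s != "'none'")


def allowed(policies, directive, **resource):
    """The browser enforces every delivered policy; all must allow the resource."""
    return all(allows(p, directive, **resource) for p in policies)


PAGE = "https://gallery.example"            # constructed Piwigo origin (assumption)
OWN_JS = PAGE + "/themes/default/js/x.js"   # constructed theme script path (assumption)
JQUERY = "https://code.jquery.com/jquery-1.9.1.min.js"
# Root .htaccess policy from the post, the sources its commented-out `Header
# append` would add, and the bare policy tried in the first post.
ROOT = ("default-src 'none'; connect-src 'self'; font-src 'self' data:; "
        "img-src 'self' data: https://piwigo.org; media-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' "
        "'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'")
EXTRA = ("script-src https://cdn.jsdelivr.net/tiptip/1.3/ "
         "https://code.jquery.com/jquery-1.9.1.min.js; "
         "style-src https://cdn.jsdelivr.net/tiptip/1.3/")
BARE = "script-src 'unsafe-inline'; style-src 'unsafe-inline'"


def demo():
    root, bare = parse_header(ROOT), parse_header(BARE)
    appended = parse_header(ROOT + ", " + EXTRA)               # two policies
    merged = [merge(parse_policy(ROOT), parse_policy(EXTRA))]  # one policy
    own, jq = dict(url=OWN_JS, page_origin=PAGE), dict(url=JQUERY, page_origin=PAGE)
    return {
        "own_js_root": allowed(root, "script-src", **own),          # True
        "own_js_bare": allowed(bare, "script-src", **own),          # False: no 'self'
        "jquery_root": allowed(root, "script-src", **jq),           # False
        "jquery_merged": allowed(merged, "script-src", **jq),       # True
        "jquery_appended": allowed(appended, "script-src", **jq),   # False: root policy still applies
        "own_js_appended": allowed(appended, "script-src", **own),  # False: second policy has no 'self'
        "inline_appended": allowed(appended, "script-src", keyword="'unsafe-inline'"),  # False
        "data_font_root": allowed(root, "font-src", url="data:font/woff2;base64,AAAA", page_origin=PAGE),  # True
        "frame_root": allowed(root, "frame-src", url="https://example.org/e", page_origin=PAGE),  # False: default-src 'none'
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the decision table; to compare against what the server really sends, fetch the headers with curl -sI against the gallery URL and paste the Content-Security-Policy value into parse_header. The evaluator is intentionally small: it is a reasoning aid for .htaccess changes, not a replacement for the browser console, which reports the exact directive that blocked a resource.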


#3 2020-12-09 16:07:17

piwent (Member; registered 2020-10-24; 97 posts)

Re: Content-Security-Policy

Thank you!!

I still can't get it to work, but I haven't looked at all the links you gave. I'll keep trying.

Thanks!!

