Hi,
Long time Piwigo user here and very grateful for the efforts to update the code and feature set.
Since last winter, I've been trying to get Piwigo running on a server that has an active content security policy (CSP). However, I'm not a programmer, nor do I have a dedicated development environment, so it has been a slow and painful slog.
The biggest task has been eliminating inline source elements in the html. This includes styles applied in tags, onclick actions, javascript code, etc. I know CSP can ignore these with "unsafe-inline", but that pretty much defeats the purpose of CSP.
Most of the fixes have been done with template extensions and modifying a copy of the Modus theme, so as not to muck around with the core code. Unfortunately, there remains one major stumbling block: Piwigo's Administration.
There are close to twenty inline style statements on the Admin Dashboard page alone. Clicking through the different sections, it looks like there are probably hundreds more. Without disabling CSP, many site admin functions won't work until/unless these are all eliminated.
So, my request is to please keep CSP in mind as you move forward. Piwigo code and themes should have styling in .css files, javascript code in .js files, use event listeners to register user interactions, etc.
Thanks.
Environment
Piwigo 13.8.0
Installed on 15 December 2014, 8 years 7 months 6 days ago
Operating system: Darwin
PHP: 7.4.33 [2023-07-21 23:39:21]
MySQL: 5.5.5-10.11.2-MariaDB [2023-07-21 18:39:21]
Graphics Library: External ImageMagick 7.1.1-8
Cache size: 32686.31 MB
Hi BT,
Some inline CSS should be easy to move in CSS files, but not all of them I'm afraid :-/
should have styling in .css files, javascript code in .js files
and when we do something like:
    <!DOCTYPE html>
    <html lang="..." dir="...">
    <head>
    ...
    </head>
    <body id="theAdminPage">
    <script type="text/javascript" src="_data/combined/19guk79.js"></script>
    <script type="text/javascript">//<![CDATA[
    ... a lot of Javascript here...
    //]]></script>
    </body>
    </html>
is that OK for CSP?
That requires script-src 'unsafe-inline', so no, not really. That is still better than no CSP script-src at all, because it disallows arbitrary external scripts, but...
Recommended readings:
https://www.w3.org/TR/CSP2/
https://content-security-policy.com/
https://cheatsheetseries.owasp.org/chea … Sheet.html
https://developer.mozilla.org/en-US/doc … ity-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://hacks.mozilla.org/2016/02/imple … ty-policy/
https://scotthelme.co.uk/content-securi … roduction/
And the Firefox Laboratory AddOn that records and assembles the currently required header values of a site:
https://addons.mozilla.org/firefox/addo … y-mozilla/
Glad to see you're receptive to helping with CSP issues. I totally understand some changes may not be easy or a quick fix.
Fortunately (for me, at least) most CSP exceptions could be fixed by modifying template files and javascript. There are still a few quirks to figure out when I get some time to dive back into things, but basic browsing works and I can just temporarily disable CSP to do admin stuff.
With regards to your script question, using a "nonce" might work. However, I don't know if that's really a viable option, given user requirements to implement and how Piwigo is distributed and installed across a variety of environments, etc. Best in a .js file I think.