IMPORTANT: Per accedir als fitxer de subversion: http://acacha.org/svn (sense password). Poc a poc s'aniran migrant els enllaços. Encara però funciona el subversion de la farga però no se sap fins quan... (usuari: prova i la paraula de pas 123456)

Content-Security-Policy són uns HTTP response headers que ajuden a mitigar els efectes dels atacs XSS en navegadors moderns. Bàsicament aquestes capçaleres indiquen via un HTTP Header quins recursos es poden carregar i quins no.

Com funciona?

La W3C Content Security Policy (aka CSP) és una funcionalitat que permet millorar la seguretat de pàgines web i que esta disponible en versions noves dels navegadors, vegeu:

http://caniuse.com/#search=CSP

En versions antigues de Android utilitzanr Crosswalk WebView

Com funciona CSP a Cordova?

El CSP per defecte que es posa a les plantilles cordova (comanda cordova create) és:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

You will need to include a tag like this on each page you navigate to at the top level (a navigation that results in a different window.location.href). With "Single Page Apps", you generally will only need to put it on index.html, but it's worth noting that you can apply completely different security rules based on your situation by modifying this policy. For example, if you have a page that is collecting sensitive data, you may wish to strongly lock down access while keeping things more open on other pages.

The only problem with the CSP is this: It's pretty confusing to read at first and its defaults can cause some behaviors web devs are not at all used to working around.

You can find a great tutorial on using the CSP in detail here, but here are some common "gotchas" for those new to the concepts:

By default, applying a CSP disables both eval() and inline script while the CSP in the Cordova CLI template (cordova create command) disables inline but allows eval().

Disabling both eval and inline script means no script tags with JavaScript in it, no "on" event handler attributes on HTML elements, no eval(), no new Function(), etc. Disabling these features effectively makes it impossible to do cross-site scripting because there is no way to inject JavaScript anywhere that does not originate from a file. If you're property managing your whitelists, you're very secure. The problem is that disabling eval() in particular can break quite a few web frameworks. As a result, the CSP in the base Cordova CLI template specifies unsafe-eval for default-src which enables JavaScript code to use eval and similar dynamic script techniques. Ex:

default-src 'self' 'unsafe-eval'; If your app and your frameworks don't need eval, remove the unsafe-eval declaration.

If you really need inline script, you can add the 'unsafe-inline' declaration. Of the two, inline script is actually a higher risk than eval since something as simple as using innerHTML without proper filtering can allow a hacker to add inline script. Inline script is very common, but if your app is security focused, you should avoid it. Note that the 'unsafe-inline' declaration in the Cordova CLI template applies to style-src which enables inline CSS declarations not JavaScript.

The default CSP policy in the Cordova CLI template only allows access to JavaScript and CSS files inside the app or the same domain, not a different domain. As a result, CDN hosted content typically cannot be referenced.

This is another technique to reduce risk by stating that a given web page can only reference content from 'self'. The end result is that cross-site scripting vulnerabilities are further reduced by preventing your web page from being hijacked to include content from an external, untrusted sources. You can loosen this restriction by listing other trusted domains. In fact, the default Cordova CLI template lists "https://ssl.gstatic.com" as a trusted domain since Android needs it for TalkBack to function properly.

default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; This above CSP policy says that content originating from the same domain ('self'), data URIs (data:), Cordova internal APIs (gap:), https://ssl.gstatic.com, and eval statments are allowed, but all others are denied.

Recursos:

Exemples

Accés script/javascript extern via HTTP

Per exemple és pot definir explicitament amb CSP quins recursos Javascript es poden executar i quins no. Suposem que tenim al nostre codi HTML codi que carrega Javascripts:

       <script type="text/javascript" src="cordova.js"></script>
        <script src="http://cdn.jsdelivr.net/vue/1.0.16/vue.js"></script>
        <script type="text/javascript" src="js/index.js"></script>
...

Per defecte sempre es permet la carrega, però podem ser explicits utilitzant un tag HTML meta Content Security Policy :

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' http://cdn.jsdelivr.net/vue/1.0.16/vue.js 'unsafe-eval'">

On ens interessa la part referent a scripts (script-src):

  • self': permet scripts del mateix origen com per exemple: ./js/index.js
  • La resta hem indicat explicitament quins scripts permetem: http://cdn.jsdelivr.net/vue/1.0.16/vue.js (Vue) i també
  • unsafe-eval: necessary per a vue.js "since parts of the Vue.js library code use strings to generate functions"

Accés a apis remotes (peticions Ajax)

Per exemple peticions realitzades amb Axios/vue-resource cal afegir al CSP meta tag:

; connect-src http://api.wordnik.com:80/v4/words.json/randomWord

Un exemple de com queda:

<!DOCTYPE html>
...
        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' http://cdn.jsdelivr.net/vue/1.0.16/vue.js https://cdn.jsdelivr.net/vue.resource/0.7.0/vue-resource.min.js 'unsafe-eval'; connect-src http://api.wordnik.com:80/v4/words.json/randomWord">
...
        <script src="http://cdn.jsdelivr.net/vue/1.0.16/vue.js"></script>
        <script src="https://cdn.jsdelivr.net/vue.resource/0.7.0/vue-resource.min.js"></script>
        <script type="text/javascript" src="js/index.js"></script>
    </body>
</html>


Recursos:

Apache Cordova

A Cordova té una rellevància especial el tema de [[CSP]. Vegeu més info a Cordova-plugin-whitelist, un dels plugins més importants de Cordova i que permet aplicar canvis de polítiques de seguretat.

Vegeu també

Enllaços externs