Problems with Content Security Policy HTTP headers

1 month 5 days ago #9688 by azurelinksc
Hola Jose!

I am setting up HTTP security headers for my client's sites and I am running into problems with the Content Security Policy settings. Things like menus, or slideshow modules keep breaking.

At the reference site you posted a link for, scotthelme.co.uk/content-security-policy-an-introduction/, his examples are very simple.
If I use the syntax he gives examples of, my console says it needs the full path. In the case of Google fonts, the path is very long. And other issues appear to involve the use of local js and css files.

It looks like quite a few of the Joomla 3 templates of the sites make use of inline styles. In some cases, my console lists 25-30 items involving scripts or css.

Do you have any suggestions on how to go about resolving these things, more advanced resources, or comments on adding URLs? For instance, Scott doesn't include https://www.

Need help.

1 month 5 days ago #9689 by Jose
Hi azurelink!

I fear there is no easy way to automate this task (or at least I don't know of one). What I do is identify the resources using the browser's inspector tool, add them to the policy and test whether everything works. If not, I get a 403 message in the console of the inspector tool saying "hey, this resource is forbidden by the CSP policy".

A good place to start could be to check what other websites have added to this policy. For this, you can use the following URL: securityheaders.com
There are hundreds of websites there with an A grade, and clicking into them you can view the content of the policies. This will give you some help to start.

Regards,
Jose

1 month 3 days ago - 1 month 3 days ago #9690 by azurelinksc
Thanks Jose.

Yes, I've been struggling with figuring out the correct values and syntax for the various parameters of the Content Security Policy (CSP) on Joomla 3 sites. Depending on the setting, I get errors in the console for blocked scripts, and it seems that with certain site templates and even extensions, inline css or js is used, which creates problems. Generally things like MooTools menus and sliders seem to break.

I work with a developer who pointed out that Joomla 4 has an HTTP Headers extension, so we (he) practiced on a Joomla 4 site and were successful. The question is, do I then need to disable SCP's http header protections?

The J4 http header plugin doesn't appear to apply the headers via htaccess; only the SCP header code is in the htaccess file. I had to comment out the SCP Content Security Policy code, which broke the site. But I'm not seeing any notices of duplicate headers in tests like the one at securityheaders.com, which has noted a duplicate HSTS header in some tests where I had HSTS enabled both in Plesk and in SCP via htaccess. Should I remove the SCP header code from htaccess on J4 sites?

The J4 plugin does implement nonce and sha strings for the various sources noted in the CSP. I didn't do this work myself, so I don't know how my partner worked in the J4 plugin. But he said it made the process easier. The use of nonce and sha strings was needed to avoid using the unsafe-inline src type for inline sources written into the code.

Summing up... 

In my case, the majority of the sites I manage are to be migrated to J4. So I have just finished applying the headers which I can and commenting out the CSP header code pending migration to J4. If I learn enough to figure out how to apply CSP properly in J3, I'll do it.

If you have anything else to add, particularly with regard to SCP and the J4 http header plugin and how they would best work together, please let me know. From my somewhat limited perspective it seems that there is redundancy.

Thanks again.
Last edit: 1 month 3 days ago by azurelinksc.

1 month 3 days ago #9691 by Jose
Hi azurelink,

I didn't know there is a plugin in J4 for this!! I have found a complete article talking about this in the Joomla magazine: magazine.joomla.org/all-issues/may-2022/...eaders-plugin-for-j4

What's more important for you, it seems there is a similar tool for J3 sites! extensions.joomla.org/extension/httpheader/ (Info about this plugin found at magazine.joomla.org/all-issues/june-2020...rity-header-features).

Regarding your question about disabling SCP's http header protections, the answer is "YES" if you're using any of those plugins.

Regards,
Jose

1 month 3 days ago #9692 by azurelinksc
I didn't know either, until a developer who works for me told me about it. While the J4 plugin still requires you to investigate to determine the proper values to use, it does generate the nonce and adds that value to the script src directive which is the primary thing that creates an issue.

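An added example, not code from the thread or from either Joomla plugin, showing the mechanics the posts refer to: it computes the 'sha256-...' and nonce source expressions that let a template keep its inline blocks without 'unsafe-inline', assembles a policy that admits Google Fonts by host (a host source matches every path under it, so the long font URL is not needed), and checks whether a given inline script body would pass that policy. Python 3, standard library only; the sample inline script is constructed.

```python
import base64
import hashlib
import secrets

# Constructed sample inline script of the kind a template might emit
# (not taken from any real Joomla template or from the thread).
INLINE_SCRIPT = "document.documentElement.classList.add('js');"


def csp_hash(source: str, algo: str = "sha256") -> str:
    """CSP source expression for one inline <script>/<style> body. The
    browser hashes the exact text between the tags, so the input must match
    byte for byte (whitespace included) or the block is refused."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def csp_nonce() -> str:
    """Fresh per-response nonce: unpredictable and never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, script_hashes: list, style_hashes: list) -> str:
    """Policy allowing own-origin files, Google Fonts (a host source covers
    every path under that host, so no long URL is needed) and the listed
    inline blocks by hash or nonce, with no 'unsafe-inline' fallback."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *script_hashes],
        "style-src": ["'self'", "https://fonts.googleapis.com", *style_hashes],
        "font-src": ["'self'", "https://fonts.gstatic.com"],
    }
    return "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())


def inline_script_allowed(policy: str, script: str) -> bool:
    """Would this policy let the given inline script body run? A hash match
    allows it; 'unsafe-inline' only counts when the governing directive
    carries no nonce or hash source (browsers then ignore it)."""
    sources = []
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] in ("script-src", "default-src"):
            sources = parts[1:]
            if parts[0] == "script-src":
                break
    if csp_hash(script) in sources:
        return True
    strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not strict
```

The nonce must be generated per response and injected into each `<script nonce="...">` the page emits; the hash route suits inline blocks whose text never changes between requests.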