Etherpad-lite: Question: What CSP headers to add to secure for etherpad

Created on 9 Dec 2016  ·  7Comments  ·  Source: ether/etherpad-lite

Hi there,
I don't really understand CSP so I fail to compose the right CSP config for my etherpad instance. Can anyone here give me an example of what it should be to keep Etherpad working but improve security on it?
I think it could improve documentation when such examples are added.
Thanks a lot.

Waiting on Testing wontfix

All 7 comments

Note: on video.etherpad.com the results are as follows [screenshot not included]:

A simple npm install ep_helmet or install ep_helmet through the plugin installation UI will get you a B rating on Observatory. https://observatory.mozilla.org/analyze/video.etherpad.com

The scope of the issue was "what CSP headers", but I did go off on a bit of a tangent and decided to cover a lot more of the header-related exploits available to attackers. This gives admins a "one click" solution to increase security.

This doesn't "fix" the question of the correct CSP headers yet. CSP in general is a bitch to implement in Etherpad due to there being SO MUCH inline JS. So damn much. And afaik it's dynamic, so I need to take the nonce approach, and that means touching a lot of files. I'm not even sure it's possible, but I'm going to try to spend a few more hours on it and see where I get to. It's worth the effort even if it just confirms we need to move the JavaScript out of the HTML files. Imho unsafe-eval and unsafe-inline are the 2 biggest vectors that are worth the effort of addressing. Maybe tomorrow..

https://github.com/johnmclear/ep_helmet

Okay cool and now a merge request is in for CSP and I am going to publish an updated helmet.

Waiting on @muxator to review.

My concern with my fix, btw, is that plugins often use inline JS, so if you enable a strict CSP policy it will mean some of them won't work.

I rebased today. This PR is so involved that I don't want to merge it myself.

The PR just handles nonces; it isn't great for fixing the inline JS issues, but for the most part npm install ep_helmet saves the day :)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
