Hi
I recently recompiled a Lift 3 app against Lift 3.0 snapshot and as the
content security stuff has started to kick in I see a lot of security
messages in both sbt logs and the browser console.
The app has some jquery (v1.11.1) and angular (v1.4.1) and bootstrap
(v3.3.5) scripts/css stuff as well as some own css and js stuff
including angular controller, factories all in its own js/css files.
Although I get a lot of ContentSecurityPolicyViolation warnings in sbt
(see below for some snippets) and browser console messages, the app still
works in development but *FAILS* when deployed in production (with or
without my experimental security rules settings seen below).
As I do not currently know the best way to approach the security issues
I see, I first tried to "disable" (at least that is what I thought I was
doing) some of the checks by experimenting with the security rules and
adding things like the following to Boot.boot:
import net.liftweb.http.{LiftRules, SecurityRules, ContentSecurityPolicy, ContentSourceRestriction}

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    // note: no ContentSourceRestriction.Self here, so scripts served from the
    // app's own origin (jquery.js, bootstrap.js, angular.js) are blocked in
    // production, which is what the production log below reports
    scriptSources = List(
      ContentSourceRestriction.UnsafeEval),
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self))))
}
to see if I could get the app working, but I have probably got some
things wrong as it still won't work correctly in production mode.
I can of course do a "rollback" to a milestone (which I have done for
the production deployed version), but I would like to know a bit more
about how this security stuff works. So is there any Lift-specific
documentation on this yet? Or is it reading code and trying out
stuff at this point? Which I obviously have failed to comprehend at this
point ;)
Is there for instance a way to white-list specific resources/resource
paths or similar?
Below are some log messages (dev and production mode logs).
Any help or pointers on how to set up the security rules for my use
case is greatly appreciated.
best regards Peter Petersson
Some log messages in sbt (dev mode)
13:22:04.533 [qtp667921451-1006] WARN n.l.h.ContentSecurityPolicyViolation - Got a content security violation report we couldn't interpret: 'Full({"csp-report":{"document-uri":"http://localhost:8080/","referrer":"http://localhost:8080/","violated-directive":"default-src 'self'","effective-directive":"style-src","original-policy":"script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report","blocked-uri":"","source-file":"http://localhost:8080/classpath/fobo/jquery.js","line-number":5571,"column-number":20,"status-code":200}})'.
13:22:08.634 [qtp667921451-1065] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer 'http://localhost:8080/':
| 'self' was blocked because it violated the
| directive 'default-src http://localhost:8080'. The policy that specified
| this directive is: 'script-src 'unsafe-eval' http://localhost:8080; default-src http://localhost:8080; img-src *; report-uri http://localhost:8080/lift/content-security-policy-report'.
"Production mode" log
==> geronimo.log <==
2015-07-29 13:43:08,119 WARN [LiftRules] Content security policy violation reported on page
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/' from referrer '':
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/classpath/fobo/jquery.js' was blocked because it violated the
| directive 'script-src 'unsafe-eval''. The policy that specified
| this directive is: 'script-src 'unsafe-eval'; style-src 'unsafe-inline' http://www.media4u101.se; default-src http://www.media4u101.se; img-src *; report-uri http://www.media4u101.se/fobo-angular-lift-roundtrips/lift/content-security-policy-report'.
2015-07-29 13:43:08,132 WARN [LiftRules] Content security policy violation reported on page
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/' from referrer '':
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/classpath/fobo/bootstrap.js' was blocked because it violated the
| directive 'script-src 'unsafe-eval''. The policy that specified
| this directive is: 'script-src 'unsafe-eval'; style-src 'unsafe-inline' http://www.media4u101.se; default-src http://www.media4u101.se; img-src *; report-uri http://www.media4u101.se/fobo-angular-lift-roundtrips/lift/content-security-policy-report'.
2015-07-29 13:43:08,134 WARN [LiftRules] Content security policy violation reported on page
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/' from referrer '':
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/classpath/fobo/angular.js' was blocked because it violated the
| directive 'script-src 'unsafe-eval''. The policy that specified
| this directive is: 'script-src 'unsafe-eval'; style-src 'unsafe-inline' http://www.media4u101.se; default-src http://www.media4u101.se; img-src *; report-uri http://www.media4u101.se/fobo-angular-lift-roundtrips/lift/content-security-policy-report'.
2015-07-29 13:43:08,101 WARN [LiftRules] Content security policy violation reported on page
| 'http://www.media4u101.se/fobo-angular-lift-roundtrips/' from referrer '':
| 'https://www.youtube.com/embed/TRrL5j3MIvo?feature=player_detailpage' was blocked because it violated the
| directive 'default-src http://www.media4u101.se'. The policy that specified
| this directive is: 'script-src 'unsafe-eval'; style-src 'unsafe-inline' http://www.media4u101.se; default-src http://www.media4u101.se; img-src *; report-uri http://www.media4u101.se/fobo-angular-lift-roundtrips/lift/content-security-policy-report'.
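As an added example (not from the post above nor from Lift's own documentation), here is a Boot.boot rule set that addresses what the logs report: keeping 'self' for scripts so the app's own jquery.js/bootstrap.js/angular.js load, allowing the inline styles jQuery injects, and whitelisting the YouTube embed as a frame source instead of loosening default-src. It assumes the Lift 3 SecurityRules/ContentSecurityPolicy field names as I know them (defaultSources, scriptSources, styleSources, frameSources, fontSources, imageSources, reportUri) and the font host is a placeholder.

```scala
import net.liftweb.http.{LiftRules, SecurityRules, ContentSecurityPolicy, ContentSourceRestriction}

// Added example for Boot.boot; field names assume the Lift 3 SecurityRules API.
LiftRules.securityRules = () =>
  SecurityRules(
    content = Some(ContentSecurityPolicy(
      // Fallback for every fetch type without its own directive: same origin only.
      defaultSources = List(ContentSourceRestriction.Self),

      // The app's scripts are served from its own /classpath path, so Self is
      // required; the production log shows jquery.js, bootstrap.js and angular.js
      // blocked when script-src carried only 'unsafe-eval'. Angular 1.x's
      // expression parser needs 'unsafe-eval' unless the app runs with ng-csp,
      // so this is the one relaxation worth keeping an eye on.
      scriptSources = List(
        ContentSourceRestriction.Self,
        ContentSourceRestriction.UnsafeEval),

      // The dev log reports jquery.js (line 5571) violating style-src: jQuery
      // sets inline style attributes, which CSP treats as inline styles.
      styleSources = List(
        ContentSourceRestriction.Self,
        ContentSourceRestriction.UnsafeInline),

      // The YouTube embed is an iframe, governed by frame-src. Whitelisting the
      // host here is narrower than adding it to default-src.
      frameSources = List(
        ContentSourceRestriction.Self,
        ContentSourceRestriction.Host("https://www.youtube.com")),

      // Pattern for whitelisting an external host for one resource type only
      // (placeholder host, assumed for illustration).
      fontSources = List(
        ContentSourceRestriction.Self,
        ContentSourceRestriction.Host("https://fonts.example.invalid")),

      // Matches the 'img-src *' seen in the logged policies.
      imageSources = List(ContentSourceRestriction.All),

      // Keep Lift's report endpoint so violations keep appearing in the logs.
      reportUri = Some("/lift/content-security-policy-report")
    ))
  )
```

CSP matches sources by scheme and host, not by individual file, so per-resource white-listing is not available; a CSP Level 2 host source may carry a path prefix (for example "https://www.youtube.com/embed/") if the Lift version in use passes it through unchanged.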