Lift 3.0-RC3 breaks and ignores SecurityRules settings.


Flav Alex

Jul 24, 2016, 1:14:34 PM
to Lift
After upgrading to Lift 3.0-RC3, I'm having the great pleasure of seeing the website fail to load again. I'm also unable to look at the Content Security Report, because a violation of the security rules happens when the report itself is generated, which now makes the website unable to generate the report.

I really don't understand why Lift ignores the settings completely. Not only that, but it fails to depict any issues in dev mode as well, which is all the more interesting, in spite of being forced to report the same issues in all modes, including development. It happily starts on localhost:8080 with no issues whatsoever; as soon as the -Drunmode is changed, it all crashes and burns.

Not only that, but attempting to read the content security report via localhost with "http://localhost:8080/lift/content-security-policy-report" fails with "Unrecognized format for content security policy report."

In Boot.scala the rules are explicitly set:

import net.liftweb.http.{ContentSecurityPolicy, ContentSourceRestriction, LiftRules, SecurityRules}

class Boot {

  // Explicit policy: style, font and script sources are listed per directive;
  // any directive not listed falls back to defaultSources, which here allows
  // every host plus inline code and eval.
  def securityRules: SecurityRules = {
    SecurityRules(
      https = None,
      content = Some(ContentSecurityPolicy(
        defaultSources = List(
          ContentSourceRestriction.All,
          ContentSourceRestriction.UnsafeEval,
          ContentSourceRestriction.UnsafeInline
        ),
        styleSources = List(
          ContentSourceRestriction.Self,
          ContentSourceRestriction.UnsafeInline,
          ContentSourceRestriction.Host("https://maxcdn.bootstrapcdn.com/bootstrap/"),
          ContentSourceRestriction.Host("http://static.olark.com/css/"),
          ContentSourceRestriction.Host("https://fonts.googleapis.com/css"),
          ContentSourceRestriction.Host("http://cdn-images.mailchimp.com/embedcode/"),
          ContentSourceRestriction.Host("http://a.disquscdn.com/next/embed/styles/")
        ),
        fontSources = List(
          ContentSourceRestriction.Self,
          ContentSourceRestriction.Host("https://maxcdn.bootstrapcdn.com/bootstrap/"),
          ContentSourceRestriction.Host("https://fonts.gstatic.com/"),
          ContentSourceRestriction.Host("https://fonts.googleapis.com/")
        ),
        scriptSources = List(
          ContentSourceRestriction.Self,
          ContentSourceRestriction.Host("http://cdn.mxpnl.com/libs/"),
          ContentSourceRestriction.Host("http://www.google-analytics.com/"),
          ContentSourceRestriction.Host("http://olark.com/"),
          ContentSourceRestriction.Host("http://*.olark.com/"),
          ContentSourceRestriction.Host("http://a.disquscdn.com/"),
          ContentSourceRestriction.UnsafeInline,
          ContentSourceRestriction.UnsafeEval
        )
      )),
      frameRestrictions = None,
      // Outside development, violations are logged but not enforced;
      // in development they are enforced.
      enforceInOtherModes = false,
      logInOtherModes = true,
      enforceInDevMode = true
    )
  }

  def boot(): Unit = {
    LiftRules.securityRules = () => securityRules
    // ....
  }
}
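[Added example, not part of the thread and not Lift code.] The policy above and the report URL the post mentions can be checked from the outside. A CSP header is a list of directives, each holding a list of source expressions, and the report-uri is where the browser POSTs a JSON violation report whose original-policy field carries the policy the browser actually received. The script below parses both, decides whether a URL would pass a directive under the intended policy (default-src fallback, *. host wildcards, path prefix versus exact match, and the 'inline'/'eval' blocked-uri values), and lists the directives on which the intended and served policies differ. A blocked URI that the intended policy allows is the symptom described in the post: the server is sending some other policy. The header and the report are constructed by hand to mirror the Boot.scala lists; the mapping of All to *, Self to 'self' and Host(h) to h is the standard CSP syntax and my assumption, not Lift's documented output.

```python
"""Parse a Content-Security-Policy header and a browser's CSP violation report, then
compare the policy the browser actually received with the one you intended to serve.
Added example, not Lift code: INTENDED_HEADER and SAMPLE_REPORT are constructed by hand
to mirror the Boot.scala policy above, not captured from a running Lift application."""
import json
from typing import Dict, List
from urllib.parse import urlsplit

Policy = Dict[str, List[str]]

# Constructed: the posted source lists in CSP header syntax (All -> *, Self -> 'self',
# UnsafeInline -> 'unsafe-inline', Host(h) -> h); report-uri is the path from the post.
INTENDED_HEADER = (
    "default-src * 'unsafe-eval' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com/bootstrap/ "
    "http://static.olark.com/css/ https://fonts.googleapis.com/css "
    "http://cdn-images.mailchimp.com/embedcode/ http://a.disquscdn.com/next/embed/styles/; "
    "font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/ https://fonts.gstatic.com/ "
    "https://fonts.googleapis.com/; "
    "script-src 'self' http://cdn.mxpnl.com/libs/ http://www.google-analytics.com/ "
    "http://olark.com/ http://*.olark.com/ http://a.disquscdn.com/ 'unsafe-inline' 'unsafe-eval'; "
    "report-uri /lift/content-security-policy-report"
)

# Constructed: the JSON body a browser POSTs (Content-Type: application/csp-report) to the
# report-uri.  'original-policy' is what the browser was actually given; here a tight
# default rather than INTENDED_HEADER, so a script the intended policy allows was blocked.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; "
                       "report-uri /lift/content-security-policy-report",
    "blocked-uri": "http://cdn.mxpnl.com/libs/mixpanel-2-latest.min.js",
    "status-code": 200,
}})


def parse_csp(header: str) -> Policy:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: Policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, url: str, document_origin: str) -> bool:
    """CSP host-source matching: scheme, host (with *. wildcard) and path prefix/exact."""
    target = urlsplit(url)
    if source == "*":
        return True
    if source == "'self'":
        return f"{target.scheme}://{target.netloc}" == document_origin
    if source.startswith("'"):          # 'unsafe-inline', 'none', nonces: never match a URL
        return False
    src = urlsplit(source if "://" in source else "//" + source)
    # CSP3 lets an http: source also match an https: fetch of the same host.
    if src.scheme and not (src.scheme == target.scheme or (src.scheme, target.scheme) == ("http", "https")):
        return False
    host, want = target.hostname or "", src.hostname or ""
    if want.startswith("*."):
        if not host.endswith(want[1:]):  # *.olark.com matches static.olark.com, not olark.com
            return False
    elif host != want:
        return False
    if not src.path or src.path == "/":
        return True
    if src.path.endswith("/"):           # trailing slash: directory prefix
        return target.path.startswith(src.path)
    return target.path == src.path       # otherwise the exact file


def is_allowed(policy: Policy, directive: str, url: str, document_origin: str) -> bool:
    """A fetch directive falls back to default-src when absent; with neither, CSP allows the
    load.  'inline'/'eval' are the blocked-uri values for inline script and eval(), decided
    by keyword rather than by host."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if url in ("inline", "eval"):
        return f"'unsafe-{url}'" in sources
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, document_origin) for s in sources)


def check_report(intended_header: str, report_body: str) -> dict:
    """A blocked URI that the intended policy allows means the server served another policy;
    the directives differing from the report's 'original-policy' say which ones."""
    report = json.loads(report_body)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    doc = urlsplit(report["document-uri"])
    intended, served = parse_csp(intended_header), parse_csp(report.get("original-policy", ""))
    return {
        "directive": directive,
        "blocked_uri": report["blocked-uri"],
        "allowed_by_intended_policy": is_allowed(intended, directive, report["blocked-uri"],
                                                 f"{doc.scheme}://{doc.netloc}"),
        "directives_differing_from_served": sorted(
            k for k in set(intended) | set(served) if intended.get(k) != served.get(k)),
    }
```

Run check_report(INTENDED_HEADER, SAMPLE_REPORT) to see the shape of the result; with a real report, paste the JSON body the browser sent (visible in the browser's network tab or the server's access log) in place of SAMPLE_REPORT. Two caveats the code makes visible: with default-src * any directive you did not list (img-src, connect-src, ...) permits every host, and a host source with a file path such as https://fonts.googleapis.com/css matches only that exact path, so a query string is fine but /css2 is not.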

Peter Petersson

Jul 24, 2016, 4:29:41 PM
to lif...@googlegroups.com
Hi Alex

I am asking some questions to try to help you find out what the issue may be; hopefully it will help in the end, but maybe someone else has more information.

You write "It happily likes starting on localhost:8080 with no issues whatsoever" but in production "it all crashes and burns".
Is this really the case?
I mean, if you don't get any security-related warning messages in the console when running in development run mode, the app should not fail to load in production; this is what you seem to imply. If this is not the case and you have the slightest security-related warning in development, this is likely the reason the app fails to load/start, due to some security policy violation. The latter is by design and deliberate (and should make sense).

You are also saying that "you have the pleasure of seeing the website failing to load again". So are you saying you have seen your app fail to start in production run mode before (due to some security policy issue), but that after some pre-RC3 release the app "as it is/was" did run in production (and dev), and that after upgrading to RC3 (with no other changes) it now fails to load/start in production and emits no console log errors/warnings whatsoever, either when run in dev mode locally or when started in production (except for failing to create the report, see below about that)?

This post [1] (on Lift's mailing list) may address what you need to configure to be able to see the security report.

[1] https://groups.google.com/forum/m/#!topic/liftweb/WP-csyV0Vbs

best regards Peter Petersson
--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

off...@websudos.co.uk

Jul 24, 2016, 4:37:09 PM
to Lift
Hi Peter,

I am very confident the app runs in development inside the XSBT container plugin using Tomcat 8, the very same setup used to deploy to AWS Beanstalk Tomcat 8.

The server does not fail to start on AWS; I rushed to write the wrong thing. But it fails to load a whole lot of content from paths that are explicitly marked as allowed in the content security policy. I manually checked that the right wildcards are in place and that the right links are there. I have experienced related issues before when upgrading from 2.6 to 3.0-M1; however, those could be expected, as the explicit CSP settings were required for the first time around that release.

Realistically, I don't really need a lot of investigation, as the server breaks as soon as I upgrade to Lift 3.0-RC3, package and deploy, without any change whatsoever to the security rules. The 3.0-M6 version worked as expected. The errors that are found in production are a great indication of what's going wrong, namely they seem to think all the SecurityRules in place are the default ones. None of my custom setup is visible, and once again this is somehow only happening in production mode.

The release I am using, as per your GitHub repository, has already merged the changes for requestJson <- request.forcedBodyAsJson that you are pointing to; I don't think those will help.

Regards.

Peter Petersson

Jul 25, 2016, 4:13:56 AM
to lif...@googlegroups.com

You write "None of my custom setup is visible"

Okay, so it is not the sources you specify in the CSP Host setting, or any other explicit CSP-related setting, that fail to load, but some "custom setup" sources that fail to load. By "custom setup" I assume you refer to some locally managed sources like CSS files, script files, images and so on.

Now, if my assumption above is right and the CSP settings are involved in preventing your local sources from loading (becoming available), you should see errors in the production logs (from startup of your application) and probably also in the browser console. In development you should see warnings on startup of your application; if not, then the CSP settings have nothing to do with the problem you experience.

Make sure that you clear the browser cache, make sure your "custom resources" are referenced correctly and are present in the jar/war/ear (or deploy folder) that you deploy to production, and make sure that they are present in their expected location(s).

best regards Peter Petersson
