[Scala 2.4.x] Page-specific CSP


Byron Weber Becker

Apr 8, 2016, 5:21:15 PM
to play-framework
I'm using the tinyMCE html editor in one of my pages.  It breaks the Content Security Policies that I have set for the rest of my site.

Chrome gives helpful error messages such as:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-d6YBI/E1hFs69uzv+OZr4MIn2n/N0Cs0Kkpdv306DoQ=' 'sha256-Ut79aLjs3fC5UtVv26l2r+kyv/4DhifGEM6YG3xXOyo='". Either the 'unsafe-inline' keyword, a hash ('sha256-Ut79aLjs3fC5UtVv26l2r+kyv/4DhifGEM6YG3xXOyo='), or a nonce ('nonce-...') is required to enable inline execution.


But notice that the third hash in the quoted rule is identical to the hash it suggests.  Any ideas why it's not accepting that hash?

As a workaround, I tried returning

Ok(EditNoteView(uwid, noteid, filledForm))
  .withHeaders(CONTENT_SECURITY_POLICY_HEADER -> "default-src 'self' 'unsafe-inline'")

in my controller, thinking that would override the headers set in the SecurityHeadersFilter.  No such luck.  The filter replaces any CSP headers already set.  Is that the intended behaviour?  

For the moment, I'm busy writing my own security headers filter.  But I figure there should be a better/easier way.  Suggestions welcome.



Greg Methvin

Apr 8, 2016, 9:30:41 PM
to play-framework
Hi Byron,

In the filter the headers are applied to the result after your action executes, so it would override anything that already exists. I think maybe it should avoid setting the headers if they're already set, to allow the use case you're talking about. Perhaps whether it does that should be configurable as well. If you want you could create an issue on github for this.

If you're writing a custom filter, you could still reuse the SecurityHeadersConfig (so configuration still works normally) and simply bind your own SecurityHeadersFilter that does what you want.

We'd welcome pull requests to improve the filter as well.

Regards,
Greg




--
Greg Methvin
Senior Software Engineer
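One way to do what Greg suggests, as an added example in Scala that is not code from this thread or from Play itself: a replacement filter that reuses SecurityHeadersConfig but only adds a header when the action has not already set it. It assumes the Play 2.4 SecurityHeadersConfig fields and the header-name constants in the SecurityHeadersFilter companion object; the class name ActionFirstSecurityHeadersFilter is hypothetical.

```scala
import javax.inject.Inject
import play.api.libs.iteratee.Execution.Implicits.trampoline
import play.api.mvc.{EssentialAction, EssentialFilter, Result}
import play.filters.headers.SecurityHeadersConfig
import play.filters.headers.SecurityHeadersFilter._

// Hypothetical filter (not part of Play): applies the configured security
// headers as defaults, but lets a per-action header win instead of
// overwriting it, so a single page can relax or tighten its own CSP.
class ActionFirstSecurityHeadersFilter @Inject() (config: SecurityHeadersConfig)
    extends EssentialFilter {

  // Header/value pairs derived from application.conf, mirroring what the
  // stock SecurityHeadersFilter computes from the same config object.
  private val defaults: Seq[(String, String)] = Seq(
    config.frameOptions.map(X_FRAME_OPTIONS_HEADER -> _),
    config.xssProtection.map(X_XSS_PROTECTION_HEADER -> _),
    config.contentTypeOptions.map(X_CONTENT_TYPE_OPTIONS_HEADER -> _),
    config.permittedCrossDomainPolicies.map(X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER -> _),
    config.contentSecurityPolicy.map(CONTENT_SECURITY_POLICY_HEADER -> _)
  ).flatten

  // HTTP header names are case-insensitive, so compare ignoring case rather
  // than relying on the action having used the exact constant.
  private def alreadySet(result: Result, name: String): Boolean =
    result.header.headers.keys.exists(_.equalsIgnoreCase(name))

  // Headers missing from the action's result, to be added as defaults.
  private[this] def missingHeaders(result: Result): Seq[(String, String)] =
    defaults.filterNot { case (name, _) => alreadySet(result, name) }

  def apply(next: EssentialAction): EssentialAction = EssentialAction { request =>
    next(request).map { result =>
      result.withHeaders(missingHeaders(result): _*)
    }
  }
}
```

Bind this class in place of the default filter in your application's Filters (and keep the stock SecurityHeadersModule's SecurityHeadersConfig binding), so the existing play.filters.headers configuration keeps working.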

Byron Weber Becker

Apr 9, 2016, 3:14:15 PM
to play-framework
Greg -- Thanks for the feedback.  I've created an issue (https://github.com/playframework/playframework/issues/6011).  I'm happy to work on a pull request but have a question regarding the approach.  Can you please take a look at the issue and respond, particularly to the last question?