Koozali.org: home of the SME Server

Contribs.org Forums => Development => Topic started by: frifri on June 08, 2016, 12:40:23 PM

Title: Content-Security-Policy Template
Post by: frifri on June 08, 2016, 12:40:23 PM
Hi all,

I want to make an httpd.conf template for enabling 'Content Security Policy' on VirtualHosts.

Info:
http://content-security-policy.com/
https://securityheaders.io

This is what I tried, but it doesn't work:

Code:
{
    use esmith::AccountsDB;
    my $accounts = esmith::AccountsDB->open_ro;
    my $CSP = $accounts->get_prop($ibay, "CSP") || "";

    if ($CSP ne '')
    {
    $OUT .= "    Header set Content-Security-Policy \"$CSP\"\n";
    }
}
Title: Re: Content-Security-Policy Template
Post by: Daniel B. on June 08, 2016, 01:05:39 PM
> This is what I tried, but it doesn't work

"Doesn't work" is a bit too vague. Please give us some details (where did you write this custom template, and what isn't working as expected?).
Title: Re: Content-Security-Policy Template
Post by: frifri on June 08, 2016, 02:20:20 PM
Hi Daniël,

I get a lot of these:

Code:
WARNING in /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates //etc/httpd/conf/httpd.conf/80VirtualHosts line 38.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/06CSP: Use of uninitialized value $Text::Template::ERROR in concatenation (.) or string at /usr/share/perl5/vendor_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/06CSP: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/06CSP: at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38

F.
Title: Re: Content-Security-Policy Template
Post by: Daniel B. on June 08, 2016, 02:24:55 PM
$ibays is not defined globally. Try replacing it with $virtualHostContent
Title: Re: Content-Security-Policy Template
Post by: frifri on June 08, 2016, 10:41:51 PM
Thanks Daniël!

This custom template does what I need:

Code:
{
    use esmith::AccountsDB;
    my $accounts = esmith::AccountsDB->open_ro;
    # $virtualHostContent is set by the VirtualHosts template for the host being expanded
    my $ibay = $virtualHostContent;
    # Per-ibay CSP property; empty string when the property is not set
    my $CSP = $accounts->get_prop($ibay, "CSP") || "";

    if ($CSP ne '')
    {
        $OUT .= "    # Content-Security-Policy\n";
        $OUT .= "    Header set Content-Security-Policy \"$CSP\"\n";
    }
}

F.
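
The template above copies the CSP property into httpd.conf between double quotes without checking it, so a stored value containing a quote, backslash or newline would change the generated configuration. The following is an added example, not code from the thread or from the SME Server project: a stand-alone Perl check a template could apply before emitting the line. The helper name csp_header_line and the sample values are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the thread: validate a CSP value before a template
# writes it into httpd.conf as  Header set Content-Security-Policy "<value>".
use strict;
use warnings;

# Hypothetical helper. Returns the directive line, or nothing if the value
# could break out of the quoted argument or add extra configuration lines.
sub csp_header_line {
    my ($csp) = @_;
    return unless defined $csp && $csp =~ /\S/;

    # A double quote ends the quoted argument, a backslash can escape the
    # closing quote, and CR/LF or other control characters start a new line.
    return if $csp =~ /["\\]/ || $csp =~ /[[:cntrl:]]/;

    # Each ';'-separated part must look like "directive-name source ...".
    for my $part (split /;/, $csp) {
        next unless $part =~ /\S/;    # tolerate a trailing ';'
        return unless $part =~ /^\s*[A-Za-z][A-Za-z0-9-]*(?:\s+\S+)*\s*$/;
    }
    return qq{    Header set Content-Security-Policy "$csp"\n};
}

# Constructed sample values, as they might be stored in the CSP property.
my @samples = (
    "default-src 'self'; style-src 'self' 'unsafe-inline';",
    qq{default-src 'self'"\nHeader set X-Injected "1},    # quote + newline
    "default-src 'self'\\",                                # trailing backslash
    "",                                                    # property not set
);

for my $csp (@samples) {
    my $line = csp_header_line($csp);
    (my $shown = $csp) =~ s/\n/\\n/g;    # keep each report on one line
    printf "%-5s %s\n", defined $line ? "emit" : "skip", $shown;
}
```

Only the first sample is emitted; the other three are skipped, so the template would write no Header line for them.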
Title: Re: Content-Security-Policy Template
Post by: Jean-Philippe Pialasse on June 09, 2016, 08:30:32 AM
Could it be of common use to add this option as the regular template?

If so, we could open an NFR against SME10 and maybe backport it to SME9.
Title: Re: Content-Security-Policy Template
Post by: Stefano on June 09, 2016, 08:58:26 AM
I agree, please do, TIA
Title: Re: Content-Security-Policy Template
Post by: frifri on June 09, 2016, 08:59:16 AM
It could, but it needs more documentation.

Server-Manager needs at least CSP="default-src 'self'; script-src 'unsafe-inline'; style-src 'self' 'unsafe-inline';" ...

F.
Title: Re: Content-Security-Policy Template
Post by: Stefano on June 09, 2016, 11:00:32 AM
Please open an NFR, attach your code and add all your observations, thank you.