Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Will MyBB support default-src 'self' in CSP?
#5
(07-31-2019, 06:52 PM)gimbal Wrote: Thanks again - I appreciate the info you all provide about MyBB here.

Do you happen to know anything about the other MyBB security recommendations - specifically the HTTPS and Header set Content-Security-Protocol (CSP) directives?

To function with a CSP header, MyBB requires allowing default-src 'unsafe-inline' 'unsafe-eval' directives (to allow inline scripts), but apparently that basically defeats the purpose of having CSP? Just wondering if there is a roadmap to getting MyBB to comply with default-src 'self' which would be considered safer? Or, is this not really an issue?
(07-31-2019, 07:01 PM)gimbal Wrote: Google mentions that "if you must..." about typical forum software being built on inline scripts with an example that echoes what you said

https://developers.google.com/web/fundam...3_ssl_only

Apparently going forward, to be fully compliant, you can specify inline with a "nonce" or a "hash" (from the same article):

https://developers.google.com/web/fundam...st_use_it_

Yes, ideally it would be possible to disallow all inline <script>s which would mitigate complete classes of vulnerabilities.

As Euan says, there are currently hundreds of tags being included in the source code of various pages - it's possible to pass necessary data to included .js scripts, but a significant amount of such JavaScript code will require logic changes in related areas.
We'll likely start indexing all those locations and choose the best approach at some point, but it's not tied to any specific future MyBB version yet.

Meanwhile, the current Content-Security-Policy example mainly adds HTTPS-related improvements for upgrading and blocking unsecured requests. These directives should be safe to add on most MyBB installations, and similarly, depending on installed themes and plugins (what kinds of resources, and from what kinds of locations, they use), additional restrictions may be added.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply


Messages In This Thread
RE: Will MyBB support default-src 'self' in CSP? - by Devilshakerz - 07-31-2019, 07:19 PM

Forum Jump:


Users browsing this thread: 1 Guest(s)