From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>, pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v2] fix #3734: scrub 'url' from style tags/attributes
Date: Fri, 26 Nov 2021 08:28:41 +0100 [thread overview]
Message-ID: <850e6a4c-b370-614e-6b2a-819a06d9fbb8@proxmox.com> (raw)
In-Reply-To: <20211125141441.1383250-1-d.csapak@proxmox.com>
On 25.11.21 15:14, Dominik Csapak wrote:
> if 'view images' for the quarantine is disabled, it is expected that
> *no* images will be loaded. but in addition to img (src/href/etc.)
> also css can load external images via the 'url' directive
>
> since html scrubber does not parse/iterate over css, we simply remove
> the url+protocol part of those tags/attributes. this technically leaves behind
> invalid css, but the browsers should cope with that.
> (we cannot 'cleanly' remove without much more effort because of quoting)
>
> also we have to scrub the style tags in 'dump_html' since HTML::Scrubber
> does not have a way to modify the *content* of a tag, only the
> attributes...
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> changes from v1:
> * replace url with ___ and protocol:// with _ instead of removing
> * move sub out and use the reference
> * always pass $cid_hash and only use it in the function when
> $view_images is set
> * improve comment to show what 'dump_html' does
>
> @thomas: a note to our off-list discussion regarding url-encoding the
> protocol: you *could* do it, but the browser does not recognize it as
> a protocol and interprets it as a relative url, so we're safe on
> this regard
>
Another option: Setting the content security policy:
For this call we could use:
$resp->header("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline';");
Maybe even;
"Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline';"
That works out quite well here.
In the long run the CSP is something we could evaluate in general, at least for API
calls, as only (mostly?) those contain dynamic, sometimes user/foreign controlled input.
If we would like to set a CSP for everything we'd need something like:
$resp->header("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;");
to cover it, and ideally switch from 'unsafe-inline' to nonce/sha approach of
whitelisting, but in any case, nothing that we'd want to rush out now.
Also, doing both is an option, avoiding requests in the first place, so no scary
errors in the browser console, and the CSP, for really just this the *quarantine/content
API call, as safety net..
next prev parent reply other threads:[~2021-11-26 7:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-25 14:14 Dominik Csapak
2021-11-25 17:26 ` Thomas Lamprecht
2021-11-26 7:28 ` Thomas Lamprecht [this message]
2021-11-26 7:51 ` Dominik Csapak
2021-11-26 9:07 ` [pmg-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=850e6a4c-b370-614e-6b2a-819a06d9fbb8@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pmg-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox