From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 72EA981CC1 for ; Fri, 26 Nov 2021 08:29:14 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 59FDC1560A for ; Fri, 26 Nov 2021 08:28:44 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 865C8155F9 for ; Fri, 26 Nov 2021 08:28:42 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5509144361 for ; Fri, 26 Nov 2021 08:28:42 +0100 (CET) Message-ID: <850e6a4c-b370-614e-6b2a-819a06d9fbb8@proxmox.com> Date: Fri, 26 Nov 2021 08:28:41 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Thunderbird/95.0 Content-Language: en-US To: Dominik Csapak , pmg-devel@lists.proxmox.com References: <20211125141441.1383250-1-d.csapak@proxmox.com> From: Thomas Lamprecht In-Reply-To: <20211125141441.1383250-1-d.csapak@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 1.087 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -1.993 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pmg-devel] [PATCH pmg-api v2] fix #3734: scrub 'url' from style tags/attributes X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Nov 2021 07:29:14 -0000 On 25.11.21 15:14, Dominik Csapak wrote: > if 'view images' for the quarantine is disabled, it is expected that > *no* images will be loaded. but in addition to img (src/href/etc.) > also css can load external images via the 'url' directive > > since html scrubber does not parse/iterate over css, we simply remove > the url+protocol part of those tags/attributes. this technically leaves behind > invalid css, but the browsers should cope with that. > (we cannot 'cleanly' remove without much more effort because of quoting) > > also we have to scrub the style tags in 'dump_html' since HTML::Scrubber > does not have a way to modify the *content* of a tag, only the > attributes... > > Signed-off-by: Dominik Csapak > --- > changes from v1: > * replace url with ___ and protocol:// with _ instead of removing > * move sub out and use the reference > * always pass $cid_hash and only use it in the function when > $view_images is set > * improve comment to show what 'dump_html' does > > @thomas: a note to our off-list discussion regarding url-encoding the > protocol: you *could* do it, but the browser does not recognize it as > a protocol and interprets it as a relative url, so we're safe on > this regard > Another option: Setting the content security policy: For this call we could use: $resp->header("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline';"); Maybe even; "Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline';" That works out quite well here. In the long run the CSP is something we could evaluate in general, at least for API calls, as only (mostly?) those contain dynamic, sometimes user/foreign controlled input. If we would like to set a CSP for everything we'd need something like: $resp->header("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"); to cover it, and ideally switch from 'unsafe-inline' to nonce/sha approach of whitelisting, but in any case, nothing that we'd want to rush out now. Also, doing both is an option, avoiding requests in the first place, so no scary errors in the browser console, and the CSP, for really just this the *quarantine/content API call, as safety net..