#33891 Content-Security-Policy an Permissions-Polic

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by jjst135 on Monday, 12 October 2020 06:52 CDT

jjst135

Hi!

When we test our sites for security headers most of them are present and set. But it seems there are some new security headers available. I am not very familiar with what this exactly does or means. We check these settings on this free online service:

https://securityheaders.com/?q=https%3A%2F%2Fwww.inxpact.nl%2F&hide=on

The security headers that are not present on this site using Admin Tools are

  • Content-Security-Policy
  • Permissions-Policy

I do think these are not simple on/off headers but do also need you to set what resources are allowed to be loaded. For example Google Fonts or hosted libraries. Correct? 

I was just wondering if this is something that already can be addressed by Admin Tools somehow? Or maybe this might become available in Admin Tools in the future? Or do you think this is not needed?

Kind regards,
Jip

jjst135

In addition to this question I also noticed these mentions on the headers check page:

Warnings: Referrer-Policy The "unsafe-url" value is not recommended.

Upcoming Headers: Expect-CT Expect-CT allows a site to determine if they are ready for the upcoming Chrome requirements and/or enforce their CT policy.

I believe the referrer-policy is set by Admin Tools? Any thoughts on why this check says it is not recommended?

The Expect-CT is (also) new. Again, it's not clear to me what it does or means. I think I should dive into that some more, but maybe you guys (as experts) can let me know if this is something you are also checking out and maybe will add this header to Admin Tools?

jjst135

Referrer-Policy The "unsafe-url" value is not recommended

I did some reading up on this and I now understand how this works and what it is for. I think I will change this setting to 'strict-origin' for most of our sites. As this will strip any path information from the referrer information.

https://scotthelme.co.uk/a-new-security-header-referrer-policy/

jjst135

Sorry about spamming my own post like this. I just read something about the Expect-CT header that might be good to know. I thought this was something new, but this was introduced in 2017 and now maybe becoming obsolete soon:

"The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021." - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

So I guess this is something we do not need to worry about. Right?

So I might have answered my questions about 'Referrer-Policy' and Expect-CT ;-) Then only the question in my original post remains.

Again sorry for posting questions and educating myself at the same time...

nicholas
Akeeba Staff
Manager

Almost all Joomla 3 extensions and Joomla 3 itself will break when setting a Content-Security-Policy (CSP) header. Joomla 4 added CSP as an optional feature but be advised that most third party extensions will break. It took me over a month to revise the JS on all of our extensions to make it compatible with a strict CSP.

Since CSP requires passing a token that changes on each session to allow inline scripts and styles we cannot implement it in Admin Tools' .htaccess Maker. The content there is static. Moreover, it wouldn't be realistic to let you define exceptions in this case. The correct approach is what Joomla 4 is doing. So you won't see us implementing CSP as it'd be a duplication of an already good effort.

The Permissions Policy has similar challenges. It tells the browser which browser (HTML5) features your site needs to function. Moreover, you may restrict certain features to certain URLs only. For example, you may want to limit geolocation to a page which allows your user to submit their current location along with an urgent, location-specific support request (real world use case!). Because of its open-ended nature it makes no sense for us to implement in a UI. It is best constructed by hand and included in the bottom of the .htaccess.

Referrer policy CAN be changed in the .htaccess Maker, you just didn't do it, so the default is the unsafe option. For most sites strict-origin works fine. There are very few use cases where the Referer needs to pass the full URL to an external domain, e.g. if you are using a link tracker on a subdomain / external domain or some third party integrations. The only way to find out is to try and see.

Expect-CT is non-standard and has to do with the maximum TLS certificate lifetime being progressively reduced by browsers. You really don't have to worry about it. This is a flag header for some special use cases where a large company might sign its own certificates. Nothing that has to do with you or virtually all users of Admin Tools.

Do remember that the security headers exposed in .htaccess Maker are just those which make sense for the general population and which can be set to a static value in .htaccess. Specialty headers are not going to become .htaccess Maker options. As I said, CSP is best handled the way J4 will be handling it and the Permissions-Policy header is something you shouldn't mess with unless you know EXACTLY which browser features every single JavaScript file on your site needs. Otherwise you'll end up with inexplicable "bugs" in 3PD software which are not bugs, they are actually misconfigurations of your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
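As an added illustration of the hand-written approach described above for the Referrer-Policy and Permissions-Policy headers (this is not Admin Tools' .htaccess Maker output; the page path /support/urgent-request is an assumed placeholder, and an Apache 2.4 host with mod_headers is assumed):

```apache
# Added example, not generated by Admin Tools' .htaccess Maker.
# Append to the bottom of .htaccess on an Apache 2.4 host with mod_headers.
<IfModule mod_headers.c>
    # Referrer-Policy: send only the scheme and host cross-origin, never the path
    # or query string. An external link tracker that needs the full URL would
    # stop working, so test after enabling it.
    Header always set Referrer-Policy "strict-origin"

    # Permissions-Policy: deny powerful browser features site-wide by default.
    # Every JavaScript file on the site must cope with these being unavailable,
    # otherwise third-party extensions show "bugs" that are really this policy.
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=()"

    # Re-enable geolocation for same-origin scripts only on the one page that
    # needs it, e.g. an urgent, location-specific support request form.
    # The path below is an assumed placeholder; the <If> block is evaluated
    # last, so its "Header set" replaces the site-wide value for that page.
    <If "%{REQUEST_URI} == '/support/urgent-request'">
        Header always set Permissions-Policy "geolocation=(self), camera=(), microphone=(), payment=()"
    </If>
</IfModule>
```

Content-Security-Policy is deliberately absent: as explained above, a nonce-based CSP must change on every response and be echoed into each inline script tag, which a static .htaccess cannot do.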

jjst135

Hi Nicholas,

Thanks for getting back to me on this with a clear reply.

For our Joomla3 sites we'll just leave the Content-Security-Policy (CSP) header for what it is and wait and see what J4 will do with this.

Permissions Policy: If I understand it correctly this would only be beneficial in certain use cases and will need to be added to the .htaccess of the sites we somehow would need this on. I have not had any use case for this as far as I know.

Again, thanks for explaining!
