enhance: Introduce CSP #9863

Draft
wants to merge 7 commits into base: develop

Conversation

@Ry0taK (Contributor) commented Feb 10, 2023

What

  • Split every place that used inline scripts into separate files so that CSP can be introduced
  • Replace all inline event handlers
  • Send the Content-Security-Policy header
  • Allow the contents sent in the CSP header to be specified in the configuration

Why

  • When an XSS exists, mitigate its impact to some extent

TODO

  • Make the Captcha-related JavaScript usable
    • Should be done
  • Check whether there are other places that create script tags with document.createElement
    • MkTagCloud: it only loads /client-assets/tagcanvas.min.js, so it looks fine
  • Check whether there are other places that use inline event handlers
    • Searched with [^\w\-/]on\w+= and found none
  • Exercise every feature in report-only mode and check whether anything is reported
    • Apply test.patch
    • Posting a note
    • Renote
    • Quote
    • Reply
    • YouTube embed
    • URL preview
    • Displaying the local timeline
    • Displaying the home timeline
    • Displaying the social timeline
    • Various MFM
    • Widgets
      • Profile
      • Instance info
      • Clicker
      • User list
      • AiScript App
      • AiScript console
      • Button
      • Job queue
      • Online users
      • Server metrics
      • Slideshow
      • Post form
      • Instance cloud
      • Federation
      • UNIX clock
      • Digital clock
      • Photos
      • Activity
      • Clock
      • Trends
      • RSS ticker
      • RSS reader
      • Calendar
      • Timeline
      • Notifications
      • Sticky notes
    • Global timeline
    • Notifications
      • All
      • Unread
      • Mentions
      • Direct notes
    • Favoriting a note
    • Favorites tab
    • File upload
    • Note with an image attached
    • Note with a poll attached
    • Note with a content warning
    • Note with a mention
    • Note containing emoji
    • Note with a video attached
    • Drive tab
      • Rename
      • Mark as sensitive
      • Add caption
      • Copy URL
      • Download
      • Delete
    • Explore tab
      • Highlights
        • Notes
        • Polls
      • Users
        • Local
        • Remote
      • Search
        • All
        • Local
        • Remote
    • Announcements tab
      • With image
      • "Got it" button
    • Search tab
    • UI switching
      • Default
      • Deck
        • Add column
          • Main
          • Widgets
          • Notifications
          • Timeline
          • Antenna
          • List
          • Channel
          • Mentions
          • Direct
      • Classic
    • Control panel
      • Dashboard
      • Lookup
      • Users
      • Notes (shows TODO)
      • Files (shows TODO)
      • Instances (shows TODO)
      • Users
        • Lookup
        • Add user
      • Roles
        • Create role
        • Base role
        • Assign/unassign users
        • Edit
        • Delete
        • Base role
          • Toggle buttons
          • Scroll bar
          • Numeric values
        • Custom emoji
          • Upload a file
          • Choose a file from Drive
          • From URL
          • Export
          • Import
          • Remote
        • Federation
        • Job queue
        • Files
        • Announcements
        • Ads
        • Reports
        • General
        • Email server
        • Object storage
        • Security
          • Bot protection
            • hCaptcha preview
            • reCAPTCHA preview
            • Turnstile preview
          • Sensitive media detection
          • Active Email Validation
          • Log IP address
          • Summaly Proxy
        • Relays
        • Instance blocking
        • Proxy account
        • Database
      • Chat
        • Send a message
        • Send an image
      • Lists
        • Create
        • Add user
        • Rename
        • Delete
      • Antennas
        • Create
        • Update
        • Delete
      • Pages
        • Page settings
          • Create
          • Eyecatch image
        • Content
          • Text
          • Section
          • Image
          • Note embed
        • Page display
        • Misskey Play
          • Popular
          • My Plays
          • Liked Plays
          • Create
          • Run
        • Gallery
          • Gallery
          • Liked posts
          • My posts
          • Create post
          • Edit
          • Delete
          • Share
          • Note
        • Clips
          • Create
          • Delete
        • Channels
          • Trending
          • Following
          • Managed
        • Achievements
        • Reload button
      • Settings
        • Profile
        • Privacy
        • Reactions
        • Drive
        • Notifications
        • Email
        • Security
        • General
          • Custom CSS
          • Deck
        • Theme
        • Navigation bar
        • Status bar
        • Plugins
        • Import and export
        • Instance mute
        • Mutes and blocks
        • Word mute
        • API
          • API console
        • Webhook
        • Other
          • Account info
          • Registry
        • Settings backup
        • Clear cache
        • Log out
    • cli
    • flush
  • Test results
{"csp-report":{"document-uri":"http://localhost:3000/","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self' https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; base-uri 'self'; object-src 'self'; report-uri /csp-testing","disposition":"report","blocked-uri":"eval","line-number":10660,"column-number":26,"source-file":"http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js","status-code":200,"script-sample":""}}

Notes

  1. On hCaptcha's CSP requirements: https://docs.hcaptcha.com/#content-security-policy-settings
  2. On Turnstile's CSP requirements: https://developers.cloudflare.com/turnstile/frequently-asked-questions/#how-does-content-security-policy-need-to-be-configured-for-turnstile
  3. On reCAPTCHA's CSP requirements: https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website.-how-can-i-configure-it-to-work-with-recaptcha

Tests

  • base check
  • note check
  • cli check
  • flush check
  • reCAPTCHA v2
  • reCAPTCHA v3
  • hCaptcha
  • Turnstile
  • MkTagCloud
  • Reload button shown when an error occurs

Additional info (optional)

Closes #9848

@github-actions github-actions bot added the packages/backend Server side specific issue/PR label Feb 10, 2023
@acid-chicken acid-chicken marked this pull request as ready for review February 10, 2023 10:13
@acid-chicken acid-chicken marked this pull request as draft February 10, 2023 10:13
Because vuedraggable uses new Function in exactly one place after minification, 'unsafe-eval' had to be added.
Although it carries the "unsafe" label, it is not a problem as long as user input is not passed directly to eval(), Function(), and the like.

@acid-chicken (Member) commented:

Because vuedraggable uses new Function in exactly one place after minification, 'unsafe-eval' had to be added.
Although it carries the "unsafe" label, it is not a problem as long as user input is not passed directly to eval(), Function(), and the like.

Note: it appears to be used only in the globalThis polyfill, so forking and rebuilding should make it possible to remove the FunctionConstructor.

@Ry0taK (Contributor, Author) commented Feb 10, 2023

https://github.com/webpack/webpack/blob/c181294865dca01b28e6e316636fef5f2aad4eb6/lib/runtime/GlobalRuntimeModule.js#L29

Reading this, it looks like the exception for the case where CSP is enabled is also handled(?), so unsafe-eval may actually not be needed.

@acid-chicken (Member) commented:

Reading this, it looks like the exception for the case where CSP is enabled is also handled(?), so unsafe-eval may actually not be needed.

I think it is probably fine to drop unsafe-eval (if anything, it might be worth running Content-Security-Policy and Content-Security-Policy-Report-Only side by side for a while to roughly enumerate the violations).
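
An added example (not code from this PR or from Misskey) of the two pieces this thread is working through: building the enforced/report-only header pair suggested in the comment above, and collapsing a csp-report log like the test results in the PR description into one line per distinct violation. The directive lists mirror the policy string in those reports; the sample report lines, including the inline-script one and the two malformed lines, are constructed.

```javascript
// Added example, not code from the Misskey PR. Directive lists mirror the
// policy string in the csp-report test results above.
const cspConfig = {
  'script-src': [
    "'self'",
    'https://challenges.cloudflare.com',
    'https://hcaptcha.com',
    'https://*.hcaptcha.com',
    'https://www.google.com/recaptcha/',
    'https://www.gstatic.com/recaptcha/',
    'https://www.recaptcha.net/recaptcha/',
  ],
  'base-uri': ["'self'"],
  'object-src': ["'self'"],
};

// Serialise a directive map into a policy string; report-uri is appended so
// the browser POSTs violations back (the /csp-testing endpoint in the reports).
function buildPolicy(config, reportUri) {
  const parts = Object.entries(config).map(([name, values]) => `${name} ${values.join(' ')}`);
  if (reportUri) parts.push(`report-uri ${reportUri}`);
  return parts.join('; ');
}

// The header pair suggested in the thread: enforce the policy the PR currently
// needs (with 'unsafe-eval' for vuedraggable) while the stricter policy without
// it runs in report-only mode, so violations are logged but nothing breaks.
function buildHeaders(config, reportUri) {
  const enforced = { ...config, 'script-src': [...config['script-src'], "'unsafe-eval'"] };
  return {
    'Content-Security-Policy': buildPolicy(enforced, reportUri),
    'Content-Security-Policy-Report-Only': buildPolicy(config, reportUri),
  };
}

// Parse one csp-report JSON line into the fields worth triaging; returns null
// for lines that are not well-formed reports.
function parseReport(line) {
  let obj;
  try { obj = JSON.parse(line); } catch { return null; }
  const r = obj && obj['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') return null;
  return {
    directive: r['effective-directive'] || r['violated-directive'],
    blocked: r['blocked-uri'] || '',
    source: r['source-file'] || '',
    line: r['line-number'] ?? null,
    document: r['document-uri'] || '',
  };
}

// Collapse a report log into one entry per distinct (directive, blocked-uri,
// source-file, line), counting repeats and listing the pages they came from.
function summariseReports(lines) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseReport(line);
    if (r === null) continue;
    const key = [r.directive, r.blocked, r.source, r.line].join('|');
    const g = groups.get(key) || { ...r, count: 0, documents: new Set() };
    g.count += 1;
    g.documents.add(r.document);
    groups.set(key, g);
  }
  return [...groups.values()].map(g => ({ ...g, documents: [...g.documents].sort() }));
}

// Constructed sample log: the eval violation from the test results on three
// pages, a made-up inline-script violation, and two lines that are not reports.
const VUEDRAGGABLE = 'http://localhost:3000/vite/node_modules/.vite/deps/vuedraggable.js';
function sampleReport(doc, blocked, source, line) {
  return JSON.stringify({ 'csp-report': {
    'document-uri': doc, referrer: '', 'violated-directive': 'script-src',
    'effective-directive': 'script-src', 'original-policy': buildPolicy(cspConfig, '/csp-testing'),
    disposition: 'report', 'blocked-uri': blocked, 'line-number': line, 'column-number': 26,
    'source-file': source, 'status-code': 200, 'script-sample': '',
  } });
}
const SAMPLE_REPORTS = [
  sampleReport('http://localhost:3000/', 'eval', VUEDRAGGABLE, 10660),
  sampleReport('http://localhost:3000/explore', 'eval', VUEDRAGGABLE, 10660),
  sampleReport('http://localhost:3000/', 'eval', VUEDRAGGABLE, 10660),
  sampleReport('http://localhost:3000/', 'inline', 'http://localhost:3000/', 12),
  '{"not":"a csp report"}',
  'garbage',
];

console.log(buildHeaders(cspConfig, '/csp-testing'));
console.table(summariseReports(SAMPLE_REPORTS));
```

The summary reduces the 37 near-identical reports in the PR description to a single eval/vuedraggable row with a page list, which is the shape a reviewer needs when deciding whether a directive can be tightened.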

@Ry0taK (Contributor, Author) commented Feb 10, 2023

I think it is probably fine to drop unsafe-eval (if anything, it might be worth running Content-Security-Policy and Content-Security-Policy-Report-Only side by side for a while to roughly enumerate the violations).

I'll try it tomorrow!

@Ry0taK (Contributor, Author) commented Feb 11, 2023

Murakami-san of misskey.io has kindly agreed to provide CSP-related logs, so I'm planning to first enable only Content-Security-Policy-Report-Only on misskey.io, check the logs, and then enable Content-Security-Policy!

@tamaina (Contributor) commented Apr 14, 2023

@Ry0taK Do you intend to take this out of Draft?

@Ry0taK (Contributor, Author) commented Apr 14, 2023

@tamaina
I'm busy at the moment and haven't been able to work on this, but since some features will stop working unless the TODO items are implemented, and additional testing is required after the implementation, the Draft status can't be removed until those are done (if someone is willing to take this over I'd be glad to hand it off, but I intend to resume work as soon as I can find the time).

Successfully merging this pull request may close these issues.

Introduce CSP