fmaury/seirdy.one
1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-09-19 20:02:10 +00:00
Code Issues Projects Releases Wiki Activity

New page: CSP bug reproduction

Browse source 
Should help me file bug reports when things get broken by my site.
This commit is contained in:
Rohan Kumar 2022-11-10 18:04:00 -07:00
parent 861f421724
commit 31aa78fef4
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479
1 changed files with 109 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

109
content/meta/csp-bug-reproduction.md Normal file
View file

@ -0,0 +1,109 @@
---
outputs:
- html
title: "CSP bug reproduction"
date: "2022-11-10T18:05:00-08:00"
description: "A demonstration page to help diagnose Content-Security-Policy issues in browser software."
---
If you're on this page, chances are you followed a link from a Content-Security-Policy (<abbr>CSP</abbr>)-related bug report. This page should help diagnose the offending part of the <abbr>CSP</abbr>.
I made this page because [I noticed my site breaking browser software]({{<relref "/notes/things-my-site-breaks.md">}}), and wanted to fix said software.
What this page demonstrates
---------------------------
This is a test page that demonstrates the following Content-Security-Policy (<abbr>CSP</abbr>):
```
default-src 'none' 'report-sample';img-src 'self';style-src 'sha256-7cS8Hu9ov7dRhfioeeb9J8mtB9/iLLpVIZsMM+BJUcs=' 'report-sample';frame-ancestors 'none';base-uri 'none';form-action https://seirdy.one/webmentions/receive https://seirdy.one/search/;manifest-src 'self';sandbox allow-same-origin allow-scripts allow-forms;report-uri https://collector.seirdy.one;connect-src https://collector.seirdy.one
```
Here's a multi-line version, to reduce horizontal scrolling:
```
default-src 'none' 'report-sample';
img-src 'self';
style-src 'sha256-HASH' 'report-sample';
frame-ancestors 'none';
base-uri 'none';
form-action https://seirdy.one/webmentions/receive https://seirdy.one/search/;
manifest-src 'self';
sandbox allow-same-origin allow-scripts allow-forms;
report-uri https://collector.seirdy.one;
connect-src https://collector.seirdy.one
```
How to use this page
--------------------
All pages on my site contain a strict <abbr>CSP</abbr>. Most pages on my site have a <abbr>CSP</abbr> containing a `sandbox` directive that does **not** specify the `allow-scripts` parameter. Here's the CSP for most of my other pages, such as my homepage:
```
default-src 'none';
img-src 'self';
style-src 'sha256-HASH';
frame-ancestors 'none';
base-uri 'none';
form-action https://seirdy.one/webmentions/receive https://seirdy.one/search/;
manifest-src 'self';
upgrade-insecure-requests;
sandbox allow-same-origin allow-forms
```
This page has a <abbr>CSP</abbr> that differs in three ways:
- It includes a reporting endpoint
- It specifies an `allow-scripts` parameter on its `sandbox` directive
- It removes `upgrade-insecure-requests`.[^1]
Additionally, I have a 404 page that includes a blank `sandbox` directive (i.e., it has no parameters such as `allow-same-origin`).
Some browser software breaks upon encountering strict <abbr>CSPs</abbr>. It's difficult to pinpoint whether the offending CSP directive is a fetch directive (`default-src`, `script-src`, `style-src`, etc.), or if it's the `sandbox` directive without `allow-scripts`.
Try reproducing the bug on the following pages:
1. [This page's canonical location](https://seirdy.one/meta/csp-bug-reproduction/)
2. [My homepage](https://seirdy.one/)
3. <a href="https://seirdy.one/sample-404/" rel="nofollow">My 404 page</a>
Note the following:
- If you can reproduce the bug on all three pages: the offending directive is probably a fetch directive.
- If you can _not_ reproduce the bug on this page, but _can_ reproduce the bug on my homepage and my 404 page: the offending directive is a `sandbox` directive that blocks scripts (no `allow-scripts` present).
- If you can only reproduce the bug on my 404 page: the offending directive is `sandbox` without `allow-same-origin`.
Other places to test
--------------------
Here are some more sites with very strict <abbr>CSPs</abbr> containing `sandbox` directives:
- [meh.is](https://meh.is/)
- [sysrq.in](https://sysrq.in/en/)
- [artemislena.eu](https://artemislena.eu/)
- [mdleom.com](https://mdleom.com/)
If you feel the need to regularly test a specific CSP, I recommend using netcat. In a <abbr>UNIX</abbr>-like environment, save this to an executable file and run it:
```
#!/bin/sh
set -e -u
while true; do echo "\
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; upgrade-insecure-requests; sandbox
<!DOCTYPE html>
<html><body>poggers</body></html>\
" | nc -l 8000; done
```
You'll get a plain page with the specified CSP on port 8000. Edit as you see fit.
[^1]: I removed `upgrade-insecure-requests` so that my Tor onion service could have the same <abbr>CSP</abbr> as this page. The onion service does not support TLS: TLS on onion services is redundant, and no certificate authority offers free <samp>.onion</samp> certificates.