Security with HTTP headers (Content-Security-Policy, XSS etc)

[benjaoming]

Hi all 👋

Thanks for an amazing project 😍

I'm wondering about the following: Let's say that there is a security hole in phanpy and it's possible to sneak in a piece of JavaScript from another site. A so-called XSS vulnerability. In general, these can leave the localStorage open to attackers.

I suppose that this can leak access tokens to all logged in instances.

Would it be possible to add some protection against such attacks by disallowing specific things?

I'm thinking about HTTP headers such as the ones in this example here: https://gist.github.com/ambroisemaupate/bce4b760405558f358ae

(better examples may be found)

Does anyone have a working setup that restricts this? Or any other hints for defining one?

Cheers!

[cheeaun]

Let's say that there is a security hole in phanpy and it's possible to sneak in a piece of JavaScript from another site.

Honestly, the moment an external piece of JS is injected, nothing is safe, not just localStorage.

I suppose that this can leak API keys to all logged in instances.

There's no account-related API keys on Phanpy. The Mastodon API requires access tokens which will only work per-instance.

[benjaoming]

I've updated the description: API keys => access token

Most software eventually suffer from different kinds of security issues. Security Headers should help with some extra protection against that. For instance, we can define CSP headers for script-src, banning unsafe-eval, which can block lots of attacks.

If a page has a CSP header and 'unsafe-eval' isn't specified with the script-src directive, the following methods are blocked and won't have any effect

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

I can try to add these headers and see how it goes 👍

[benjaoming]

I'm trying to restrict things (and it seems to work), but so far the only error I see is actually also the same when I run from localhost:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://my.mastodon.server.com/system/cache/accounts/avatars/109/382/183/300/429/586/original/12341234144243.jpeg. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

It seems like things are being blocked (by Firefox) and retried and then succeed. This error is the same without my Nginx headers added... it seems like it's always been an issue (albeit requests still succeed after being retried)?

I've tried defining ‘Access-Control-Allow-Origin’ on the localhost Nginx, and the header is correctly sent to the browser. But the errors keep happening.

Is this related to something in Phanpy's configuration?

Would love a tip, if this is something you already know about ❤️

[benjaoming]

After a bit of pondering, I'm supposing this is a misconfiguration in the Mastodon instance that I'm using... it should define Access-Control-Allow-Origin: to somehow allow all requests for image files.

[benjaoming]

I think it's implicitly stated here that a Mastodon instance should allow all origins in its CDN:

https://docs.joinmastodon.org/admin/config/#cdn

[benjaoming]

Trying to see if I can get the Mastodon instance updated and returning with more info ⏳