unocha/ocha_security

Installs: 254

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 4

Forks: 0

Open Issues: 0

Type: drupal-module

v1.0.1 2022-06-01 09:48 UTC

This package is auto-updated.

Last update: 2024-11-29 06:36:04 UTC


README

This is primarily a helper for the seckit module. More security-related fixes that apply to all sites would be welcome.

CSP rules are a bit confusing. Add to or improve these notes if they add to the confusion rather than reduce it.

Seckit module helper.

Prepares hashes, or a nonce for logged-in users, so that CSP protection can be applied to scripts. Requires the seckit module, with this patch. (Note: the patch might soon be replaced; check the status on the ticket.)

This is necessary to avoid a 'script-src' directive that allows 'unsafe-eval' or 'unsafe-inline': either keyword lets injected script run, which undermines the point of using the seckit module.

Note that it is still recommended to include 'unsafe-inline' alongside a nonce or a hash. Browsers that only implement CSP level 1 do not understand nonce or hash sources and fall back to 'unsafe-inline'; browsers that implement CSP level 2 or later ignore 'unsafe-inline' as soon as a nonce or hash source is present in the directive, so the fallback costs nothing there. (The reference for this is not the best.)

For logged-in users, where the page is not cached, a nonce (Number used ONCE) must be generated afresh, from a cryptographic random source, for each response; the same nonce is then placed on every script element in that response and listed in the directive as 'nonce-<value>'. A nonce that is predictable, or that is reused across responses, hands an attacker who can inject markup exactly the value they need, which is why a nonce must never end up in a cached page.

For anonymous users, where the page is cached, a hash must be created for each separate script. Inline scripts use a hash of the script itself; attached files use a hash of the filename. These can be re-used across requests because they do not depend on the request. Note that browsers match a hash source only against script content: for an inline script, the exact bytes between the opening and closing tags (so any whitespace or template change breaks the match), and for an external file, the file's own contents, and then only in browsers that implement CSP level 3 hashing of external scripts via the integrity attribute.

This adds hashes or a nonce to script elements, assets and attachments, and the same to the CSP directives.

Notes

@todo Find a resource to explain what Drupal means by 'element', 'asset' and 'attachment'.

Adds a nonce to, or creates a hash for, scripts at three points:

- Elements (via a pre-render hook): src/Element/OchaSecurityHtmlPreRender.php
- Assets: src/Asset/OchaSecurityAssetResolver.php
- Attachments: ocha_security_page_attachments_alter()

Also sets the SameSite=Lax attribute on the session cookie, in src/Session/OchaSecuritySessionConfiguration.php. Chromium-based browsers now treat a cookie without a SameSite attribute as Lax by default, but that default is not universal across browsers, so setting it explicitly is still worthwhile.

Hashes and nonces require extra work - they "are only intended for cases where removing inline scripts is not an option" (source). We might consider using only hashes and caching them.

'strict-dynamic' makes browsers that implement CSP level 3 ignore the host allowlist (including 'self') from the seckit configuration for 'script-src'; such browsers trust only scripts that carry a valid nonce or hash, plus any scripts those trusted scripts themselves insert in a non-parser-inserted way (for example via document.createElement). Browsers that only implement level 2 ignore 'strict-dynamic' and keep using the allowlist. So a nonce or hash is necessary for every script, and the allowlist can stay in the configuration as the fallback for older browsers.
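As an added illustration of the nonce and hash handling described in the notes above (per-request nonce for uncached pages, per-script hash for cached pages) and of how 'unsafe-inline' and 'strict-dynamic' coexist in one directive, here is example code. It is not part of ocha_security or seckit; it is plain PHP with no Drupal APIs, and every function name and the sample scripts are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from ocha_security or seckit. Plain PHP, no Drupal
// APIs; every function name and the sample scripts below are this example's own.

/** Per-response nonce: 128 random bits, base64 (the encoding the nonce grammar expects). */
function example_csp_nonce(): string {
  return base64_encode(random_bytes(16));
}

/** Hash source for an inline script: sha256 over the exact bytes between the tags. */
function example_csp_hash_source(string $script_body): string {
  return "'sha256-" . base64_encode(hash('sha256', $script_body, true)) . "'";
}

/**
 * Assemble the script-src directive. Which part each browser generation honours:
 *  - nonce/hash sources: CSP level 2 and later (level 1 browsers ignore them);
 *  - 'unsafe-inline': level 1 only; level 2+ ignore it once a nonce or hash
 *    source is present, so it is a harmless fallback;
 *  - host sources such as 'self': level 1 and 2; level 3 ignores them once
 *    'strict-dynamic' is present;
 *  - 'strict-dynamic': level 3 only; level 2 browsers ignore it.
 */
function example_script_src(array $nonce_or_hash_sources, array $host_sources = ["'self'"]): string {
  $sources = array_merge(["'strict-dynamic'"], $nonce_or_hash_sources, $host_sources, ["'unsafe-inline'"]);
  return 'script-src ' . implode(' ', $sources);
}

/** Uncached page (logged-in user): one fresh nonce, stamped on every script element. */
function example_render_uncached(array $inline_scripts, array $script_files): array {
  $nonce = example_csp_nonce();
  $attr = 'nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';
  $html = '';
  foreach ($inline_scripts as $body) {
    $html .= "<script $attr>$body</script>\n";
  }
  foreach ($script_files as $src) {
    $html .= "<script $attr src=\"" . htmlspecialchars($src, ENT_QUOTES) . "\"></script>\n";
  }
  return ['html' => $html, 'script_src' => example_script_src(["'nonce-$nonce'"])];
}

/**
 * Cached page (anonymous user): one hash per inline script. The hashes depend
 * only on the script text, so page and policy can be cached together. External
 * files stay on the host list here; a level 3 browser applying 'strict-dynamic'
 * will only run them if a hashed or nonced script inserts them (for example via
 * document.createElement), which this example does not show.
 */
function example_render_cached(array $inline_scripts, array $script_files): array {
  $hashes = [];
  $html = '';
  foreach ($inline_scripts as $body) {
    $hashes[] = example_csp_hash_source($body);
    $html .= "<script>$body</script>\n"; // no attribute needed: the policy itself carries the hash
  }
  foreach ($script_files as $src) {
    $html .= '<script src="' . htmlspecialchars($src, ENT_QUOTES) . "\"></script>\n";
  }
  return ['html' => $html, 'script_src' => example_script_src(array_values(array_unique($hashes)))];
}

/** What a level 2+ browser does with an inline script: rehash it and look for that hash in the policy. */
function example_policy_allows_inline(string $script_src, string $body): bool {
  return in_array(example_csp_hash_source($body), explode(' ', $script_src), true);
}

// Constructed sample input: two inline scripts and one attached file.
$inline = ['window.drupalSettings = {"path":{"baseUrl":"/"}};', 'console.log("ready");'];
$files = ['/core/misc/drupal.js'];

$uncached = example_render_uncached($inline, $files);
echo $uncached['script_src'], "\n";

$cached = example_render_cached($inline, $files);
echo $cached['script_src'], "\n";

// The hash covers exact bytes: compare the result for the script as rendered
// with the result for the same script plus one trailing newline, the kind of
// change a template or minifier tweak introduces without anyone noticing.
var_dump(example_policy_allows_inline($cached['script_src'], $inline[0]));
var_dump(example_policy_allows_inline($cached['script_src'], $inline[0] . "\n"));
```

Run it with `php example.php`. The comments on example_script_src are the reason all four source kinds can sit in one directive: each browser generation ignores the parts it does not understand, or that the specification tells it to ignore, so the outcome is nonce or hash enforcement wherever the browser supports it and the host allowlist only where it does not.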