Security concern regarding CSP and phpBB

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The next feature release of phpBB 3 will be 3.3/Proteus.
Forum rules
Please do not post support questions regarding installing, updating, or upgrading phpBB 3.1. If you need support for phpBB 3.1 please visit the 3.1.x Support Forum on

If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
Post Reply
Registered User
Posts: 1
Joined: Sun Feb 11, 2018 2:27 am

Security concern regarding CSP and phpBB

Post by Rogerjwilkinson » Sun Feb 11, 2018 2:30 am

I would like to raise the current issue to the development and security team, as identified in the following thread: ... &t=2446506

There's a discussion ongoing there that covers the issue entirely - It was suggested I bring it to people's attention here linking to that thread.

I look forward to a response. Thank you.

User avatar
Infrastructure Team
Infrastructure Team
Posts: 822
Joined: Sat Dec 25, 2010 9:02 pm

Re: Security concern regarding CSP and phpBB

Post by hanakin » Sun Feb 11, 2018 6:24 pm

Thanks for the information looks interesting if I am understanding this correctly. In essence its whitelisting of domains, server request methods, content types, protocols etc... to prevent malicious efforts via the use of HTTP headers

This may not be possible in prosilver without making several breaking changes especially to the JS, so may have to wait till the new theme to fully handle, but there is also the issue with extensions requiring custom JS/CSS that may break these rules and no longer work. Also, we would need to force it from the backend to ensure all themes have it, with that said should there be any sort of ability to customize

3.2 Release Manager
3.2 Release Manager
Posts: 298
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Security concern regarding CSP and phpBB

Post by Nicofuma » Sun Feb 11, 2018 10:35 pm

Handling CSP in a software like phpBB while still allowing third party extensions and themes is really challenging.
CSP is already hard when you control everything in the website, but with the extensions.... we would have to expose something to let the extension's and themes authors able to specify what they need but it also means they would have to master CSPs... tbh I don't really see how it could be doable

EDIT: we could limit us to the simpler rules but... a lot of effort for not that much
Member of the phpBB Development-Team
No Support via PM

Development Team
Development Team
Posts: 151
Joined: Thu Mar 12, 2015 1:43 pm
Location: Budapest, Hungary

Re: Security concern regarding CSP and phpBB

Post by CHItA » Sun Feb 11, 2018 11:44 pm

I'm not quite sure based on the topic you linked what feature set would qualify as a solution to this problem, so I'm not sure if the following answers any of your questions. That said, I think the best we could do is removing all the inline JS and CSS (which we should do anyway). From that point on, it gets rather complicated to handle CSP rules even for the functionality we have built in (e.g. you could add some audio/video BBCodes, and we somehow would have to come up with a system to handle that). So I would think it would be a reasonable goal to make it as easy as possible for people to make phpBB compatible with such policies. However, I'm not quite sure if it is a good idea, to have phpBB handle the headers as probably most admins who would set up such policies would do that in the server config file anyway, so they only need to do it onces or at least have all settings at the same place.

Post Reply