Security concern regarding CSP and phpBB

General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Rogerjwilkinson
Registered User
Posts: 1
Joined: Sun Feb 11, 2018 2:27 am

Security concern regarding CSP and phpBB

Post by Rogerjwilkinson »

I would like to raise the current issue to the development and security team, as identified in the following thread:

https://www.phpbb.com/community/viewtop ... &t=2446506

There's a discussion ongoing there that covers the issue entirely - It was suggested I bring it to people's attention here linking to that thread.

I look forward to a response. Thank you.

hanakin
Front-End Dev Team Lead
Posts: 968
Joined: Sat Dec 25, 2010 9:02 pm

Re: Security concern regarding CSP and phpBB

Post by hanakin »

Thanks for the information, it looks interesting if I am understanding this correctly. In essence it's whitelisting of domains, server request methods, content types, protocols etc... to prevent malicious efforts via the use of HTTP headers https://github.com/twitter/secureheaders#default-values.

This may not be possible in prosilver without making several breaking changes, especially to the JS, so it may have to wait until the new theme to fully handle it, but there is also the issue with extensions requiring custom JS/CSS that may break these rules and no longer work. Also, we would need to force it from the backend to ensure all themes have it. With that said, should there be any sort of ability to customize it? https://github.com/BePsvPT/secure-headers

Nicofuma
3.2 Release Manager
Posts: 299
Joined: Sun Apr 13, 2014 1:40 am
Location: Paris

Re: Security concern regarding CSP and phpBB

Post by Nicofuma »

Handling CSP in a software like phpBB while still allowing third party extensions and themes is really challenging.
CSP is already hard when you control everything in the website, but with extensions... we would have to expose something to let extension and theme authors specify what they need, but it also means they would have to master CSPs... tbh I don't really see how it could be doable

EDIT: we could limit ourselves to the simpler rules but... a lot of effort for not that much
Member of the phpBB Development-Team
No Support via PM

CHItA
Development Team
Posts: 169
Joined: Thu Mar 12, 2015 1:43 pm
Location: Budapest, Hungary

Re: Security concern regarding CSP and phpBB

Post by CHItA »

I'm not quite sure, based on the topic you linked, what feature set would qualify as a solution to this problem, so I'm not sure if the following answers any of your questions. That said, I think the best we could do is removing all the inline JS and CSS (which we should do anyway). From that point on, it gets rather complicated to handle CSP rules even for the functionality we have built in (e.g. you could add some audio/video BBCodes, and we would somehow have to come up with a system to handle that). So I would think it would be a reasonable goal to make it as easy as possible for people to make phpBB compatible with such policies. However, I'm not quite sure if it is a good idea to have phpBB handle the headers, as probably most admins who would set up such policies would do that in the server config file anyway, so they only need to do it once, or at least have all settings in the same place.

AmigoJack
Registered User
Posts: 110
Joined: Wed May 04, 2011 7:47 pm
Location: グリーン ヒル ゾーン

Re: Security concern regarding CSP and phpBB

Post by AmigoJack »

Isn't the concept of CSP to yield/alert any time accesses happen that aren't known to you? Whatever you missed will now get your attention; the more exceptions you make, the less sense it makes to use CSP to begin with. I set this up on a maintained 3.0 installation including inline scripts, and I'm glad every internet browser supporting CSP will rather refuse to render a page which violates the rules, because that might mean unknown (read: unwanted) content is involved (ads, malware, trackers...). If people already concluded that accessing third party resources is no problem then they can also ignore CSP.
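The two previous posts both turn on how a browser decides what a policy blocks: inline scripts without a nonce, an extension's third-party script, and resources a forgotten directive leaves to the default-src fallback. The toy evaluator below is an added example, not code from phpBB or from anyone in this thread; it parses a Content-Security-Policy header and reports which loads of a constructed forum page a browser would refuse. The policy, the origin forum.example.test and the resource URLs are all constructed for the example, host matching ignores ports and paths, and hash sources are recognised but not verified.

```python
"""Toy Content-Security-Policy evaluator (added example, not phpBB code).

Parses a CSP header, applies the default-src fallback, and decides whether a
resource load or an inline script would be permitted. Simplifications: paths
and ports are ignored, and hash sources disable 'unsafe-inline' but are not
verified against content.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "connect-src", "frame-src", "object-src",
}


def parse_csp(header):
    """Split 'name src src; name src' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_list(policy, directive):
    """Governing source list for a directive, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):          # *.example.com matches any subdomain
        return host.endswith(pattern[1:])
    return pattern == host


def allows_source(policy, directive, url, page_origin):
    """Would a resource at `url` load under `directive`? page_origin = (scheme, host)."""
    sources = source_list(policy, directive)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    target = urlparse(url)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.hostname) == page_origin:
                return True
        elif src == "*":                  # matches everything except data/blob/filesystem
            if target.scheme not in ("data", "blob", "filesystem"):
                return True
        elif src.endswith(":"):           # scheme-source such as https: or data:
            if target.scheme + ":" == src.lower():
                return True
        elif not src.startswith("'"):     # host-source, optionally with a scheme
            scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
            host = rest.split("/")[0].split(":")[0]
            scheme_ok = (not scheme or target.scheme == scheme.lower()
                         or (scheme.lower() == "http" and target.scheme == "https"))
            if scheme_ok and _host_matches(host, target.hostname or ""):
                return True
    return False


def allows_inline(policy, directive, nonce=None):
    """Would an inline <script>/<style> run? A nonce or hash disables 'unsafe-inline'."""
    sources = source_list(policy, directive)
    if sources is None:
        return True
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if nonce is not None and nonce in nonces:
        return True
    if nonces or hashes:
        return False                      # CSP2+: 'unsafe-inline' is ignored alongside nonces/hashes
    return "'unsafe-inline'" in [s.lower() for s in sources]


def violations(policy, page_origin, loads):
    """Loads a browser would block; each load is (directive, url or None, nonce)."""
    blocked = []
    for directive, url, nonce in loads:
        ok = (allows_source(policy, directive, url, page_origin) if url
              else allows_inline(policy, directive, nonce))
        if not ok:
            blocked.append((directive, url or "inline"))
    return blocked


# Constructed policy of the kind an admin might set in the web server config.
EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-d2f1c0'; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' https: data:; "
    "media-src https://*.youtube.com; "
    "report-uri /csp-report"
)
PAGE_ORIGIN = ("https", "forum.example.test")   # constructed origin

# Constructed loads as a forum page with one extension might issue them.
EXAMPLE_LOADS = [
    ("script-src", "https://forum.example.test/assets/javascript/core.js", None),
    ("script-src", None, "d2f1c0"),                            # templated inline script with nonce
    ("script-src", None, None),                                # inline script without nonce
    ("script-src", "https://cdn.example.net/widget.js", None), # extension's third-party JS
    ("img-src", "https://i.example.org/avatar.png", None),
    ("media-src", "https://www.youtube.com/embed/xyz", None),  # video BBCode
    ("font-src", "https://fonts.example.net/a.woff2", None),   # no font-src, so default-src applies
]


def example_violations():
    return violations(parse_csp(EXAMPLE_POLICY), PAGE_ORIGIN, EXAMPLE_LOADS)


if __name__ == "__main__":
    for directive, what in example_violations():
        print(f"blocked by {directive}: {what}")
```

Run as a script it lists three blocked loads: the inline script without a nonce, the extension's CDN script, and the web font, the last one because font-src is unset and default-src 'self' governs it. Deployed as Content-Security-Policy-Report-Only, a real browser would send exactly these cases to the report-uri instead of blocking them, which is the usual way to discover what an existing board and its extensions actually load before enforcing a policy.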
