Set the form-action directive in the report-only CSP
#15554
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #15554 +/- ##
=======================================
Coverage 79.06% 79.06%
=======================================
Files 160 160
Lines 8355 8356 +1
=======================================
+ Hits 6606 6607 +1
Misses 1749 1749 ☔ View full report in Codecov by Sentry. |
robhudson
changed the title
form-action direction in the report-only CSPform-action directive in the report-only CSP
bedrock/settings/__init__.py
Outdated
| @@ -127,6 +127,7 @@ | |||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE] | |||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE] | |||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["style-src"].remove(csp.constants.UNSAFE_INLINE) | |||
| CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["form-action"] = [csp.constants.SELF, BASKET_URL, FXA_ENDPOINT] | |||
There was a problem hiding this comment.
question: FXA_ENDPOINT has a trailing slash and BASKET_URL does not. Is that gonna cause any wrinkles or is CSP smart enough to strip trailing slashes?
There was a problem hiding this comment.
Thanks for noticing that. The browser, from what I've read, doesn't really differentiate, so this should be fine. But I'm a fan of consistency so perhaps I'll add some trailing slash stripping.
There was a problem hiding this comment.
NB: The slash has a function in CSP wrt to being a path component (i.e. an implicit wildcard after it) or not.
There was a problem hiding this comment.
There was a problem hiding this comment.
Looking at the CSP path-part-match rules more closely...
- With
https://example.com/in our CSP, a form submit tohttps://example.com/matches. - With
https://example.comin our CSP (no path), a form submit tohttps://example.com/matches, since when split on'/', the path is empty string.
And vice-versa for the form submit to the non-slash URL.
Focusing on the BASKET_URL, however, reading the path-part-match rules @janbrasna mentioned, we would want the trailing slash for the basket URL. Without the trailing slash it is in "exact match" mode and a form submit to an actual path would fail. In the comment above I was just looking at the FXA_ENDPOINT in our code where we don't use any path.
So the slash is important, just not necessarily if we're submitting to "" vs /.
@janbrasna - does that "match" your understanding of it?
There was a problem hiding this comment.
I'm working on adding some more basket APIs under /api/. So I'd probably keep that one at the root level for now. Then again, the ones under /api/ are more for javascript, not form submits.
There was a problem hiding this comment.
Updated the basket URL to {BASKET_URL}/news/. This change ensures that CSP's path-part matching rules allow any endpoint under this URL (e.g., {BASKET_URL}/news/subscribe/) to be valid as a form action, instead of requiring an exact match.
There was a problem hiding this comment.
Looking at this in context of #15787 — even if that's a JSON-only API, it still formally uses form's action; so thinking about how important It would be to support submitting that form (in nonJS, or in case the JS loading fails etc.; to still allow users to recover(?)…)
There was a problem hiding this comment.
@alexgibson Any thoughts on the progressive enhancement Jan mentions above?
Summary:
- Setting
form-actionallows the form to submit to these endpoints. Currently, if the PR in 15787 lands, that changes the form action endpoint to one that isn't in this PR. That wasn't intentional but does bring up the point. - The
form-actiondoesn't affect javascript submitting the form to an endpoint --connect-srcdoes and all of basket is already supported there.
My assumption is we do appreciate progressive enhancement although I think we depend on JS for newsletter management. And I would add the new API URL to form-action here if #15787 lands first.
There was a problem hiding this comment.
@robhudson the current version of the newsletter recovery form does work with JS disabled, however it's not really a great user experience, and the newsletter management form itself (which this form leads directly to) already relies on JS to function. So progressive enhancement here is not really a huge concern imho.
Perhaps we should add a message for users with JS disabled to #15787, similar to how we do for the management center? (I'll take a look at that PR next too).
robhudson
force-pushed
the
csp-form-action
branch
from
572113c to
e920900
Compare
robhudson
force-pushed
the
csp-form-action
branch
from
e920900 to
5b63712
Compare
Summary
This PR introduces the
form-actiondirective to the report-only Content Security Policy (CSP) header. The goal is to test and evaluate its compatibility before eventually applying it to the enforced CSP header. Theform-actiondirective restricts where forms on the site can send their data upon submission, adding an additional layer of security to prevent potential vulnerabilities.Why
form-actionis Important for SecurityThe
form-actiondirective is a key security measure designed to mitigate attacks that exploit form submissions, such as:By specifying trusted domains or paths for form submissions,
form-actionensures that forms behave only as intended and cannot be abused for unauthorized data capture.Next Steps
form-action.References
MDN Documentation on
form-actionI used an AI to write some of this code.
Issue / Bugzilla link
#15553 (from #11943)
Testing
form-actiondirective in the report-only CSP header locally.DEBUG=False- CSP headers aren't added while in DEBUG modeCSP_RO_REPORT_URI=/csp-violation- the report-only header will only be added if this is set.