I use sobelow to highlight potential security issues, and the latest version has started warning if no content-security-policy header is set. I fixed that by adding a custom header:
However, this has stopped channels from working. I’ve tried adding various versions of ws://localhost:4000 and the like, but with no success.
Does anyone have a working CSP header for use with channels?
For bonus points, what’s the best way to get the hostname to use in the policy, assuming it needs to be different in production? I could just set a config value in the environment, but is it already available somewhere?
You can pull this information from the conn. There may be a better way to do this… for example, there is no check to see if the endpoint is/should be wss.
def ws_url(conn) do
endpoint = Phoenix.Controller.endpoint_module(conn)
%{endpoint.struct_url | scheme: "ws"} |> URI.to_string()
end
Have you tried connect-src? Apparently you must define it for each scheme you use. More information here.
This was really helpful Kerry, thank you. With respect to the Sobelow warnings, did you just suppress this warning because the plug you wrote covers it? I’m able to use your plug to add a content-security-policy, but it does not pass Sobelow’s test.
Just wanted to comment on this, if someone else stumbles across this thread looking for help on fixing sobelow warning about config.CSP even though you’re setting it:
$ mix sobelow -d Config.CSP
# ...
Missing Content-Security-Policy is flagged by sobelow when a pipeline
implements the :put_secure_browser_headers plug, but does not provide a
Content-Security-Policy header in the custom headers map.
# ...
You can obviously set headers in different places, so sobelow is just looking that if you have a pipeline that calls plug :put_secure_browser_headers in your Router, that you also include a map with %{"Content-Security-Policy" => "..."} so it should look like this:
@iautom8things thanks for adding your reply! If one were to use the map like you suggested, what would folks suggest the contents to be?
When it comes to security I always defer to public and discussed solutions, since incorrect in-house solutions are usually the ones that end up failing and causing vulnerabilities.
Thanks for discussing these things in public, the community always benefits from these discussions.