Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Content Security Policy headers to all jQuery content sites #54

Closed
1 task done
timmywil opened this issue Jul 4, 2024 · 16 comments · Fixed by #57 or #71
Closed
1 task done

Add Content Security Policy headers to all jQuery content sites #54

timmywil opened this issue Jul 4, 2024 · 16 comments · Fixed by #57 or #71
Assignees
@timmywil
Labels
security Service: Blogs WordPress blogs. Service: Doc sites WordPress doc sites. Service: Miscweb Static sites and redirects.

Comments

@timmywil
Copy link
Member

timmywil commented Jul 4, 2024
edited
Loading

Proposed header value

"default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self';"

This should be tested with a report header first

  • Set up an endpoint that can accept security reports
@timmywil timmywil self-assigned this Jul 4, 2024
@timmywil timmywil added Service: Doc sites WordPress doc sites. security Service: Blogs WordPress blogs. Service: Miscweb Static sites and redirects. labels Jul 4, 2024
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Aug 12, 2024
@timmywil
nginx: add Content-Security-Policy-Report-Only header to all content …
e00a878 
…sites

Fixes jquerygh-54
@timmywil timmywil mentioned this issue Aug 12, 2024
Merged
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Aug 19, 2024
@timmywil
All: add Content-Security-Policy-Report-Only header to all wordpress …
d7b25d7 
…sites

Ref jquery/infrastructure-puppet#54
Ref jquery/infrastructure-puppet#57
@timmywil timmywil mentioned this issue Aug 19, 2024
Merged
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Aug 19, 2024
@timmywil
All: add Content-Security-Policy-Report-Only header to all wordpress …
4ce4448 
…sites

Ref jquery/infrastructure-puppet#54
Ref jquery/infrastructure-puppet#57
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Aug 19, 2024
@timmywil
All: add Content-Security-Policy-Report-Only header to all wordpress …
c16a9ff 
…sites

Ref jquery/infrastructure-puppet#54
Ref jquery/infrastructure-puppet#57
timmywil added a commit to timmywil/infrastructure-puppet that referenced this issue Aug 20, 2024
@timmywil
nginx: add Content-Security-Policy-Report-Only header to all content …
207632b 
…sites

Fixes jquerygh-54
@Krinkle Krinkle mentioned this issue Aug 24, 2024
Merged
Krinkle added a commit to jquery/typesense-minibar that referenced this issue Aug 24, 2024
@Krinkle
demo: Enforce <meta http-equiv="Content-Security-Policy">
e99a052 
Prevent future regressions.

Ref #3.
Ref jquery/infrastructure-puppet#54
Krinkle added a commit to jquery/jquery-wp-content that referenced this issue Aug 24, 2024
@Krinkle
All: Update typesense-minibar to 1.3.4 (CSP compliance)
9960ace 
Ref jquery/infrastructure-puppet#54.
Ref #463.
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Aug 24, 2024
@timmywil
All: add Content-Security-Policy-Report-Only header to all wordpress …
b9e7b71 
…sites

Ref jquery/infrastructure-puppet#54
Ref jquery/infrastructure-puppet#57
@timmywil
Copy link
Member Author

This also depends on jquery/jquery-wp-content#463

Also, the nginx changes are only being deployed to staging atm.

@timmywil timmywil reopened this Aug 24, 2024
@Krinkle
Copy link
Member

Krinkle commented Aug 24, 2024
edited
Loading

@timmywil Of the three changed roles, only grunt has staging. It seems https://stage.gruntjs.com/ is now down. I guess an nginx syntax error?

@timmywil
Copy link
Member Author

After consulting the docs, I don't see anything obviously wrong with the syntax. Instead, I think the issue has to do with the grunt site's use of proxy_pass. The way to address that seems to have changed over the years, but I think moving add_header to the location block will work. Also, we can add always to the end to ensure the header is sent along even in error responses.

@Krinkle Krinkle mentioned this issue Aug 26, 2024
Merged
@Krinkle
Copy link
Member

Krinkle commented Aug 26, 2024
edited
Loading

@timmywil That didn't seem to bring the site back. I tried logging into the droplet, to check its puppet log and nginx error, but it's not responding to SSH.

Looks like something on 22 Aug (two days before your first patch). Could it be a coincidence?

DigitalOcean control panel - gruntjs-02.ops.stage.jquery.net

@Krinkle
Copy link
Member

Krinkle commented Aug 26, 2024
edited
Loading

I've rebooted the instance and the site is now back up. Investigation at #60 (unrelated to this).

@Krinkle Krinkle mentioned this issue Aug 26, 2024
Closed
This was referenced Sep 5, 2024
Merged
Closed
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Sep 11, 2024
@timmywil
All: add Content-Security-Policy-Report-Only header to all wordpress …
333228f 
…sites (#463)

Ref jquery/infrastructure-puppet#54
Ref jquery/infrastructure-puppet#57
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 9, 2024
@timmywil
All: enable CSP report header on production sites
1a47589 
- disable style tag added in WordPress 6.7

Ref jquery/infrastructure-puppet#54
Closes gh-473
This was referenced Dec 14, 2024
Merged
Merged
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
jqueryui.com: add CSP exceptions for themeroller
6897151 
Ref jquery/infrastructure-puppet#54
Ref jquerygh-474
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
releases.jquery.com: fix close button icon during hover/active
8905e99 
Ref jquery/infrastructure-puppet#54
Ref jquerygh-474
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
api.jquery.com: add CSP exception for flickr for /jQuery.getJSON
3d9935c 
Ref jquery/infrastructure-puppet#54
Closes jquerygh-474
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
jqueryui.com: add CSP exceptions for themeroller
0f7a2ba 
Ref jquery/infrastructure-puppet#54
Ref gh-474
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
releases.jquery.com: fix close button icon during hover/active
13a1ba1 
Ref jquery/infrastructure-puppet#54
Ref gh-474
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
api.jquery.com: add CSP exception for flickr for /jQuery.getJSON
239b9f3 
Ref jquery/infrastructure-puppet#54
Closes gh-474
timmywil added a commit that referenced this issue Dec 15, 2024
@timmywil
blogs: add CSP report header to blog sites
7019e41 
Ref gh-54
Closes gh-72
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 15, 2024
@timmywil
jqueryui.com: add CSP exceptions for download builder
e5a9218 
Ref jquery/infrastructure-puppet#54
@timmywil timmywil mentioned this issue Dec 15, 2024
Merged
@timmywil
Copy link
Member Author

timmywil commented Dec 15, 2024
edited
Loading

Remaining items:

  • Test CSP on the blog sites. Headers have been deployed, but are not currently showing up. I'll need help looking into why.
  • Finish addressing any CSP violations for other wordpress sites.
  • Switch the wordpress header to enforced (non-report-only).
  • Switch the blogs header to enforced (non-report-only).

Then we can finally call this done, but continue watching logs for anything I missed.

timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 16, 2024
@timmywil
jqueryui.com: add CSP exceptions for download builder
12053c7 
Ref jquery/infrastructure-puppet#54
Closes gh-475
timmywil added a commit to timmywil/jquery-wp-content that referenced this issue Dec 16, 2024
@timmywil
All: switch to enforced CSP header
bbbc1f4 
Ref jquery/infrastructure-puppet#54
@timmywil timmywil mentioned this issue Dec 16, 2024
Merged
timmywil added a commit to jquery/jquery-wp-content that referenced this issue Dec 16, 2024
@timmywil
All: switch to enforced CSP header
31f2f08 
Ref jquery/infrastructure-puppet#54
Closes gh-476
@timmywil timmywil mentioned this issue Dec 24, 2024
Merged
timmywil added a commit to jquery/blog.jquery.com-theme that referenced this issue Dec 25, 2024
@timmywil
All: add CSP report only header for all blog sites
80715f1 
- allow scripts, styles, and images from code.jquery.com

Ref jquery/infrastructure-puppet#54
Closes gh-8
timmywil added a commit to timmywil/blog.jquery.com-theme that referenced this issue Dec 25, 2024
@timmywil
All: add CSP exceptions for loading klavika font from typekit
ca0852d 
Ref jquery/infrastructure-puppet#54
@timmywil timmywil mentioned this issue Dec 25, 2024
Merged
timmywil added a commit to jquery/blog.jquery.com-theme that referenced this issue Jan 5, 2025
@timmywil
All: add CSP exceptions for loading klavika font from typekit
5df1144 
Ref jquery/infrastructure-puppet#54
Closes gh-9
timmywil added a commit to timmywil/blog.jquery.com-theme that referenced this issue Jan 13, 2025
@timmywil
All: add CSP exceptions for remote images
465c894 
Ref jquery/infrastructure-puppet#54
  Closes jquerygh-10
@timmywil timmywil mentioned this issue Jan 13, 2025
Closed
timmywil added a commit to timmywil/blog.jquery.com-theme that referenced this issue Jan 14, 2025
@timmywil
All: switch CSP headers from report-only to enforced
0149873 
Ref jquery/infrastructure-puppet#54
@timmywil timmywil mentioned this issue Jan 14, 2025
Merged
timmywil added a commit to jquery/blog.jquery.com-theme that referenced this issue Jan 14, 2025
@timmywil
All: switch CSP headers from report-only to enforced
57ec359 
Ref jquery/infrastructure-puppet#54
Closes gh-11
@timmywil
Copy link
Member Author

We can finally call this done!

We'll want to double check the CSP report logs when the blogs are switched to jquery-wp-content, but no CSP exceptions should need to be added for the sake of the blog sites. The typekit exceptions won't apply because jquery-wp-content uses a self-hosted font and Timo and I migrated all remote images.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timmywil timmywil

Labels
security Service: Blogs WordPress blogs. Service: Doc sites WordPress doc sites. Service: Miscweb Static sites and redirects.
Milestone
No milestone
2 participants
@Krinkle @timmywil