seog Posted June 12, 2017 (edited)

Hi,

Because PrestaShop may have security holes in some of its modules (such as sendtofriend, through which I suffered Chinese spam), I hardened my VPS with some security patches. If you try to add "Content-Security-Policy" on your site, your JS crashes your site in the back office and the front office due to PrestaShop's unsafe inline JavaScript or externally loaded JS. Do you know when PrestaShop will fix it, or do you know what URLs/paths should be added to the Content Security Policy to fix PrestaShop's JavaScript issues?

Example: Content-Security-Policy: default-src 'strict-dynamic' http://cdn.prestashopJSpath; object-src 'none'

Best regards

Edited June 12, 2017 by seog
bellini13 Posted June 12, 2017

Well, you added a CDN to the mix. You will have to configure your web server to add the proper headers to the resources so that the CDN can properly serve those resources. This really has nothing to do with PrestaShop.
seog (Author) Posted June 12, 2017

No, I tested the Cloudflare CDN, but I get better performance without a CDN. My website runs without a CDN.

The issue is PrestaShop's unsafe inline JavaScript: http://forge.prestashop.com/browse/PSCFV-3047

To fix it, it would be necessary to add all the PrestaShop inline JS paths used in the back office/front office to default-src (where PrestaShop stores them as CDNs, TinyMCE URLs, etc.). I understand that PrestaShop should know which Content-Security-Policy would be compatible with the back office and front office.

NOTE: I do not have any external JS or CSS on my site; for example, none of my fonts call Google Fonts, because I downloaded them and uploaded them directly to my server (fully local server).
bellini13 Posted June 13, 2017

I think you referenced a forge item that was created for PS v1.5 and closed in 2012. I'm not aware of the issue you are referring to regarding inline JavaScript as it relates to CSP.

Do you want to provide an exact example of what is failing CSP in the front or back office? Or perhaps create your own forge ticket for PS v1.6 or v1.7 where you believe an issue exists?
seog (Author) Posted June 14, 2017 (edited)

Hi bellini13,

The issue is that the PrestaShop back office loads inline scripts from outside of your site (JS and CSS), so you can't stop JavaScript hacks by bad users, because your back office breaks if you add any of the following security directives:

Content-Security-Policy: default-src 'none'; script-src https://www.mywebiste.com (global issue)
Content-Security-Policy: default-src 'self'; (global issue)
Content-Security-Policy: default-src https:; (mainly errors due to third-party modules)
Content-Security-Policy-Report-Only: default-src 'unsafe-inline' 'unsafe-eval' (PrestaShop inline JS issue)

The solution could be to add all the links from which PrestaShop is loaded in your back office, including its addons CDN URLs, etc.

I am asking whether any user knows which directive could be compatible with PrestaShop.

Best regards

Edited June 14, 2017 by seog
seog (Author) Posted June 14, 2017

Checking the errors, I summarize them:

index.php (unsafe-inline)
jquery-1.11.0.min.js
help.js

The front office breaks fully.
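As an added example (not code from this thread or from PrestaShop), the usual way to answer "which URLs/paths should be added" is to ship the policy in Content-Security-Policy-Report-Only mode with a report-uri and aggregate the violation reports the browsers send back. The small Python aggregator below groups blocked sources per directive and separates origins that could go on an allowlist from inline/eval violations, which need a nonce or hash rather than an allowlist entry; the three sample reports and the shop.example hostname are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: three violation reports of the shape a browser POSTs to
# the report-uri endpoint when the policy is sent as Report-Only.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/admin123/index.php",
        "violated-directive": "script-src", "effective-directive": "script-src",
        "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/index.php",
        "violated-directive": "script-src",
        "blocked-uri": "https://www.google-analytics.com/analytics.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/index.php",
        "violated-directive": "style-src", "blocked-uri": "inline"}}),
]

def parse_report(raw: str) -> dict:
    """Pull the fields an admin needs out of one CSP violation report body."""
    body = json.loads(raw)["csp-report"]
    # Older browsers send only violated-directive; newer ones add effective-directive.
    directive = body.get("effective-directive") or body["violated-directive"]
    return {"directive": directive.split()[0],
            "blocked": body["blocked-uri"], "page": body["document-uri"]}

def aggregate(raw_reports) -> dict:
    """Count blocked sources per directive, reducing full URLs to their origin."""
    seen = defaultdict(lambda: defaultdict(int))
    for raw in raw_reports:
        r = parse_report(raw)
        blocked = r["blocked"]
        # Keywords such as "inline" and "eval" are not origins; keep them verbatim
        # so they stand out as things to fix with a nonce/hash, not an allowlist.
        if "://" in blocked:
            parts = urlsplit(blocked)
            blocked = f"{parts.scheme}://{parts.netloc}"
        seen[r["directive"]][blocked] += 1
    return {d: dict(s) for d, s in seen.items()}

def suggest_sources(agg: dict) -> dict:
    """Split each directive's findings into allowlist candidates and inline/eval
    hits; allowing the latter via 'unsafe-inline'/'unsafe-eval' defeats CSP."""
    return {d: {"allowlist": sorted(s for s in src if "://" in s),
                "needs_nonce_or_hash": sorted(s for s in src if "://" not in s)}
            for d, src in agg.items()}

if __name__ == "__main__":
    print(json.dumps(suggest_sources(aggregate(SAMPLE_REPORTS)), indent=2))
```

Run it against the reports collected from a real Report-Only rollout and the allowlist part becomes the per-directive source list; the inline part is the list of templates and modules that still need a nonce or hash before the policy can be enforced.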
pixelicous Posted July 19, 2020 (edited)

This is a very important topic. I'm working on my CSP now and I stumble upon many problems with PrestaShop. It is currently very hard to implement a Content Security Policy. Too much inline styling, even out of the box. The default PS Google modules do not allow implementation of a server nonce out of the box (some official docs from Google here).

After reading this here, I still think there is much to be done in terms of security. Security should be a requirement; many modules and themes are probably breaking PrestaShop's security. And even outside the scope of third-party modules, some default PrestaShop modules still trigger CSP warning reports due to inline JavaScript, like the Google Analytics code and the cart module.

Edited July 19, 2020 by pixelicous
Thomas777 Posted November 10, 2021

So, how did you exclude your IP on the back office?