Optimized CSP

Solved path bug
Solved variable bug
2025-06-25 11:45:32 +02:00 · 2025-05-19 10:05:30 +02:00 · 2025-05-19 09:04:16 +02:00 · 2025-05-19 08:45:25 +02:00
8 changed files with 57 additions and 8 deletions
--- a/filter_plugins/csp_filters.py
+++ b/filter_plugins/csp_filters.py
@ -120,6 +120,16 @@ class FilterModule(object):
                ):
                    tokens.append('https://www.google.com')

+                # Enable loading via ancestors
+                if (
+                    self.is_feature_enabled(applications, 'portfolio_iframe', application_id)
+                    and directive == 'frame-ancestors'
+                ):
+                    domain = domains.get(application_id)  # e.g. "sub.example.com" or "example.com"
+                    # Extract the second-level + top-level domain and prefix with "*."
+                    sld_tld = ".".join(domain.split(".")[-2:])  # yields "example.com"
+                    tokens.append(f"*.{sld_tld}")               # yields "*.example.com"
+
                # whitelist
                tokens += self.get_csp_whitelist(applications, application_id, directive)

--- a/group_vars/all/15_about.yml
+++ b/group_vars/all/15_about.yml
@ -9,12 +9,12 @@ defaults_service_provider:
      city:         "Cybertown"
      postal_code:  "00001"
      country:      "Nexusland"
-    logo:           "{{ applications.assets_server.url | safe_var | safe_join('logo.png') }}"
+    logo:           "{{ applications.assets_server.url | safe_var | safe_join('img/logo.png') }}"
  platform:    
    titel:          "CyMaIS Demo"
    subtitel:       "The Future of Self-Hosted Infrastructure. Secure. Automated. Sovereign."
-    logo:           "{{ applications.assets_server.url | safe_var | safe_join('logo.png') }}"
-    favicon:        "{{ applications.assets_server.url | safe_var | safe_join('favicon.ico') }}"
+    logo:           "{{ applications.assets_server.url | safe_var | safe_join('img/logo.png') }}"
+    favicon:        "{{ applications.assets_server.url | safe_var | safe_join('img/favicon.ico') }}"
  contact:
    bluesky: >-
      {{ ('@' ~ users.administrator.username ~ '.' ~ domains.bluesky.api)
--- a/roles/docker-keycloak/vars/configuration.yml
+++ b/roles/docker-keycloak/vars/configuration.yml
@ -6,7 +6,7 @@ import_realm:         True                                # If True realm will b
 credentials:
 features:
  matomo:             true
-  css:                true
+  css:                false
  portfolio_iframe:   true
  ldap:               true
  central_database:   true
--- a/roles/docker-peertube/vars/configuration.yml
+++ b/roles/docker-peertube/vars/configuration.yml
@ -1,7 +1,7 @@
 version:              "bookworm"
 features:
  matomo:             true
-  css:                true
+  css:                false
  portfolio_iframe:   false
  central_database:   true
 csp:
--- a/roles/docker-pgadmin/vars/configuration.yml
+++ b/roles/docker-pgadmin/vars/configuration.yml
@ -12,4 +12,13 @@ features:
  css:                    true
  portfolio_iframe:     false
  central_database:       true
-  oauth2:                 true
+  oauth2:                 true
+csp:
+  flags:
+    style-src:
+      unsafe-inline: true
+    script-src:
+      unsafe-inline: true
+  whitelist:
+    font-src:
+      - "data:"
--- a/roles/docker-phpmyadmin/vars/configuration.yml
+++ b/roles/docker-phpmyadmin/vars/configuration.yml
@ -9,4 +9,10 @@ features:
  portfolio_iframe: false
  central_database:   true
  oauth2:             true
-hostname:             central-mariadb
+hostname:             central-mariadb
+csp:
+  flags:
+    style-src:
+      unsafe-inline: true
+    script-src:
+      unsafe-inline: true
--- a/roles/nginx-serve-assets/vars/configuration.yml
+++ b/roles/nginx-serve-assets/vars/configuration.yml
@ -1,4 +1,4 @@
 source_directory: "{{ playbook_dir }}/assets"                             # Directory from which the assets will be copied
 url: >-
  {{ (web_protocol ~ '://' ~ domains.file_server | safe_var ~ '/assets')
-     if applications.assets_server.url | safe_var else '' }}
+     if domains.file_server | safe_var else '' }}
--- a/tests/unit/test_csp_filters.py
+++ b/tests/unit/test_csp_filters.py
@ -167,5 +167,29 @@ class TestCspFilters(unittest.TestCase):
        )
        self.assertNotIn("https://www.google.com", header_disabled)

+    def test_build_csp_header_frame_ancestors(self):
+        """
+        frame-ancestors should include the wildcarded SLD+TLD when
+        'portfolio_iframe' is enabled, and omit it when disabled.
+        """
+        # Ensure feature enabled and domain set
+        self.apps['app1']['features']['portfolio_iframe'] = True
+        # simulate a subdomain for the application
+        self.domains['app1'] = 'sub.domain-example.com'
+        
+        header = self.filter.build_csp_header(self.apps, 'app1', self.domains, web_protocol='https')
+        # Expect '*.domain-example.com' in the frame-ancestors directive
+        self.assertRegex(
+            header,
+            r"frame-ancestors\s+'self'\s+\*\.domain-example\.com;"
+        )
+
+        # Now disable the feature and rebuild
+        self.apps['app1']['features']['portfolio_iframe'] = False
+        header_no = self.filter.build_csp_header(self.apps, 'app1', self.domains, web_protocol='https')
+        # Should no longer contain the wildcarded sld.tld
+        self.assertNotIn("*.domain-example.com", header_no)
+
+
 if __name__ == '__main__':
    unittest.main()
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	cc3f5d75ea	Optimized CSP	2025-05-19 10:05:30 +02:00
Kevin Veen-Birkenbach	ab8b99b2c1	Solved path bug	2025-05-19 09:04:16 +02:00
Kevin Veen-Birkenbach	35446b6d94	Solved variable bug	2025-05-19 08:45:25 +02:00