Edit Content Security Policy

digitalfactory · June 28, 2024, 12:30pm

Description

I would like to edit the Content Security Policy as the default one may not be compliant and I would like to ask is it possible to have a custom Content Security Policy?

Understand that we can turn off the ‘Enable Content Security policy’ but it does not help us in the situation as it will remove the CSP completely. The function of Extra CSP Domains will only add to the default Content-Security-Policy.

Steps to reproduce:

1. Make any valid request to a self-hosted rocketchat:
e.g. curl -v -k https://“rocketchat domain”
1. Observe the response headers to see the following:
- The deprecated “X-XSS-Protection” header is in use.
- The “Content-Security-Policy” uses unsafe values such as “unsafe-eval”.
- The “Content-Security-Policy” is missing the “object-src” directive.
- The deprecated “Pragma” header is in use.

Configuration that we would like to set:

Remove the deprecated X-XSS-Protection headers.
Remove the unsafe values from the script-src directive in the Content-Security-Policy such as unsafe-eval
Set an appropriate value for the object-src directive in the Content-Security-Policy such as none
Remove the deprecated Pragma header if it is not required

Server Setup Information

Version of Rocket.Chat Server: v6.9.2
Operating System: Linux
Deployment Method: docker
Number of Running Instances: 1 server and 1 database instance
NodeJS Version: 14.21.3
MongoDB Version: 6.0.15

reetp · June 28, 2024, 2:30pm

Ah - so you opened these issues?

github.com/RocketChat/Rocket.Chat

Host Header Injection

opened 04:52AM - 28 Jun 24 UTC

irfanasyraf

stat: in progress

### Description: Make a request directly to the following host via HTTP (Port… 80) with an arbitrary domain in the "Host" header. e.g. curl -v -k "Host: test123.com" https://"rocketchat domain" Observe the redirect to the inserted domain. ### Expected behavior: The redirect should not happen based on the "Host" header value and it should be rejected. The web application profile is specifically bound to the correct host name to ensure that arbitrary host names sent to the web server will not reach the application. When validating the host headers, a whitelist approach where only allowed domains are declared should be preferred over a blacklist. ### Actual behavior: It was observed that the user is redirected based on the "Host" header value ### Server Setup Information: - Version of Rocket.Chat Server: v6.9.2 - Operating System: Linux - Deployment Method: docker (taken from OpenSource Rocketchat Docker) - Number of Running Instances: 1 server 1 Database - MongoDB Version: 6.0.15

github.com/RocketChat/Rocket.Chat

Overly Permissive Cross Origin Resource Sharing Policy

opened 07:50AM - 28 Jun 24 UTC

irfanasyraf

stat: in progress

### Description: The Cross Origin Resource Sharing Policy refers to the domai…ns which are allowed to use resources from the server. The allowed domains are indicated in the "Access-Control-Allow-Origin" HTTP response header. It was observed the server uses a wildcard for Cross-Origin Resource Sharing (CORS). This allows arbitrary domains to inBH-0Steract with the application which would allow an attacker to exploit that trust relationship. Is there any way we can remove the **'Cross-Origin-Resource-Policy'** completely? **Risk Rating: Low CVSS: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C - 2.9 CWE: CWE-942: Overly Permissive Cross-domain Whitelist** ### Steps to reproduce: 1. Make any valid request to the following host with an arbitrary domain in the "Origin" header value and observe the server's response. **e.g. curl -v -k "Host: test123.com" https://"rocketchat domain"** ### Expected behavior: It is recommended to remove the wildcard from the Cross Origin Resource Sharing policy. Only trusted domains that require access should be allowed and the domains should be stated explicitly. If the headers are not required, it should be disabled. ### Actual behavior: [ <img width="492" alt="Screenshot 2024-06-28 at 3 40 11 PM" src="https://github.com/RocketChat/Rocket.Chat/assets/91171735/d4d176dc-2349-4fe4-946c-2ed00544dc2e"> ](url) ### Server Setup Information: Version of Rocket.Chat Server: v6.9.2 Operating System: Linux Deployment Method: docker (taken from OpenSource Rocketchat Docker) Number of Running Instances: 1 server 1 Database MongoDB Version: 6.0.13

Please stay in one place as it gets confusing to manage. I suggest stay in the issues.

I have requested some attention on both the issues but I have no idea on the outcome.

If they are considered a security issue they will of course be dealt with.

If they are essentially a feature request then there is no guarantee of the outcome. PRs are of course welcome.

See what the devs say.

NB - I think you are trying to test against say 127.0.0.1:3000

Rocket does not recommend anyone runs Rocket.Chat via http or directly. It should always behind a reverse proxy.

digitalfactory · June 28, 2024, 3:37pm

Hi,

Thank You for the swift response by the team!

Understand on staying in one place as I was unsure which forum would be better suited to my queries.

In any case, is it correct to say that there is no way to edit the default CSP, provided that I set up an nginx reverse proxy at the front and configure my own proxy header for the CSP?

Appreciate your help and thank you!

reetp · June 29, 2024, 10:02am

The short answer to fix the issue is to front with a proxy.

This is well documented.

https://docs.rocket.chat/docs/configuring-ssl-reverse-proxy

Personally I use apache for historical reasons, but same thing and I do not see your issue on my servers unless I connect directly locally and bypassing the proxy.

As far as your issue is concerned it is being looked at, but no idea on outcome. It will pass through the usual backend processes.

Follow on github.

digitalfactory · July 4, 2024, 4:11am

Hi,

Noted on the recommendations. I will configure it on my end.

Thank you for the clarification!

Topic		Replies	Views
"Layout > Custom Scripts > Custom Script for Logged In Users" problem Community Support rocketchat-apps	3	748	March 31, 2023
Persmissions->Settings are all false and modifying them does nothing Community Support	0	172	June 17, 2023
Disable concurrent login Community Support rocketchat-apps , docker	6	50	July 4, 2024
Security related quetions Community Support	1	668	November 12, 2019
Upcoming changes to identity management integrations Announcements	105	22723	February 16, 2022

Join our Community Open Call tomorrow where we'll share more details regarding recent changes and answer questions about updating your workspace to the latest Rocket.Chat

Edit Content Security Policy

Description

Server Setup Information

Related Topics