Edit Content Security Policy

digitalfactory · June 28, 2024, 12:30pm

Description

I would like to edit the Content Security Policy as the default one may not be compliant and I would like to ask is it possible to have a custom Content Security Policy?

Understand that we can turn off the ‘Enable Content Security policy’ but it does not help us in the situation as it will remove the CSP completely. The function of Extra CSP Domains will only add to the default Content-Security-Policy.

Steps to reproduce:

1. Make any valid request to a self-hosted rocketchat:
e.g. curl -v -k https://“rocketchat domain”
1. Observe the response headers to see the following:
- The deprecated “X-XSS-Protection” header is in use.
- The “Content-Security-Policy” uses unsafe values such as “unsafe-eval”.
- The “Content-Security-Policy” is missing the “object-src” directive.
- The deprecated “Pragma” header is in use.

Configuration that we would like to set:

Remove the deprecated X-XSS-Protection headers.
Remove the unsafe values from the script-src directive in the Content-Security-Policy such as unsafe-eval
Set an appropriate value for the object-src directive in the Content-Security-Policy such as none
Remove the deprecated Pragma header if it is not required

Server Setup Information

Version of Rocket.Chat Server: v6.9.2
Operating System: Linux
Deployment Method: docker
Number of Running Instances: 1 server and 1 database instance
NodeJS Version: 14.21.3
MongoDB Version: 6.0.15

reetp · June 28, 2024, 2:30pm

Ah - so you opened these issues?

github.com/RocketChat/Rocket.Chat

Host Header Injection

opened 04:52AM - 28 Jun 24 UTC

irfanasyraf

stat: in progress

### Description: Make a request directly to the following host via HTTP (Port… 80) with an arbitrary domain in the "Host" header. e.g. curl -v -k "Host: test123.com" https://"rocketchat domain" Observe the redirect to the inserted domain. ### Expected behavior: The redirect should not happen based on the "Host" header value and it should be rejected. The web application profile is specifically bound to the correct host name to ensure that arbitrary host names sent to the web server will not reach the application. When validating the host headers, a whitelist approach where only allowed domains are declared should be preferred over a blacklist. ### Actual behavior: It was observed that the user is redirected based on the "Host" header value ### Server Setup Information: - Version of Rocket.Chat Server: v6.9.2 - Operating System: Linux - Deployment Method: docker (taken from OpenSource Rocketchat Docker) - Number of Running Instances: 1 server 1 Database - MongoDB Version: 6.0.15

github.com/RocketChat/Rocket.Chat

Overly Permissive Cross Origin Resource Sharing Policy

opened 07:50AM - 28 Jun 24 UTC

irfanasyraf

stat: in progress

### Description: The Cross Origin Resource Sharing Policy refers to the domai…ns which are allowed to use resources from the server. The allowed domains are indicated in the "Access-Control-Allow-Origin" HTTP response header. It was observed the server uses a wildcard for Cross-Origin Resource Sharing (CORS). This allows arbitrary domains to inBH-0Steract with the application which would allow an attacker to exploit that trust relationship. Is there any way we can remove the **'Cross-Origin-Resource-Policy'** completely? **Risk Rating: Low CVSS: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:C - 2.9 CWE: CWE-942: Overly Permissive Cross-domain Whitelist** ### Steps to reproduce: 1. Make any valid request to the following host with an arbitrary domain in the "Origin" header value and observe the server's response. **e.g. curl -v -k "Host: test123.com" https://"rocketchat domain"** ### Expected behavior: It is recommended to remove the wildcard from the Cross Origin Resource Sharing policy. Only trusted domains that require access should be allowed and the domains should be stated explicitly. If the headers are not required, it should be disabled. ### Actual behavior: [ <img width="492" alt="Screenshot 2024-06-28 at 3 40 11 PM" src="https://github.com/RocketChat/Rocket.Chat/assets/91171735/d4d176dc-2349-4fe4-946c-2ed00544dc2e"> ](url) ### Server Setup Information: Version of Rocket.Chat Server: v6.9.2 Operating System: Linux Deployment Method: docker (taken from OpenSource Rocketchat Docker) Number of Running Instances: 1 server 1 Database MongoDB Version: 6.0.13

Please stay in one place as it gets confusing to manage. I suggest stay in the issues.

I have requested some attention on both the issues but I have no idea on the outcome.

If they are considered a security issue they will of course be dealt with.

If they are essentially a feature request then there is no guarantee of the outcome. PRs are of course welcome.

See what the devs say.

NB - I think you are trying to test against say 127.0.0.1:3000

Rocket does not recommend anyone runs Rocket.Chat via http or directly. It should always behind a reverse proxy.

digitalfactory · June 28, 2024, 3:37pm

Hi,

Thank You for the swift response by the team!

Understand on staying in one place as I was unsure which forum would be better suited to my queries.

In any case, is it correct to say that there is no way to edit the default CSP, provided that I set up an nginx reverse proxy at the front and configure my own proxy header for the CSP?

Appreciate your help and thank you!

reetp · June 29, 2024, 10:02am

The short answer to fix the issue is to front with a proxy.

This is well documented.

https://docs.rocket.chat/docs/configuring-ssl-reverse-proxy

Personally I use apache for historical reasons, but same thing and I do not see your issue on my servers unless I connect directly locally and bypassing the proxy.

As far as your issue is concerned it is being looked at, but no idea on outcome. It will pass through the usual backend processes.

Follow on github.

digitalfactory · July 4, 2024, 4:11am

Hi,

Noted on the recommendations. I will configure it on my end.

Thank you for the clarification!

digitalfactory · July 22, 2024, 12:41pm

Hi Team,

I was successfully able to remove the deprecated X-XSS-Protection and the add the “object-src” directive as per my question from above via installing apache at infront of the application.

However I ran into an issue while trying to remove unsafe-eval from the Content-Security-Policy.

The error message I discovered after inspecting the page when it is loading is as below:

"EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’”

I would like to enquire if the unsafe-eval is needed while running the application or is there a CSP we can follow?

The reason for this is because we are following a security best practice and one of the recommendation is to remove ‘unsafe-eval’ from the Content-Security-Policy

digitalfactory · July 22, 2024, 12:41pm

We have also recently upgraded to Rocketchat Version 6.10.0 and MongoDB Version 6.0.16 FYI

reetp · July 22, 2024, 9:12pm

Careful you aren’t chasing ghosts.

Make sure all your domain setup is correct on both your Rocket server, and Apache.

Remember, on your proxy you can fudge just about anything you want.

Topic		Replies	Views
Content-Security-Policy errors integrating Omnichannel LiveChat in my web Community Support	5	3018	March 10, 2023
Failed to set content security policy CSP Community Support	1	1427	February 16, 2022
Repeated Site URL configuration warnings, even though the value is correctly entered Community Support	1	1354	February 3, 2022
Chrome's safe browser detects a site (Deceptive site ahead) Community Support rocketchat-apps , docker	3	376	August 10, 2023
After enabling Force SSL, redirect loop Community Support	0	405	October 7, 2021

[Rocket.Chat v7.0: Join the webinar] Roadmap Reveal: on-prem AI, VoIP, and more! Save your seat ->

Edit Content Security Policy

Description

Server Setup Information

Related topics