
I'd like to set a content security policy header for a Joomla website running on Apache 2.4.

Using this configuration from h5bp and setting Header set Content-Security-Policy "script-src 'self'; object-src 'self'" gives me a blank page for the Joomla login page at www.example.com/administrator/. How can I use this policy and still log in?

Checking the console, the error message is:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://www.example.com").

The administrator page is entirely served from example.com, there is no third-party content. The site works perfectly except for the blank page on the login page with the policy set. Checking the /administrator page source, it looks completely ordinary except that the JS isn't run. A copy of the complete page source is here.

Because I have whitelisted example.com with "script-src 'self'; object-src 'self'" I expect that the page will render but I'm obviously missing something.

I've now re-tested this with a new VPS and clean install of Joomla with no customisations. Setting the content security policy and restarting Apache immediately reproduces the issue - totally blank admin page with accompanying console error in the browser complaining about the policy blocking the loading of resources. Changing "script-src 'self'" to "script-src 'example.com'" or "script-src 'IP:AD:DR:ESS'" doesn't help, all scripts are blocked, period.

Any idea how to get this working or further troubleshoot it?

Tom Brossman
  • Could this be a problem with mixed-content? In other words, are you loading your page at https://www.example.com and the script is trying to load from http://www.example.com? Whether www is present in both could also be a problem. Can you update the question with both the source code snippet containing the line of HTML that is being blocked? – rbhitchcock May 20 '15 at 18:39
  • Some formatting was lost in your comment but no, it isn't a `https://` mixed-content issue as the site is HTTP only, and the links are all relative so they work regardless of the domain's root. The page is totally blank in browsers that respect the policy, so there's no code to inspect. IE happily loads the page but produces no errors, as it is unaware of the restriction. – Tom Brossman May 21 '15 at 07:25
  • One thing I would suggest to continue troubleshooting is to replace `script-src 'self'` with `script-src http://example.com`. This might help you narrow in on the problem. I also suggest trying a different browser and comparing error messages. If you've already tried that and are still having problems, I'm not sure what else to suggest other than perhaps providing the exact HTTP header included in the HTTP response along with a snippet of the source code (not from the browser "View Source" option, but from the source code itself). – rbhitchcock May 22 '15 at 14:24
  • @rbhitchcock Appreciate the continued help but no luck yet. I've edited the question to hopefully make it simpler. Problem is instantly reproducible on a new server & clean Joomla install - set the policy, restart Apache, and no more /administrator page with Firefox or Chrome. – Tom Brossman May 24 '15 at 19:22

1 Answer


After looking at the source code, it appears that the error message is erroneous and misleading. What appears to be causing your problem is that there are several inline JavaScript elements. In other words, the policy you are defining allows content like this:

<script src="/media/myjsfile.js"></script>

But not like this:

<script>function myJsFunction()</script>

In order to allow inline JavaScript (not recommended as this defeats the purpose of using CSP), you need to modify your policy to something like:

script-src 'self' 'unsafe-inline'

Alternatively, you can refactor the code to not use inline JS, or take advantage of the nonce attribute. Keep in mind that support for the nonce attribute is not currently present in all browsers (it is part of the latest spec for Content Security Policy). To my knowledge, it is currently only supported in Chrome.

rbhitchcock
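The behaviour described in the question (a `script-src 'self'` policy that allows `/media/myjsfile.js` but blocks every inline `<script>` block) and the two remedies in the answer (`'unsafe-inline'` or a nonce) can be checked offline with a small evaluator of the script-src directive. The following is an added example, not code from the question, the answer, Joomla or Apache; the sample markup, the origin `http://www.example.com` and the nonce value `abc123` are constructed for illustration, and the matcher deliberately covers only `'self'`, plain host and scheme://host sources (no wildcards, paths or hashes).

```python
"""Minimal evaluator for the CSP script-src directive.

Shows why `script-src 'self'` permits a same-origin external script yet blocks
inline <script> blocks, and how 'unsafe-inline' or a nonce source changes that.
Added example; not code from the original page, Joomla or Apache.
"""
import re
from urllib.parse import urlparse

# Assumed page origin for resolving relative script URLs (constructed).
PAGE_ORIGIN = "http://www.example.com"

# Constructed sample markup (not the real Joomla admin page): one same-origin
# external script, two inline scripts (one carrying a nonce), one third-party script.
SAMPLE_HTML = """
<script src="/media/myjsfile.js"></script>
<script>function myJsFunction(){}</script>
<script nonce="abc123">function withNonce(){}</script>
<script src="http://cdn.example.net/lib.js"></script>
"""

SCRIPT_RE = re.compile(r"<script([^>]*)>(.*?)</script>", re.S | re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_script_src(policy):
    """Return the source-list tokens of the script-src directive ([] if absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def host_source_matches(source, url, page_origin):
    """Match one host-source ('self', host, or scheme://host) against a script URL."""
    target = urlparse(url if "://" in url else page_origin + url)
    if source == "'self'":
        origin = urlparse(page_origin)
        return (origin.scheme, origin.netloc) == (target.scheme, target.netloc)
    if "://" in source:
        src = urlparse(source)
        return (src.scheme, src.netloc) == (target.scheme, target.netloc)
    # Bare host: no wildcard handling here, so "example.com" does not cover
    # "www.example.com", which is also how browsers treat it.
    return source == target.netloc


def evaluate_scripts(html, policy, page_origin=PAGE_ORIGIN):
    """Return a list of (label, allowed) for every <script> element in html."""
    sources = parse_script_src(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    host_sources = [s for s in sources if not s.startswith("'") or s == "'self'"]
    # CSP Level 2: when a nonce (or hash) source is present, 'unsafe-inline' is ignored.
    unsafe_inline = "'unsafe-inline'" in sources and not nonces

    results = []
    for raw_attrs, body in SCRIPT_RE.findall(html):
        attrs = dict(ATTR_RE.findall(raw_attrs))
        if "src" in attrs:
            # External script: allowed only if some host source matches its origin.
            allowed = any(host_source_matches(s, attrs["src"], page_origin)
                          for s in host_sources)
            results.append((attrs["src"], allowed))
        else:
            # Inline script: host sources never apply; only 'unsafe-inline'
            # or a nonce matching the element's nonce attribute permits it.
            allowed = unsafe_inline or attrs.get("nonce") in nonces
            results.append(("inline:" + body.strip()[:20], allowed))
    return results


if __name__ == "__main__":
    for policy in ("script-src 'self'; object-src 'self'",
                   "script-src 'self' 'unsafe-inline'",
                   "script-src 'self' 'nonce-abc123'"):
        print(policy)
        for label, allowed in evaluate_scripts(SAMPLE_HTML, policy):
            print(f"  {'ALLOW' if allowed else 'BLOCK':5} {label}")
```

Running it with the question's policy marks `/media/myjsfile.js` as allowed and both inline blocks as blocked, which is exactly the blank admin page; with `'nonce-abc123'` only the script whose `nonce` attribute matches is allowed, so a nonce-based fix requires the page to emit a fresh nonce in both the header and each inline `<script>` tag on every response.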