Add Content Security Policy headers to all jQuery content sites

[timmywil]

Proposed header value

"default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self';"

This should be tested with a report header first

• Set up an endpoint that can accept security reports

[timmywil]

This also depends on jquery/jquery-wp-content#463

Also, the nginx changes are only being deployed to staging atm.

[Krinkle]

@timmywil Of the three changed roles, only grunt has staging. It seems https://stage.gruntjs.com/ is now down. I guess an nginx syntax error?

[timmywil]

After consulting the docs, I don't see anything obviously wrong with the syntax. Instead, I think the issue has to do with the grunt site's use of proxy_pass. The way to address that seems to have changed over the years, but I think moving add_header to the location block will work. Also, we can add always to the end to ensure the header is sent along even in error responses.

[Krinkle]

@timmywil That didn't seem to bring the site back. I tried logging into the droplet, to check its puppet log and nginx error, but it's not responding to SSH.

Looks like something on 22 Aug (two days before your first patch). Could it be a coincidence?

[Krinkle]

I've rebooted the instance and the site is now back up. Investigation at #60 (unrelated to this).

[timmywil]

With the merging of jquery/jquery-wp-content#463, all staging sites (and all non-wordpress prod sites) now have CSP report headers. The next step will be to test all these sites and fix their issues. Once we've addressed any issues, we can deploy the report-only headers to production. We'll then test all the production sites. Then, we'll switch to real CSP headers.

Non-wordpress sites

• https://gruntjs.com
  • There's an unsafe-eval on https://gruntjs.com/plugins. It will require either (1) adding unsafe-eval to script-src, (2) upgrading jQuery and adding unsafe-inline to script-src (because jQuery started using script tags instead of eval), or (3) re-implement plugin search completely
• https://demos.jquerymobile.com/
  • unsafe-eval used for syntax highlighting (every page)
  • many fonts loaded from google
  • data: SVG images
• https://podcast.jquery.com
  • add media-src exception for content.jquery.com
  • Switch http to https in podcast.jquery.com repo
• https://themeroller.jquerymobile.com/ (lots of issues here)
• https://bugs.jquery.com/
  • inline style on milestones page
  • add script-src exception for wasm-unsafe-eval for use of WebAssembly in Pagefind
• https://bugs.jqueryui.com/
  • inline style on milestones page
  • add script-src exception for wasm-unsafe-eval for use of WebAssembly in Pagefind
• https://plugins.jquery.com
  • add img-src exception for secure.gravatar.com
  • add script-src exception for wasm-unsafe-eval for use of WebAssembly in Pagefind

Wordpress staging sites

• https://stage.jquery.com
• https://stage.api.jquery.com
• https://stage.jqueryui.com/
• https://stage.api.jqueryui.com/
  • stylesheet loaded from code.jquery.com
• https://stage.jquerymobile.com/
  • inline styles on resources page
• https://stage.api.jquerymobile.com/
  • stylesheet loaded from code.jquery.com
• https://stage.learn.jquery.com/
• https://stage.releases.jquery.com/
  • stylesheets loaded from code.jquery.com
  • images loaded from code.jquery.com
• https://stage.brand.jquery.org/
• https://stage.contribute.jquery.org/
  • video loaded from Vimeo at https://stage.contribute.jquery.org/markup-conventions/#embeds
• https://stage.meetings.jquery.org/

[Krinkle]

@timmywil It seems even after #61, Firefox still reports the following console warning:

Content-Security-Policy: This site (https://stage.gruntjs.com/) has a Report-Only policy without a report-uri directive nor a report-to directive. CSP will not block and cannot report violations of this policy.

Looking the HTTP response:

content-security-policy-report-only: default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-to https://csp-report-api.openjs-foundation.workers.dev/

This doesn't contain the relevant change.

Looking at the server:

gruntjs-03: sudo journalctl -u puppet
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Profile::Gruntjscom/Nginx::Site[gruntjscom]/File[/etc/nginx/sites-available/gruntjscom]/content) content changed '{sha256}652386e2d2d1f1c33>
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Nginx/Exec[nginx-reload]/returns) Job for nginx.service failed.
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Nginx/Exec[nginx-reload]/returns) See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
Sep 11 15:41:36 gruntjs-03 puppet-agent[84450]: (/Stage[main]/Nginx/Exec[nginx-reload]) Failed to call refresh: '/usr/sbin/service nginx reload' returned 1 instead of one of [0]

gruntjs-03$ systemctl status nginx.service
Sep 11 15:41:36 gruntjs-03 nginx[84606]: 2024/09/11 15:41:36 [emerg] 84606#84606: invalid number of arguments in "add_header" directive in /etc/nginx/sites-enabled/gruntjscom:24

So it has protected itself by keeping the server running with the previous configuration for now.

[timmywil]

Sorry about that. I'll look into it.

[timmywil]

I think it's just a missing semicolon