Paths

Table of Contentst

Differential D19156

Never generate file download forms which point to the CDN domain, tighten "form-action" CSP
ClosedPublic
Actions

Authored by epriestley on Mar 1 2018, 12:55 AM.

Tags

None

Referenced Files

	F13089774: D19156.diff
	Thu, Apr 25, 2:00 AM

	Unknown Object (File)
	Fri, Apr 19, 7:28 PM

	Unknown Object (File)
	Wed, Apr 17, 10:25 PM

	Unknown Object (File)
	Wed, Apr 3, 9:19 AM

	Unknown Object (File)
	Sat, Mar 30, 4:29 PM

	Unknown Object (File)
	Mar 20 2024, 3:37 AM

	Unknown Object (File)
	Mar 19 2024, 3:26 PM

	Unknown Object (File)
	Mar 19 2024, 3:26 PM

View All 83 Files

Subscribers

Restricted Owners Package

Details

Reviewers: None
Maniphest Tasks: T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
T13094: Improve file behaviors around POST requests and downloads
Commits: rPab579f251110: Never generate file download forms which point to the CDN domain, tighten "form…

Summary

Depends on D19155. Ref T13094. Ref T4340.

We can't currently implement a strict form-action 'self' content security policy because some file downloads rely on a <form /> which sometimes POSTs to the CDN domain.

Broadly, stop generating these forms. We just redirect instead, and show an interstitial confirm dialog if no CDN domain is configured. This makes the UX for installs with no CDN domain a little worse and the UX for everyone else better.

Then, implement the stricter Content-Security-Policy.

This also removes extra confirm dialogs for downloading Harbormaster build logs and data exports.

Test Plan

Went through the plain data export, data export with bulk jobs, ssh key generation, calendar ICS download, Diffusion data, Paste data, Harbormaster log data, and normal file data download workflows with a CDN domain.
Went through all those workflows again without a CDN domain.
Grepped for affected symbols (getCDNURI(), getDownloadURI()).
Added an evil form to a page, tried to submit it, was rejected.
Went through the ReCaptcha and Stripe flows again to see if they're submitting any forms.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Mar 1 2018, 12:55 AM

Owners added a subscriber: Restricted Owners Package.Mar 1 2018, 12:55 AM

Harbormaster completed remote builds in B19698: Diff 45887.Mar 1 2018, 12:56 AM

epriestley requested review of this revision.Mar 1 2018, 12:56 AM

epriestley added a child revision: D19157: Stop using forms to download files in file embed and lightbox elements.Mar 1 2018, 1:19 AM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 1:20 AM

Closed by commit rPab579f251110: Never generate file download forms which point to the CDN domain, tighten "form… (authored by epriestley). · Explain Why

This revision was automatically updated to reflect the committed changes.

epriestley mentioned this in D19421: Restore support for using "arc download" to fetch files with no "security.alternate-file-domain".May 1 2018, 2:21 PM

epriestley mentioned this in rP332f4ab66d18: Restore support for using "arc download" to fetch files with no "security..May 1 2018, 5:08 PM

Revision Contents
Changeset List

Path

Size

resources/

celerity/

28 lines

src/

aphront/

response/

AphrontRedirectResponse.php

10 lines

AphrontResponse.php

7 lines

applications/

auth/

controller/

PhabricatorAuthSSHKeyGenerateController.php

30 lines

base/

controller/

PhabricatorController.php

1 line

diffusion/

controller/

DiffusionServeController.php

2 lines

files/

application/

PhabricatorFilesApplication.php

4 lines

controller/

PhabricatorFileDataController.php

39 lines

PhabricatorFileInfoController.php

3 lines

markup/

PhabricatorEmbedFileRemarkupRule.php

2 lines

storage/

PhabricatorFile.php

28 lines

harbormaster/

controller/

HarbormasterBuildLogDownloadController.php

14 lines

view/

HarbormasterBuildLogView.php

6 lines

search/

controller/

PhabricatorApplicationSearchController.php

18 lines

infrastructure/

export/

engine/

PhabricatorExportEngineBulkJobType.php

1 line

webroot/

rsrc/

externals/

javelin/

lib/

7 lines

Diff 45891

resources/celerity/map.php

Loading...

src/aphront/response/AphrontRedirectResponse.php

Loading...

src/aphront/response/AphrontResponse.php

Loading...

src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php

Loading...

src/applications/base/controller/PhabricatorController.php

Loading...

src/applications/diffusion/controller/DiffusionServeController.php

Loading...

src/applications/files/application/PhabricatorFilesApplication.php

Loading...

src/applications/files/controller/PhabricatorFileDataController.php

Loading...

src/applications/files/controller/PhabricatorFileInfoController.php

Loading...

src/applications/files/markup/PhabricatorEmbedFileRemarkupRule.php

Loading...

src/applications/files/storage/PhabricatorFile.php

Loading...

src/applications/harbormaster/controller/HarbormasterBuildLogDownloadController.php

Loading...

src/applications/harbormaster/view/HarbormasterBuildLogView.php

Loading...

src/applications/search/controller/PhabricatorApplicationSearchController.php

Loading...

src/infrastructure/export/engine/PhabricatorExportEngineBulkJobType.php

Loading...

webroot/rsrc/externals/javelin/lib/Workflow.js

Loading...