Paths

Table of Contentst

Differential D19156

Never generate file download forms which point to the CDN domain, tighten "form-action" CSP
ClosedPublic
Actions

Authored by epriestley on Mar 1 2018, 12:55 AM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, Nov 14, 4:47 AM

	Unknown Object (File)
	Thu, Nov 14, 4:46 AM

	Unknown Object (File)
	Thu, Nov 14, 4:04 AM

	Unknown Object (File)
	Thu, Nov 14, 1:21 AM

	Unknown Object (File)
	Thu, Nov 14, 12:47 AM

	Unknown Object (File)
	Tue, Nov 12, 10:36 PM

	Unknown Object (File)
	Mon, Nov 11, 5:44 AM

	Unknown Object (File)
	Sat, Nov 9, 3:01 PM

Subscribers

Restricted Owners Package

Details

Reviewers: None
Maniphest Tasks: T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
T13094: Improve file behaviors around POST requests and downloads
Commits: rPab579f251110: Never generate file download forms which point to the CDN domain, tighten "form…

Summary

Depends on D19155. Ref T13094. Ref T4340.

We can't currently implement a strict form-action 'self' content security policy because some file downloads rely on a <form /> which sometimes POSTs to the CDN domain.

Broadly, stop generating these forms. We just redirect instead, and show an interstitial confirm dialog if no CDN domain is configured. This makes the UX for installs with no CDN domain a little worse and the UX for everyone else better.

Then, implement the stricter Content-Security-Policy.

This also removes extra confirm dialogs for downloading Harbormaster build logs and data exports.

Test Plan

Went through the plain data export, data export with bulk jobs, ssh key generation, calendar ICS download, Diffusion data, Paste data, Harbormaster log data, and normal file data download workflows with a CDN domain.
Went through all those workflows again without a CDN domain.
Grepped for affected symbols (getCDNURI(), getDownloadURI()).
Added an evil form to a page, tried to submit it, was rejected.
Went through the ReCaptcha and Stripe flows again to see if they're submitting any forms.

Diff Detail

Repository

Branch

csp4

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 19698
Build 26678: Run Core Tests
Build 26677: arc lint + arc unit

Event Timeline

epriestley created this revision.Mar 1 2018, 12:55 AM

Owners added a subscriber: Restricted Owners Package.Mar 1 2018, 12:55 AM

Harbormaster completed remote builds in B19698: Diff 45887.Mar 1 2018, 12:56 AM

epriestley requested review of this revision.Mar 1 2018, 12:56 AM

epriestley added a child revision: D19157: Stop using forms to download files in file embed and lightbox elements.Mar 1 2018, 1:19 AM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 1:20 AM

Closed by commit rPab579f251110: Never generate file download forms which point to the CDN domain, tighten "form… (authored by epriestley). · Explain Why

This revision was automatically updated to reflect the committed changes.

epriestley mentioned this in D19421: Restore support for using "arc download" to fetch files with no "security.alternate-file-domain".May 1 2018, 2:21 PM

epriestley mentioned this in rP332f4ab66d18: Restore support for using "arc download" to fetch files with no "security..May 1 2018, 5:08 PM

Revision Contents
Changeset List

Path

Size

resources/

celerity/

28 lines

src/

aphront/

response/

AphrontRedirectResponse.php

10 lines

AphrontResponse.php

7 lines

applications/

auth/

controller/

PhabricatorAuthSSHKeyGenerateController.php

30 lines

base/

controller/

PhabricatorController.php

1 line

diffusion/

controller/

DiffusionServeController.php

2 lines

files/

application/

PhabricatorFilesApplication.php

4 lines

controller/

PhabricatorFileDataController.php

39 lines

PhabricatorFileInfoController.php

3 lines

markup/

PhabricatorEmbedFileRemarkupRule.php

2 lines

storage/

PhabricatorFile.php

28 lines

harbormaster/

controller/

HarbormasterBuildLogDownloadController.php

14 lines

view/

HarbormasterBuildLogView.php

6 lines

search/

controller/

PhabricatorApplicationSearchController.php

18 lines

infrastructure/

export/

engine/

PhabricatorExportEngineBulkJobType.php

1 line

webroot/

rsrc/

externals/

javelin/

lib/

7 lines

Diff 45887

resources/celerity/map.php

Loading...

src/aphront/response/AphrontRedirectResponse.php

Loading...

src/aphront/response/AphrontResponse.php

Loading...

src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php

Loading...

src/applications/base/controller/PhabricatorController.php

Loading...

src/applications/diffusion/controller/DiffusionServeController.php

Loading...

src/applications/files/application/PhabricatorFilesApplication.php

Loading...

src/applications/files/controller/PhabricatorFileDataController.php

Loading...

src/applications/files/controller/PhabricatorFileInfoController.php

Loading...

src/applications/files/markup/PhabricatorEmbedFileRemarkupRule.php

Loading...

src/applications/files/storage/PhabricatorFile.php

Loading...

src/applications/harbormaster/controller/HarbormasterBuildLogDownloadController.php

Loading...

src/applications/harbormaster/view/HarbormasterBuildLogView.php

Loading...

src/applications/search/controller/PhabricatorApplicationSearchController.php

Loading...

src/infrastructure/export/engine/PhabricatorExportEngineBulkJobType.php

Loading...

webroot/rsrc/externals/javelin/lib/Workflow.js

Loading...