Page MenuHomePhabricator

Never generate file download forms which point to the CDN domain, tighten "form-action" CSP
ClosedPublic

Authored by epriestley on Mar 1 2018, 12:55 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 24, 9:34 AM
Unknown Object (File)
Sat, Nov 23, 12:48 AM
Unknown Object (File)
Fri, Nov 22, 8:03 PM
Unknown Object (File)
Thu, Nov 14, 4:47 AM
Unknown Object (File)
Thu, Nov 14, 4:46 AM
Unknown Object (File)
Thu, Nov 14, 4:04 AM
Unknown Object (File)
Thu, Nov 14, 1:21 AM
Unknown Object (File)
Thu, Nov 14, 12:47 AM
Subscribers
Restricted Owners Package

Details

Summary

Depends on D19155. Ref T13094. Ref T4340.

We can't currently implement a strict form-action 'self' content security policy because some file downloads rely on a <form /> which sometimes POSTs to the CDN domain.

Broadly, stop generating these forms. We just redirect instead, and show an interstitial confirm dialog if no CDN domain is configured. This makes the UX for installs with no CDN domain a little worse and the UX for everyone else better.

Then, implement the stricter Content-Security-Policy.

This also removes extra confirm dialogs for downloading Harbormaster build logs and data exports.

Test Plan
  • Went through the plain data export, data export with bulk jobs, ssh key generation, calendar ICS download, Diffusion data, Paste data, Harbormaster log data, and normal file data download workflows with a CDN domain.
  • Went through all those workflows again without a CDN domain.
  • Grepped for affected symbols (getCDNURI(), getDownloadURI()).
  • Added an evil form to a page, tried to submit it, was rejected.
  • Went through the ReCaptcha and Stripe flows again to see if they're submitting any forms.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable