Content Security Policy (CSP) and inline scripts


by Stephen Hooley
Number of replies: 6

Hi

I’m attempting to secure my entire domain which includes a Moodle instance.

I’m attempting to set a Content Security Policy (CSP) at site level with a directive in the header in accordance with best practice recommendations: “Ensure CSP is effective against XSS attacks”.

Header directive: Content-Security-Policy: script-src <source>;

Best practice is blocking all third-party scripts or white-listing specific domains but blocking all inline scripts is seen as being particularly safe.


“Note: Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. However, if you absolutely have to use it, there are a few mechanisms that will allow them.”

CSP: script-src - HTTP | MDN (mozilla.org)

Is there a way in Moodle to disable the use of inline JavaScript or white-list scripts using a mechanism such as Nonce or Hash as described in the article above?

Thank you


Average of ratings: -
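The two allow-listing mechanisms the question refers to, hash sources and nonce sources, can be shown with a small Python script. This is an added example, not code from the post or from Moodle: the HTML page, the function names and the `'self'` base policy are all constructed for illustration, and the sample page is not real Moodle output.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page (not real Moodle output): one inline script, one external one.
SAMPLE_HTML = """<html><head>
<script>window.M = window.M || {}; M.cfg = {wwwroot: "https://example.test"};</script>
<script src="/lib/javascript.php/1/lib/requirejs/require.min.js"></script>
</head><body><p>hello</p></body></html>"""

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                       re.DOTALL | re.IGNORECASE)
HASH_ALGOS = ("sha256", "sha384", "sha512")


def _has_src(attrs):
    return re.search(r"\bsrc\s*=", attrs, re.IGNORECASE) is not None


def inline_script_bodies(html):
    """Bodies of <script> elements without a src attribute (what CSP treats as inline)."""
    return [m.group("body") for m in SCRIPT_RE.finditer(html) if not _has_src(m.group("attrs"))]


def csp_hash_source(body, algo="sha256"):
    """'sha256-<base64>' source expression for one inline script.

    Browsers hash the exact text between <script> and </script>, so the body
    must not be trimmed or re-indented before hashing."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_hash_policy(html):
    """script-src allowing same-origin scripts plus each existing inline script by hash."""
    sources = ["'self'"] + [csp_hash_source(b) for b in inline_script_bodies(html)]
    return "script-src " + " ".join(sources)


def new_nonce():
    """Fresh per-response nonce: unpredictable, and never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_nonce_policy(nonce):
    return f"script-src 'self' 'nonce-{nonce}'"


def tag_inline_scripts(html, nonce):
    """Stamp the response nonce onto every inline <script> so the browser accepts it."""
    def repl(m):
        if _has_src(m.group("attrs")):
            return m.group(0)
        return f'<script nonce="{nonce}"{m.group("attrs")}>{m.group("body")}</script>'
    return SCRIPT_RE.sub(repl, html)


def sources_of(directive_value):
    """Split "script-src a b c" into its list of source expressions."""
    parts = directive_value.split()
    return parts[1:] if parts and parts[0] == "script-src" else parts


def inline_allowed(sources, body, nonce_attr=None):
    """Would this inline script run under the given script-src sources?

    Mirrors the CSP rule that 'unsafe-inline' is ignored as soon as any
    nonce or hash source appears in the same directive."""
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return any(csp_hash_source(body, a) in sources for a in HASH_ALGOS)


if __name__ == "__main__":
    print(build_hash_policy(SAMPLE_HTML))
    n = new_nonce()
    print(build_nonce_policy(n))
    print(tag_inline_scripts(SAMPLE_HTML, n))
```

Hashes suit inline scripts whose text never changes; nonces suit pages generated per request, because the server must emit a new nonce in both the header and every inline `<script>` tag on each response. In either case the header belongs in the HTTP response, not a `<meta>` tag.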
In reply to Stephen Hooley

Re: Content Security Policy (CSP) and inline scripts

by Dan Marsden
The easiest way to manage CSP in Moodle is to use our CSP tool - it lets you turn it on in report mode before enabling a blocking policy, so you can see what would stop working on your site before implementing the blocking policy:
https://moodle.org/plugins/local_csp

Obviously that won't help you with the whole domain, but hopefully the rest of your domain will be easier to set a policy for that won't need to change much - in Moodle teachers can do all sorts of things/add all sorts of content that could interfere with a CSP policy, so being able to configure it in the Moodle admin UI is really useful.
Average of ratings: Useful (3)
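Running in report mode, as this reply describes, works by sending the policy as `Content-Security-Policy-Report-Only` with a `report-uri` directive, so browsers POST a JSON violation report instead of blocking anything. The following added Python example (not code from the plugin or from Moodle) builds that header and triages a batch of reports by directive and blocked URI, which is the list of "what would stop working". The reports, URLs and function names are constructed for illustration.

```python
import json
from collections import Counter


def report_only_header(policy, report_path="/csp-report"):
    """Value for Content-Security-Policy-Report-Only: the policy is evaluated
    and each violation is POSTed to report_path, but nothing is blocked."""
    return f"{policy}; report-uri {report_path}"


# Constructed violation reports in the classic report-uri JSON shape; they are
# not real reports from any Moodle site.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://moodle.example.test/course/view.php?id=2",
        "effective-directive": "script-src", "violated-directive": "script-src",
        "blocked-uri": "inline", "script-sample": "window.M = window.M || {}"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://moodle.example.test/mod/page/view.php?id=5",
        "effective-directive": "script-src", "violated-directive": "script-src",
        "blocked-uri": "inline", "script-sample": "document.write('teacher embed')"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://moodle.example.test/mod/page/view.php?id=5",
        "effective-directive": "script-src", "violated-directive": "script-src",
        "blocked-uri": "https://cdn.example.test/widget.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://moodle.example.test/course/view.php?id=2",
        "effective-directive": "style-src", "violated-directive": "style-src",
        "blocked-uri": "inline"}}),
    "this is not json",            # malformed body: skipped, not crashed on
    json.dumps({"unrelated": 1}),  # JSON but not a CSP report: skipped
]


def parse_report(raw):
    """Extract directive, blocked-uri, page and sample, or None for unusable input."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    body = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(body, dict):
        return None
    directive = body.get("effective-directive") or body.get("violated-directive")
    if not directive:
        return None
    return {
        "directive": directive.split()[0],  # older reports carry the full directive text
        "blocked": body.get("blocked-uri", ""),
        "page": body.get("document-uri", ""),
        "sample": body.get("script-sample", ""),
    }


def summarize(raw_reports):
    """Group violations by (directive, blocked-uri): each key is one thing that
    would stop working once the policy is enforced. Also records affected pages."""
    counts = Counter()
    pages = {}
    for raw in raw_reports:
        r = parse_report(raw)
        if r is None:
            continue
        key = (r["directive"], r["blocked"])
        counts[key] += 1
        pages.setdefault(key, set()).add(r["page"])
    return counts, pages


def print_summary(raw_reports):
    counts, pages = summarize(raw_reports)
    for (directive, blocked), n in counts.most_common():
        print(f"{n:4d}  {directive:12s} {blocked:45s} pages={len(pages[(directive, blocked)])}")


if __name__ == "__main__":
    print(report_only_header("script-src 'self'; style-src 'self'"))
    print_summary(SAMPLE_REPORTS)
```

A `blocked-uri` of `inline` against `script-src` is exactly the teacher-added or theme-added inline script the thread is about; the `document-uri` set tells you which pages to inspect before switching the same policy to the enforcing `Content-Security-Policy` header.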
In reply to Dan Marsden

Re: Content Security Policy (CSP) and inline scripts

by Stephen Hooley
Thanks Dan, I’ll have a look at the plug-in.

It would be nice to be able to set the CSP directive within the response header rather than using less safe meta tags. Does anyone know if there are any plans or roadmap to remove inline elements from Moodle or create a mechanism for the whitelisting of them in accordance with Mozilla's best practice recommendations?
In reply to Stephen Hooley

Re: Content Security Policy (CSP) and inline scripts

by Dan Marsden
Well - our CSP plugin fulfills the 2nd part of that: "create a mechanism for an allow-list".
As to the first part - you'd need to prevent teachers from being able to add the content - setting "force clean" (under site admin -> security -> site policies) would be one step towards that, but it would likely break some stuff that some teachers will want to add. Obviously it won't remove anything that is added by 3rd party plugins either.
In reply to Dan Marsden

Re: Content Security Policy (CSP) and inline scripts

by Luis de Vasconcelos
Dan, https://moodle.org/plugins/local_csp/versions says that the last version of that plugin is 2019100100. And the supported versions only seem to go up to Moodle 3.7.

The README.md file on https://github.com/catalyst/moodl also doesn't mention the current versions of Moodle as being supported. Last supported version seems to be Moodle 3.7.

Is this plugin still supported?
In reply to Luis de Vasconcelos

Re: Content Security Policy (CSP) and inline scripts

by Dan Marsden
Yep, the readme is wrong. We have this on a lot of sites including 4.0 and a 4.1 testing site.

We don't push all our plugins regularly to moodle.org plugins db as we use git internally to deploy our plugins.
Average of ratings: Useful (2)
In reply to Dan Marsden

Re: Content Security Policy (CSP) and inline scripts

by Luis de Vasconcelos
Thanks Dan. I got the $plugin->version = 2022060300; version from GitHub and it installed successfully on my Moodle 3.9.17+ test server.