General plugins (Local): Content security policy

local_csp
Maintained by Picture of Catalyst IT Catalyst IT, Picture of Suan Kan Suan Kan, Picture of Brendan Heywood Brendan Heywood
This plugin allows an admin to create a Custom Security Policy (CSP) in both reporting mode and enforcing mode. A simple use case is to detect and cleanup issues with non secure content after a migration from http to https, through to advanced policies to mitigate from XSS attacks.
85 sites
22 downloads
4 fans

This plugin allows you to configure a Custom Security Policy (CSP) which is sent via HTTP headers. CSP headers instruct browsers to make certain actions. For example, if a website is available by HTTPS, then a CSP policy of 'default https:;' will tell the browser to prohibit loading of any sources (scripts, css etc.) via HTTP.

Learn more about CSP here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

There are many other CSP rules that browsers can understand and by using them administrators can flexibly tune their website if they wanted to get rid of mixed content or classes of cross-site scripting vulnerabilities. 

Any policy you wish to use can be safely tested first using 'Report only' mode, and this plugin has a built in CSP aggregator and reports all errors which are raised. You can have two different policies, one for testing and one for enforcing and gradually move each directive from 'report' to 'enforcing' after the various issues have been found and fixed.

Screenshots

Screenshot #0
Screenshot #1

Contributors

Picture of Catalyst IT
Catalyst IT (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of Plugins bot
    Tue, 21 Feb 2017, 3:00 PM
    Approval issue created: CONTRIB-6759
  • Picture of Susan Mangan
    Thu, 13 Jul 2017, 3:24 AM
    Hi, just installed this on our test system and seems great so far. Running Moodle version 3.2. I have 2 questions:

    1. The https://github.com/moodlerooms/moodle-tool_httpsreplace reported a far greater number of potentially problematic domains than the CSP violation report did. I guess I'd have to dig around in the code to find out what each is doing exactly to determine why but if anyone has an idea about this that would be very helpful!

    2. I generated a few pages of CSP violation reports, made some changes and reset all statistics. I think perhaps that was not the correct thing to do. Our system technically should be producing the same report it did initially but since I reset statistics I can't seem to find a way to make this happen. I've cleared caches and disabled and re-enabled the plug-in. I can't find anything in the documentation about this. Am I missing something? TIA!
  • Picture of Susan Mangan
    Thu, 13 Jul 2017, 6:02 AM
    One more question.
    Does this plug-in work with IE-11?
    I can block content in Chrome and FFox so far but same content not blocked in IE-11.
    TIA!!
  • Picture of Susan Mangan
    Thu, 13 Jul 2017, 6:09 AM
    Never mind... just viewed the browser compatibility at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP sad
  • Picture of Susan Mangan
    Thu, 13 Jul 2017, 7:39 AM
    Oh ... I think I got it ... I need to apply specific policy for IE... I just used the default policies that were included in the plug-in. And I figured out my report issue - when I removed the custom css for the theme the report showed nothing, put it back, we get the violations again.
  • Picture of Will Lehman
    Mon, 28 Aug 2017, 10:23 AM
    Any plans to release this for Moodle 3.3?
  • Picture of Brendan Heywood
    Tue, 29 Aug 2017, 7:21 AM
    hi Will,

    Have you actually tested it in 3.3? I'd be surprised if it didn't work as-is in 3.3 but I haven't tested it myself. If there is any issues under 3.3 can you please raise them here https://github.com/catalyst/moodle-local_csp/issues

    thanks
Please login to post comments