Content security policy

General plugins (Local) ::: local_csp
Maintained by Catalyst IT, Brendan Heywood
This plugin allows an admin to create a Custom Security Policy (CSP) in both reporting mode and enforcing mode. A simple use case is to detect and cleanup issues with non secure content after a migration from http to https, through to advanced policies to mitigate from XSS attacks.
Latest release:
530 sites
339 downloads
17 fans
Current versions available: 4
Download

This plugin allows you to configure a Custom Security Policy (CSP) which is sent via HTTP headers. CSP headers instruct browsers to make certain actions. For example, if a website is available by HTTPS, then a CSP policy of 'default https:;' will tell the browser to prohibit loading of any sources (scripts, css etc.) via HTTP.

Learn more about CSP here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

There are many other CSP rules that browsers can understand and by using them administrators can flexibly tune their website if they wanted to get rid of mixed content or classes of cross-site scripting vulnerabilities. 

Any policy you wish to use can be safely tested first using 'Report only' mode, and this plugin has a built in CSP aggregator and reports all errors which are raised. You can have two different policies, one for testing and one for enforcing and gradually move each directive from 'report' to 'enforcing' after the various issues have been found and fixed.

Useful links

More documentation on this plugin
Website URL
Source control URL
Bug tracker

Screenshots

Screenshot #0
Screenshot #1

Contributors

Catalyst IT (Lead maintainer)
View other contributions
Brendan Heywood: Architect
View other contributions
Suan Kan
View other contributions
Please login to view contributors details and/or to contact them

Awards

Privacy friendly
Privacy friendly
Automated testing support
Automated testing support

Comments RSS

Show comments
  • Plugins bot
    Plugins bot
    Tue, 21 Feb 2017, 3:00 PM
    Approval issue created: CONTRIB-6759
  • Susan Mangan
    Susan Mangan
    Thu, 13 July 2017, 3:24 AM
    Hi, just installed this on our test system and seems great so far. Running Moodle version 3.2. I have 2 questions:

    1. The https://github.com/moodlerooms/moodle-tool_httpsreplace reported a far greater number of potentially problematic domains than the CSP violation report did. I guess I'd have to dig around in the code to find out what each is doing exactly to determine why but if anyone has an idea about this that would be very helpful!

    2. I generated a few pages of CSP violation reports, made some changes and reset all statistics. I think perhaps that was not the correct thing to do. Our system technically should be producing the same report it did initially but since I reset statistics I can't seem to find a way to make this happen. I've cleared caches and disabled and re-enabled the plug-in. I can't find anything in the documentation about this. Am I missing something? TIA!
  • Susan Mangan
    Susan Mangan
    Thu, 13 July 2017, 6:02 AM
    One more question.
    Does this plug-in work with IE-11?
    I can block content in Chrome and FFox so far but same content not blocked in IE-11.
    TIA!!
  • Susan Mangan
    Susan Mangan
    Thu, 13 July 2017, 6:09 AM
    Never mind... just viewed the browser compatibility at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP sad
  • Susan Mangan
    Susan Mangan
    Thu, 13 July 2017, 7:39 AM
    Oh ... I think I got it ... I need to apply specific policy for IE... I just used the default policies that were included in the plug-in. And I figured out my report issue - when I removed the custom css for the theme the report showed nothing, put it back, we get the violations again.
  • Will Lehman
    Will Lehman
    Mon, 28 Aug 2017, 10:23 AM
    Any plans to release this for Moodle 3.3?
  • Brendan Heywood
    Brendan Heywood
    Tue, 29 Aug 2017, 7:21 AM
    hi Will,

    Have you actually tested it in 3.3? I'd be surprised if it didn't work as-is in 3.3 but I haven't tested it myself. If there is any issues under 3.3 can you please raise them here https://github.com/catalyst/moodle-local_csp/issues

    thanks
  • Tony G
    Tony G
    Wed, 15 Apr 2020, 5:08 PM
    Hi,

    May I have the list of what CSP is supported in this plugin? Thank you.
  • Sketch...
    Luis de Vasconcelos
    Thu, 13 Oct 2022, 8:12 PM
    Is this plugin still supported in the currently supported versions of Moodle, as of October 2022, i.e. Moodle 3.9 and up?
    https://github.com/catalyst/moodle-local_csp/issues/77
  • Sketch...
    Luis de Vasconcelos
    Wed, 19 Oct 2022, 4:00 PM
    I tested the version from GitHub on my Moodle 3.9.17+ test server and it installed successfully, although the README.md file is a bit out of date.
    So, install the version from https://github.com/catalyst/moodle-local_csp. This https://moodle.org/plugins/local_csp page doesn't always have the latest version of the plugin.
  • Takeshi Matsuzaki
    Takeshi Matsuzaki
    Sat, 9 Mar 2024, 5:04 PM
    Thank you for the nice plugin.
    Let me have a question. I may mis-understand something.
    --
    I made this setting. It seems nice for testing cookies.
    "HttpOnly;Secure;SameSite=Strict"

    But it seems no effect for this value.
    Set-Cookie: MoodleSession
    The cookie is "secure; SameSite=None".
  • Robert Schrenk
    Robert Schrenk
    Wed, 13 Mar 2024, 11:16 PM
    The last change in Github is more than one year old. It would be nice if the current version from github (2022060300) could be published here, was the latest version in the Moodle plugins database is very old ... 2019100100 !!!
  • Takeshi Matsuzaki
    Takeshi Matsuzaki
    Mon, 1 Apr 2024, 10:41 AM
    Sorry!!! I was very confuses. Cookie is not relation with CSP. It's on httpd.conf.
    Close my post.
Please login to post comments