Refine Content Security Policies #442
Comments
ggrossetie
added
✨ enhancement
💬 discussion
Reading the documentation again, it seems that we can only allow a domain so: |
|
Thanks for continuing to look into this @Mogztter 👏
Correct.
I think you have precisely understood the issue -- whitelisting an entire CDN which is the only option (without using integrity hashes) is antithetical to the security principle of least privilege. CDNs themselves are at best controversial from a security point of view: https://httptoolkit.tech/blog/public-cdn-risks/ My preference is to continue to go down the path we are going down. If we're going to whitelist by CDN we could give everyone a really good user experience and no security by eliminating the option. OK, it's not quite that bad but I doubt it would pass a security assessment. Users should be able to open random Asciidoc files with pass-throughs and other problems from untrusted websites without this being an attack vector IMHO. Another point of view is to note that recently there were changes in VS Code (perhaps because of problems) where you had to express some trust in your local folders that you are using. If that's true then access to remote resources should be at least as well controlled.
Mmmm... I agree about the confused bit 😕. We have quite a few open issues related to this 😖. I think there are not so many places where we need this improvement and perhaps it is limited to:
I think if all those worked "out of the box" and you had reduced security levels otherwise that would be OK for 90% of users. (I note that you've been discussing this here: asciidoctor/asciidoctor#3728). Now perhaps we have (at least) one option too many in our security settings -- 4 is a lot, especially for users who may not understand the insides of Asciidoctor / VSCode / web security etc.
I think we could integrate the workspace trust settings into the security settings. This has already been proposed for Markdown: I think then our options should be renamed and there should be only two:
With only "Disable Security" and "Safe" I think the user options are clearer. And while I'm thinking about this if we're going to address the security settings, then a change in security settings really should force a re-render as that increases the confusion for everyone (probably that should be a new issue).
Previously it has been proposed to remove the Asciidoctor CLI option. I think it requires too much effort to continue to maintain parity between command-line / Ruby / some executable and Asciidoctor.js and I don't think we should try. We should just document, "You can use Ruby but there are some limitations, please don't file issues" (so for instance Kroki and scroll sync don't work now). |
|
Incidentally the security model that VS Code is working with has this as an architectural approach:
(see here) While we're thinking about CSPs, there is also a CORS issue with the extension at the moment for loading the fonts specified in the Asciidoctor stylesheet. Maybe that is related or maybe it should be a separate issue.
It may be related to: microsoft/vscode#102959 It appears as though fonts might have to be manually loaded using a proxy server (perhaps this is relevant). What these all have in common is that Asciidoctor may need to provide additional capabilities to either download and embed resources or otherwise specify that they are whitelisted. |
Is there an existing issue? I can't find it.
Another way to look at it is to use an offline-first approach where we rely on a local copy of Highlight.js, Font Awesome and MathJax. Asciidoctor (core) relies on CDN because we don't want to include third party libraries into the core but an extension can. This approach has two main benefit. First, the preview will work without Internet access (which is quite nice). And second, it will solve most (if not all) our security concerns/issues with CSP. The preview might also be a bit faster since we won't rely on the network anymore.
I agree, we have too many options.
Unfortunately, I think many companies are using http behind firewalls. Having said that, allowing
We might need a third option where users will be able to configure the CSP they want to apply. Or at least a way to allow them to whitelist domains. That way, if they are using a service (behind firewalls) over http then they can allow it without disabling CSP completely.
👍🏻
It seems that the stylesheet is loaded from a domain |
|
It seems like we have landed on making standard Asciidoctor preview resources available offline (fonts, admonitions, mathjax, highlight) as the way forward. I'm good with that. We would probably have it as a user preference and default it to on? I guess this would require some templating or extensions and can probably be facilitated by a good set of npm modules. For the security options, we could include a whitelist in the "Safe" security option as a user preference so we only had two options. If someone needed or wanted to use online resources they could whitelist a CDN or specify the domain for local resources as an explicit user choice. WDYT? |
|
Fixed in #547 |
The current CSP used in the WebView are actually controller by the extension.
I believe that we inherited from the Markdown extension:
https://github.com/microsoft/vscode/blob/c77dbe95658ae11ec6f58a75a945827eb8c47692/extensions/markdown-language-features/src/features/previewContentProvider.ts#L209-L229
While CSP are useful, I think we should refine the policies to align with all the built-in features that Asciidoctor provides.
For instance, if we are using SRI on scripts loaded from https://cdnjs.cloudflare.com/ then it's safe to use:
For extra safety, we could do:
Currently, the user experience is not great and users are (mostly) confused by CSP. I think we could use relaxed policies by default until we can enforce better policies.
The text was updated successfully, but these errors were encountered: