Need a more restrictive Content Security Policy

I’m getting heat from a client, complaining that my application’s CSP is too permissive.
I don’t use custom view tags like maps or youtube, but I do use Google Authenticator for 2FA.

I know I can change the CSP adding code like this to the global code:

Config()->append("CSP.[directive]", "[value]");

But I can’t find information on what is required by which feature.
So, how can the CSP be more restrictive? What is the minimum required for Google Authenticator, for instance? Can some of those wildcards be removed? Can some of those ‘unsafe’ settings be disabled?

Right now, Config(“CSP”) in config.php is:

    "CSP" => [
        "font-src" => [
            "self" => true,
            "data" => true,
            "allow" => [
                "https://fonts.gstatic.com",
            ],
        ],
        "form-action" => [
            "self" => true,
        ],
        "object-src" => [
            "self" => true,
        ],
        "frame-ancestors" => [
            "self" => true,
        ],
        "frame-src" => [
            "self" => true,
            "allow" => [
                "*.google.com",
                "*.youtube.com",
            ],
        ],
        "script-src" => [
            "self" => true,
            "unsafe-inline" => true,
            "unsafe-eval" => true,
            "blob" => true,
            "allow" => [
                "https://www.google-analytics.com",
                "https://*.googleapis.com",
                "https://*.gstatic.com",
                "*.google.com",
                "https://*.ggpht.com",
                "*.googleusercontent.com",
                "https://js.pusher.com",
                "https://cdn.tiny.cloud",
                "https://*.youtube.com",
            ],
        ],
        "connect-src" => [
            "self" => true,
            "blob" => true,
            "data" => true,
            "allow" => [
                "https://*.googleapis.com",
                "https://*.gstatic.com",
                "*.google.com",
            ],
        ],
        "style-src" => [
            "self" => true,
            "unsafe-inline" => true,
            "allow" => [
                "https://*.gstatic.com",
                "https://*.googleapis.com",
            ],
        ],
        "style-src-attr" => [
            "unsafe-inline" => true,
        ],
        "img-src" => [
            "self" => true,
            "blob" => true,
            "data" => true,
            "allow" => [
                "https://*.googleapis.com",
                "https://*.gstatic.com",
                "https://*.openstreetmap.org",
                "https://api.mapbox.com",
                "*.google.com",
                "*.googleusercontent.com",
            ],
        ],
        "worker-src" => [
            "self" => true,
            "blob" => true,
        ],
    ]

Hoping someone can shed some light on this. Thanks!

You may refer to the docs of CSPBuilder.

I altered the CSP settings. Basically, I emptied all the “allow” arrays and everything seems to still work:

    "CSP" => [
        "font-src" => [
            "self" => true,
            "data" => true,
            "allow" => [
            ],
        ],
        "form-action" => [
            "self" => true,
        ],
        "object-src" => [
            "self" => true,
        ],
        "frame-ancestors" => [
            "self" => true,
        ],
        "frame-src" => [
            "self" => true,
            "allow" => [
            ],
        ],
        "script-src" => [
            "self" => true,
            "unsafe-inline" => true,
            "unsafe-eval" => true,
            "blob" => true,
            "allow" => [
            ],
        ],
        "connect-src" => [
            "self" => true,
            "blob" => true,
            "data" => true,
            "allow" => [
            ],
        ],
        "style-src" => [
            "self" => true,
            "unsafe-inline" => true,
            "allow" => [
            ],
        ],
        "style-src-attr" => [
            "unsafe-inline" => true,
        ],
        "img-src" => [
            "self" => true,
            "blob" => true,
            "data" => true,
            "allow" => [
            ],
        ],
        "worker-src" => [
            "self" => true,
            "blob" => true,
        ],
    ]

So, what do all those allowed sites actually do?

The URLs in the “allow” array are a list of URLs or IP addresses of hosts that are valid sources for the resource; read <host-source>.

Thanks for the explanation, but my question is more about why those sites are in PHP Maker’s CSP. I tried removing them from the “allow” arrays and everything seems to work. Am I missing something?
The real question is that the CSP settings in PHP Maker should come at least with comments explaining which features require them. Right now, users have no option other than disabling things blindly and testing the effect, which is less than ideal, as it’s easy to miss something.

Related question: the page you shared says this:

Warning: Developers should avoid 'unsafe-eval', because it defeats much of the purpose of having a CSP.

A similar warning exists for “unsafe-inline”.
Unfortunately, when I tried disabling those, I got a bunch of errors and it broke 2FA. Also tried enabling nonce (strict CSP), but no success. As the warning says, there’s no point in adding CSP functionality to PHP Maker if it only works with “unsafe-eval” and “unsafe-inline” enabled.
How can one disable those and keep the most functionality? These are must-haves for what features? Thanks.

It’s not a problem of “PHP Maker” requirements; it depends on library requirements. If a library requires a nonce and you can’t set it up, then you have to activate unsafe-eval. Enabling a nonce is not so simple, because the nonce must change every time.
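To make the last point concrete, here is an added example (not PHPMaker’s or CSPBuilder’s own code) that renders an array in the same shape as the config.php fragment above into a header value, and shows a fresh per-request nonce replacing 'unsafe-inline' on script-src and style-src. The key-to-token mapping, `buildCsp` and `newNonce` are assumptions made for illustration.

```php
<?php
// Added example: render a PHPMaker-style CSP array to a header value and
// swap 'unsafe-inline' for a per-request nonce. Hypothetical helpers.
declare(strict_types=1);

// Assumed mapping of the boolean keys in the config fragment to CSP tokens.
const CSP_TOKENS = [
    'self'          => "'self'",
    'unsafe-inline' => "'unsafe-inline'",
    'unsafe-eval'   => "'unsafe-eval'",
    'data'          => 'data:',
    'blob'          => 'blob:',
];

// Build the header value. When $nonce is given, script-src and style-src get
// 'nonce-...' and lose 'unsafe-inline' (browsers that understand nonces
// ignore 'unsafe-inline' in that directive anyway).
function buildCsp(array $csp, ?string $nonce = null): string
{
    $parts = [];
    foreach ($csp as $directive => $rules) {
        $sources  = [];
        $useNonce = $nonce !== null && in_array($directive, ['script-src', 'style-src'], true);
        foreach (CSP_TOKENS as $key => $token) {
            if (!empty($rules[$key]) && !($useNonce && $key === 'unsafe-inline')) {
                $sources[] = $token;
            }
        }
        if ($useNonce) {
            $sources[] = "'nonce-{$nonce}'";
        }
        foreach ($rules['allow'] ?? [] as $host) {
            $sources[] = $host;           // host-source entries, as in the thread
        }
        $parts[] = $directive . ' ' . implode(' ', $sources ?: ["'none'"]);
    }
    return implode('; ', $parts);
}

// Unpredictable nonce, generated anew for every response and never reused.
function newNonce(): string
{
    return base64_encode(random_bytes(16));
}

// Constructed sample in the thread's format (weak: 'unsafe-inline' on script-src).
$config = [
    'script-src' => ['self' => true, 'unsafe-inline' => true, 'blob' => true, 'allow' => []],
    'style-src'  => ['self' => true, 'unsafe-inline' => true, 'allow' => []],
];

$nonce = newNonce();
header('Content-Security-Policy: ' . buildCsp($config, $nonce));
// Every inline <script>/<style> the page emits must carry this same nonce.
echo "<script nonce=\"{$nonce}\">/* inline script permitted by its nonce */</script>";
```

Only `<script>` and `<style>` elements can carry a nonce; inline `style="…"` attributes cannot, which is why `style-src-attr` in the config above still relies on 'unsafe-inline'. If any generated inline script lacks the nonce it is blocked, which is the practical reason a library that does not propagate the nonce forces you back to 'unsafe-inline'.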