Google Services wild card fragment updates
Wildcard rules do not care what the protocol is, so any rules have been updated to use `https`. Ideally, since SilverStripe uses either TLS or SSL, we should force all URI/URLs to use the `https` protocol. `upgrade-insecure-requests` should handle any that aren't covered, but it makes sense to be explicit.

Wildcards only match the leftmost domain label. In the case of `*.example.com`, only `a.example.com` would be matched, not `a.b.example.com`. Thus specifying the entire URL is required.

Additionally, wildcards only match DNS labels; they do not match schemes, e.g. `www.example.com` is not matched on `*.example.com`. Thus full domain labels are required for the hostname as well as any required subdomain wildcard matching.

Also included in this change is a new configurable setting for whitelisting Google-supported domains on the IMG-SRC directive, as Google services like to use localised regional domains for endpoints rather than default URLs like `https://www.google.com` on IMG-SRC directives. This was an alternative to specifying all the domains, as that made the header size too large.
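The matching rules the commit message reasons about are the browser's, so the following is a small matcher that follows the CSP Level 3 source-expression algorithm for scheme-source and host-source entries. It is an added illustration for this page, not code from this commit or from the module; the `checks` table and the `originScheme` default of `https:` are constructed for the example, and path matching is simplified (no percent-decoding, no redirect handling). Run it under Node to see which URLs the expressions used in this diff accept: which hosts `*.example.com` covers (the apex versus one or several extra labels), what a scheme-less `*.doubleclick.net` matches on an https page, and what a bare `https:` on `img-src` opens up.

```javascript
// Added illustration of CSP Level 3 source-expression matching for the
// scheme-source ("https:") and host-source ("[scheme://]host[:port][/path]")
// forms. Not part of the commit or the module being patched. Reference:
// https://www.w3.org/TR/CSP3/#match-url-to-source-expression
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Scheme-part match: an http source also covers https, and ws covers wss.
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === 'http:' && urlScheme === 'https:') return true;
  if (exprScheme === 'ws:' && urlScheme === 'wss:') return true;
  return false;
}

// Host-part match. "*.example.com" matches every host that ends in
// ".example.com" and has at least one more label, however many labels
// precede it (a.example.com, a.b.example.com, www.example.com), but never
// the bare apex "example.com". A lone "*" matches any host.
function hostMatches(exprHost, urlHost) {
  const expr = exprHost.toLowerCase();
  const host = urlHost.toLowerCase();
  if (expr === '*') return true;
  if (expr.startsWith('*.')) {
    const suffix = expr.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return expr === host;
}

// Split one source expression into its parts (subset of the CSP3 grammar).
function parseSourceExpression(expr) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return { kind: 'scheme', scheme: expr.toLowerCase() };
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^:\/*]+|\*)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    kind: 'host',
    scheme: m[1] ? `${m[1].toLowerCase()}:` : null,
    host: m[2],
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Does urlString match expr for a document whose origin scheme is originScheme?
function sourceMatches(expr, urlString, originScheme = 'https:') {
  const src = parseSourceExpression(expr);
  const url = new URL(urlString);
  if (src.kind === 'scheme') return schemeMatches(src.scheme, url.protocol);

  // A scheme-less host-source inherits the protected page's scheme, so on an
  // https page "*.doubleclick.net" and "https://*.doubleclick.net" are equivalent.
  if (!schemeMatches(src.scheme || originScheme, url.protocol)) return false;
  if (!hostMatches(src.host, url.hostname)) return false;

  // Port: no port in the expression means the URL must use its scheme's default
  // (WHATWG URL reports '' for a default port); "*" allows any port.
  if (src.port === null) {
    if (url.port !== '') return false;
  } else if (src.port !== '*' && src.port !== (url.port || DEFAULT_PORTS[url.protocol])) {
    return false;
  }

  // Path: a trailing "/" means prefix match, otherwise the path must be exact.
  if (src.path !== null) {
    if (src.path.endsWith('/')) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) return false;
  }
  return true;
}

// Does any expression in a directive's source list allow the URL?
function directiveAllows(sources, urlString, originScheme = 'https:') {
  return sources.some((s) => sourceMatches(s, urlString, originScheme));
}

// Constructed checks covering the hosts discussed in the commit message and the
// doubleclick entries in this diff, for a page served over https.
const checks = [
  ['*.example.com', 'https://a.example.com/'],                        // true
  ['*.example.com', 'https://a.b.example.com/'],                      // true: any number of leading labels
  ['*.example.com', 'https://www.example.com/'],                      // true
  ['*.example.com', 'https://example.com/'],                          // false: the apex has no extra label
  ['*.doubleclick.net', 'http://bid.g.doubleclick.net/'],             // false: scheme-less source inherits https
  ['https://*.doubleclick.net', 'https://stats.g.doubleclick.net/x'], // true: the wildcard already covers it
  ['http://bid.g.doubleclick.net', 'https://bid.g.doubleclick.net/'], // true: http source also matches https
  ['https:', 'https://anything.invalid/pixel.gif'],                   // true: every https host is allowed
];
for (const [expr, url] of checks) {
  console.log(`${expr.padEnd(28)} ${url.padEnd(42)} ${sourceMatches(expr, url)}`);
}
```

The last row is the security-relevant one for the new `whitelist_google_regional_domains` flag: once `https:` sits in `img-src`, the directive no longer restricts origins at all for images, so any markup an attacker can inject can make the browser fetch an image from a host they control, which is enough to leak data in the URL. Listing the regional Google hosts is larger but keeps that boundary.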
jareddreyerss committed Nov 10, 2021
1 parent d705f32 commit 88902ee
Showing 3 changed files with 67 additions and 4 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -80,6 +80,16 @@ public function configure(): void
}
```

## Google Tag Manager / Adservices whitelist
Google uses localised regional domains for visitors for image tracker loading, which can pile up report violations with `google.com|.co.nz|.com.au` etc in your reporting tool.
To resolve this and rather than specifying all of Google's listed support domains (see https://www.google.com/supported_domains)
A white list config can be set to the GTM fragment to whitelist all `https:` URLs on the `img-src` directive, for example:
```yaml
Silverstripe\CSP\Fragments\GoogleTagManager:
whitelist_google_regional_domains: true
```
> See also ImagesOverHTTPs::class for more basic cover of https images.
## SRI
We also support SRI in this module, you can enable this via yaml:
```yaml
Expand Down
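Review bot: the new "Google Tag Manager / Adservices whitelist" section should spell out the trade-off of `whitelist_google_regional_domains: true`: putting `https:` in `img-src` allows image loads from every HTTPS origin, not only Google's regional domains, so any injected markup can trigger image requests to an attacker-chosen host; say that listing the regional hosts is the stricter alternative and this flag trades that for a smaller header. It should also explain how the flag differs from the existing `ImagesOverHTTPs` fragment mentioned in the "See also" line, since both appear to add `https:` to `img-src`. Wording: "A white list config" should be "A whitelist config", and the sentence beginning "To resolve this" has no main clause; join it with the following line.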
29 changes: 29 additions & 0 deletions src/Fragments/GoogleMaps.php
@@ -0,0 +1,29 @@
<?php

namespace App\ContentSecurity\Fragments;

use Silverstripe\CSP\Directive;
use Silverstripe\CSP\Fragments\Fragment;
use Silverstripe\CSP\Policies\Policy;

/*
* Allows execution of Google Maps API related resources
* Nonce on the https://maps.google.com/maps/api/js URL is required before using this fragment.
*
* https://content-security-policy.com/examples/google-maps/
*/
class GoogleMaps implements Fragment
{
public static function addTo(Policy $policy): void
{
$policy
->addDirective(Directive::CONNECT, 'https://maps.googleapis.com')
->addDirective(Directive::IMG,
[
'https://maps.gstatic.com',
'https://*.googleapis.com',
'https://*.ggpht.com'
]
);
}
}
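Review bot: the namespace `App\ContentSecurity\Fragments` does not match the module's `Silverstripe\CSP\Fragments` used by `GoogleTagManager.php` in this same commit and implied by the path `src/Fragments/GoogleMaps.php`; under PSR-4 autoloading a class named `Silverstripe\CSP\Fragments\GoogleMaps` will not be found, so this fragment cannot be referenced from config. Change it to `namespace Silverstripe\CSP\Fragments;`. Second, no `Directive::SCRIPT` source is added: the docblock relies on a nonce on the loader, but the referenced example at content-security-policy.com lists `https://maps.googleapis.com` under script-src for the scripts the loader fetches, so either add that entry or state that the fragment expects `'strict-dynamic'`. Minor: `https://*.googleapis.com` on img-src is wider than the Maps hosts this fragment is about, and the class comment should open with `/**` to be a docblock.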
32 changes: 28 additions & 4 deletions src/Fragments/GoogleTagManager.php
Expand Up @@ -2,6 +2,7 @@

namespace Silverstripe\CSP\Fragments;

use SilverStripe\Core\Config\Configurable;
use Silverstripe\CSP\Directive;
use Silverstripe\CSP\Keyword;
use Silverstripe\CSP\Policies\Policy;
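Review bot: only `use SilverStripe\Core\Config\Configurable;` is added here, yet the change to `undocumented()` later in this file references `Scheme::HTTPS`. Unless `Scheme` is already imported in the elided lines, the unqualified name resolves to `Silverstripe\CSP\Fragments\Scheme` and the flag's code path fails with a class-not-found error at runtime. Add the import alongside `Directive` and `Keyword`, e.g. `use Silverstripe\CSP\Scheme;` if that is where the class lives, and exercise the `true` branch once before merging.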
Expand All @@ -12,6 +13,10 @@
*/
class GoogleTagManager implements Fragment
{
use Configurable;

private static bool $whitelist_google_regional_domains = false;

public static function addTo(Policy $policy): void
{
self::undocumented($policy);
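Review bot: `private static bool $whitelist_google_regional_domains = false;` has no doc comment, and this is a setting that loosens the policy; add a `@config` docblock stating that enabling it adds `https:` to `img-src`, which allows images from any HTTPS origin, so a reader of the class sees the impact without opening the README. Also note that a typed static property requires PHP 7.4 or later; confirm the module's composer constraint allows it, as nothing else in this diff is version-gated.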
Expand All @@ -25,14 +30,33 @@ public static function addTo(Policy $policy): void
}

/*
* These were ones not in the docs and had issues popping up
* CSP reported directive URIs that were not covered in the google docs
* and were continually over reporting CSP URI infringements.
*
* https://developers.google.com/web/fundamentals/security/csp#implementation_details
*/
public static function undocumented(Policy $policy): void
{
$policy
->addDirective(Directive::FRAME, '*.doubleclick.net')
->addDirective(Directive::CONNECT, '*.doubleclick.net')
->addDirective(Directive::IMG, '*.doubleclick.net');
->addDirective(Directive::FRAME,
[
'https://*.doubleclick.net',
'https://stats.g.doubleclick.net',
'http://bid.g.doubleclick.net',
]
)
->addDirective(Directive::CONNECT, [
'https://adservice.google.com',
'https://www.google.com',
'https://*.doubleclick.net',
]);

// Google uses localised regional endpoint domains for their services
// if seeing regional google domain report violations
// setting this config will whitelist all img-src to allow 'https:'.
if (self::config()->get('whitelist_google_regional_domains') === true) {
$policy->addDirective(Directive::IMG, Scheme::HTTPS);
}
}

/*
Expand Down
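Review bot: this hunk silently regresses the `img-src` allowance. The removed lines added `*.doubleclick.net` to `Directive::IMG` unconditionally; the new code adds nothing to `img-src` unless `whitelist_google_regional_domains` is true, so sites with the default `false` will start blocking DoubleClick images, which the commit message does not mention. Either keep `https://*.doubleclick.net` in an unconditional `Directive::IMG` call or document the behaviour change. Two further points on the frame-src list: `http://bid.g.doubleclick.net` contradicts the stated goal of forcing `https`, and on a page served over HTTPS an `http:` iframe is blockable mixed content regardless of CSP, so the entry buys nothing; and `https://stats.g.doubleclick.net` is redundant next to `https://*.doubleclick.net`, because a CSP wildcard host-source matches any number of leading labels. Finally, the comment "if seeing regional google domain report violations / setting this config will whitelist all img-src to allow 'https:'" should read "if regional Google domains show up in CSP violation reports, enabling this config adds 'https:' to img-src, which allows images from any HTTPS origin".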
