[Libwebsockets] Content Security Policy
andy at warmcat.com
Wed Sep 12 07:45:18 CEST 2018
There are a few new technologies that are in lws now because of the

- Threadpool I wrote about before, that has become stable and is

- Improved HTTP[S] proxying, including so-called "reverse proxying" of
  other processes into the lws URL space using unix domain sockets.
  libwebsockets.org and warmcat.com are using gitohashi in that mode; it's
  a separate process providing access to different gitohashi vhosts
  (programmed using the lws config JSON) via different unix sockets. Each
  vhost serves from its own threadpool.

- Content Security Policy
Basically if you use any gitweb type interface to serve repos that are
not under your control, there's a possibility of XSS (script injection).
Gitohashi sanitizes input from the repo and takes effective steps to
mitigate rendering scripts in markdown or highlighting, see
and the "XSS mitigation" section here
So there is quite a strong "belt" in place that makes it very hard to
fool us into rendering something malicious. Content Security Policy is
the additional "braces" to defeat anything that slips through. It's
basically a sort of selinux for your web page, with the policy set by a
header and enforced by the browser. If the CSP says that inline scripts
are banned, it doesn't matter if XSS injects a perfectly formed script.
It's not going to get executed by the browser. Of course, banning
inline scripts means you can't use them in your page either, so you have
to rearrange some things.
Both libwebsockets.org and warmcat.com now serve with a
super-restrictive CSP, which has meant modifications to the test server
and server status html + scripts on master. I really recommend everyone
using lws learn about CSP and follow the most restrictive version for
their own implementation. It's not that hard, and the additional work
also makes the html and css and js more maintainable.
There's a writeup of what that means here:
Mozilla have a tool for assessing site hardness against xss and other
malicious trickery here
You can see the result for warmcat.com (of course, serving using lwsws)
is A+ (120 out of 100 :-o )
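As an added illustration of the "inline scripts banned" point above (this is example code, not part of the post and not from the libwebsockets or gitohashi projects), the script below parses a Content-Security-Policy header value the way a browser does, one directive per ';'-separated segment with the first token naming the directive, and then audits the effective script policy for the settings that quietly re-open the door to injected scripts: 'unsafe-inline', 'unsafe-eval', wildcard or bare-scheme sources, an unrestricted object-src and a missing base-uri. The two sample policies are constructed for the example and are not the headers served by warmcat.com or libwebsockets.org.

```python
"""Parse a Content-Security-Policy header and flag directives that undo
the inline-script protection the policy is supposed to provide.

Added example; not code from the libwebsockets post or project.
"""

# Constructed sample policies for the example (not the live warmcat.com /
# libwebsockets.org headers). The first looks like a policy someone
# loosened until their page "worked again"; the second is a restrictive
# policy of the kind the post recommends.
PERMISSIVE = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
RESTRICTIVE = (
    "default-src 'none'; script-src 'self'; style-src 'self'; "
    "img-src 'self'; connect-src 'self'; font-src 'self'; "
    "frame-ancestors 'none'; base-uri 'none'; form-action 'self'"
)

# Source expressions that make script-src effectively open.
BROAD_SCRIPT_SOURCES = ("*", "http:", "https:", "data:")


def parse_csp(header):
    """Return {directive: [source, ...]} for a CSP header value.

    Directives are separated by ';'. Within a directive the first token is
    the name and the rest are source expressions. Browsers honour only the
    first occurrence of a directive name, so duplicates are ignored here too.
    """
    policy = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective(policy, directive):
    """Resolve a fetch directive, falling back to default-src when absent.

    Returns None when neither the directive nor default-src is present,
    i.e. when the browser applies no restriction at all.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header):
    """Return a list of human-readable findings; an empty list means the
    policy blocks inline/injected script as far as these checks go."""
    policy = parse_csp(header)
    findings = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append("no script-src or default-src: inline scripts are allowed")
    else:
        sources = [s.lower() for s in script]
        if "'unsafe-inline'" in sources:
            findings.append("script-src allows 'unsafe-inline': an injected <script> block runs")
        if "'unsafe-eval'" in sources:
            findings.append("script-src allows 'unsafe-eval': string-to-code (eval) is permitted")
        for s in sources:
            if s in BROAD_SCRIPT_SOURCES:
                findings.append("script-src allows broad source %s: any host on that scheme can serve script" % s)

    # object-src falls back to default-src; only a default of 'none' covers it.
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted: plugin content can execute script")

    # base-uri does NOT fall back to default-src; an injected <base> tag can
    # redirect relative script URLs to another origin.
    if "base-uri" not in policy:
        findings.append("base-uri missing: injected <base> can rebase relative script URLs")

    return findings


if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print("%s policy: %s" % (label, header))
        problems = audit_csp(header)
        for p in problems:
            print("  - " + p)
        if not problems:
            print("  (no findings)")
```

The point the post makes about having to "rearrange some things" shows up in the audit: a restrictive policy passes only because every script is served as a same-origin file rather than written inline, and the permissive policy fails precisely on the sources people add to avoid that rearrangement. Where a specific inline script genuinely cannot be moved, CSP also accepts per-response 'nonce-...' or hash source expressions, which allow that one block without re-enabling 'unsafe-inline' for everything else.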