[Libwebsockets] Content Security Policy

Andy Green andy at warmcat.com
Wed Sep 12 07:45:18 CEST 2018


Hi -

There are a few new technologies that are in lws now because of the 
gitohashi work.

  - Threadpool I wrote about before, that has become stable and is 
working well.

  - Improved HTTP[S] proxying, including so-called "reverse proxying" of 
other processes into the lws URL space using unix domain sockets. 
libwebsockets.org and warmcat.com are using gitohashi in that mode; it's 
a separate process providing access to different gitohashi vhosts 
(programmed using the lws config JSON) via different unix sockets.  Each 
vhost serves from its own threadpool.

  - Content Security Policy

Basically if you use any gitweb type interface to serve repos that are 
not under your control, there's a possibility of XSS (script injection).

Gitohashi sanitizes input from the repo and takes effective steps to 
mitigate rendering scripts in markdown or highlighting, see

https://warmcat.com/git/gitohashi/tree/xss

and the "XSS mitigation" section here

https://warmcat.com/git/gitohashi/tree

So there is quite a strong "belt" in place that makes it very hard to 
fool us into rendering something malicious.  Content Security Policy is 
the additional "braces" to defeat anything that slips through.  It's 
basically a sort of selinux for your web page, with the policy set by a 
header and enforced by the browser.  If the CSP says that inline scripts 
are banned, it doesn't matter if xss injects a perfectly formed script. 
It's not going to get executed by the browser.  Of course, banning 
inline scripts means you can't use them in your page either, so you have 
to rearrange some things.
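A small illustration of the "policy in a header, enforced by the browser" idea (added example, not lws or gitohashi code; the two policies and the URLs in it are constructed): it parses a CSP string and answers whether an injected inline script, or an external one, would be allowed to run.

```python
"""Minimal Content-Security-Policy evaluator (added example, not lws code).

Models the point above: the policy is just a header string, and the
browser, not the page, decides whether a script runs.
"""
from urllib.parse import urlsplit

# Constructed policies: a permissive one and a restrictive one of the
# kind the post recommends (not the actual warmcat.com policy).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
              "img-src 'self'; connect-src 'self'; base-uri 'none'; "
              "frame-ancestors 'none'")


def parse_csp(header):
    """Split "dir src src; dir src" into {directive: [sources]}.
    Directive names are case-insensitive; the first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def inline_script_allowed(policy):
    """Inline <script> runs only with 'unsafe-inline'; a nonce or hash source
    in the same directive makes 'unsafe-inline' ignored (CSP Level 2+)."""
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        return True
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
    return "'unsafe-inline'" in srcs and not nonce_or_hash


def external_script_allowed(policy, script_url, page_origin):
    """Host matching for <script src=...>: 'none', 'self', exact origin,
    '*' or a leading '*.' host wildcard (scheme/port ignored for wildcards)."""
    srcs = effective_sources(policy, "script-src")
    if srcs is None:
        return True
    if srcs == ["'none'"]:
        return False
    url = urlsplit(script_url)
    origin = f"{url.scheme}://{url.netloc}"
    for src in srcs:
        if (src == "'self'" and origin == page_origin) or src in (origin, "*"):
            return True
        if src.startswith("*.") and (url.hostname or "").endswith(src[1:]):
            return True
    return False
```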

Both libwebsockets.org and warmcat.com now serve with a 
super-restrictive CSP, which has meant modifications to the test server 
and server status html + scripts on master.  I really recommend everyone 
using lws learn about CSP and follow the most restrictive version for 
their own implementation.  It's not that hard, and the additional work 
also makes the html and css and js more maintainable.

There's a writeup of what that means here:

https://libwebsockets.org/git/libwebsockets/tree/READMEs/README.content-security-policy.md

Mozilla have a tool for assessing site hardness against xss and other 
malicious trickery here

https://observatory.mozilla.org/

You can see the result for warmcat.com (of course, serving using lwsws) 
is A+ (120 out of 100 :-o )

https://observatory.mozilla.org/analyze/warmcat.com

-Andy
