Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added additional CSP contents to enable videojs and ipcamera binding #698

Merged
merged 2 commits into from
Dec 27, 2020
Merged

Added additional CSP contents to enable videojs and ipcamera binding #698

merged 2 commits into from
Dec 27, 2020

Conversation

digitaldan
Copy link
Contributor

@digitaldan digitaldan commented Dec 24, 2020
edited
Loading

Signed-off-by: Dan Cunningham dan@digitaldan.com

i was not able to load m3u8/ts content from our ipcamera binding with the new video widget as the CSP policy was blocking the media being loaded as well as blocking a web worker from doing something (might be in the videojs library?) .

The camera binding runs the HLS stream for cameras on different ports, so camera 1 might have a http dash stream on 10001, camera2 on 10002, and so on , which the browser will treat as different domains i believe. I'm no expert on CSP policy so i don't know if the exceptions in this PR create a meaningful security hole.

I personally would rather have a bit more relaxed CSP policy to load external content since the UI is not normally exposed unauthenticated (by firewall, the cloud service, etc..)

@digitaldan
Adds additional CSP contents to enable videojs and our ipcamera binding
f6ef931 
Signed-off-by: Dan Cunningham <dan@digitaldan.com>
@digitaldan digitaldan requested a review from a team as a code owner December 24, 2020 18:12
@ghys
Copy link
Member

ghys commented Dec 25, 2020

Thanks for the investigation!
What I don't understand is that according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src the allowed sources are used for directives that aren't specified explicitly, including media-src and worker-src, so this shouldn't be necessary in theory as the default-src is already pretty lax... I have been able to use videos on random websites in the video widget and never got CSP issues.

@digitaldan
Copy link
Contributor Author

Here is my setup and the exact error i get without the additional csp content

 - component: oh-video-card
          config:
            type: application/x-mpegurl
            title: Front Drive
            item: CameraFrontDrivewayHLS

the item CameraFrontDrivewayHLS is set to: http://192.168.100.15:11002/ipcamera.m3u8

when the page loads i get these in the log, and the video never loads:

Refused to create a worker from 'blob:http://oh:8080/55741f13-85e1-4327-8674-93e844e6efbc' because it violates the following Content Security Policy directive: "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load media from 'blob:<URL>' because it violates the following Content Security Policy directive: "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.

VIDEOJS: ERROR: (CODE:4 MEDIA_ERR_SRC_NOT_SUPPORTED) The media could not be loaded, either because the server or network failed or because the format is not supported. zi {code: 4, message: "The media could not be loaded, either because the …rk failed or because the format is not supported."}

after adding the additional CSP tags, the content loads as expected.

Thanks!

@ghys
Copy link
Member

ghys commented Dec 26, 2020

Interesting, must be a video.js implementation technique to use blob: urls sometimes but not always. So maybe simply adding blob: to the default-src part would be enough?

ghys
ghys reviewed Dec 26, 2020
View reviewed changes
bundles/org.openhab.ui/web/src/index.html Outdated
@@ -11,7 +11,7 @@
* Disables use of inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
* Enable inline JS: add 'unsafe-inline' to default-src
-->
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:">
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:; media-src * blob:; worker-src * blob:">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this work?

Suggested change
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:; media-src * blob:; worker-src * blob:">
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content: blob:">

Perhaps allowing blob: could also be valuable for images and so on so no harm in allowing them by default.
At some point I'll probably look after having a same-origin policy for scripts and CSS to mitigate importing malicious external libraries, maybe disable unsafe-eval too if it's not required.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that works! I updated the PR with your change.

@digitaldan
Updated based on PR feedback
98247b6 
Signed-off-by: Dan Cunningham <dan@digitaldan.com>
ghys
ghys approved these changes Dec 27, 2020
View reviewed changes
Copy link
Member

@ghys ghys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@ghys ghys merged commit 292f834 into openhab:master Dec 27, 2020
crnjan added a commit to crnjan/openhab-webui that referenced this pull request Jan 6, 2021
@crnjan
Merge branch 'master' into fetaure/support_webos5_buildin_browser
91597d0 
* master:
  Take all door subclasses in door location glance badge (openhab#727)
  [habpanel] Remove ItemStateEvent detection (openhab#737)
  Update license headers to 2021 (openhab#739)
  Fix openhab#714 - Sort popup dialogs by name and jump to selected item on open (openhab#724)
  Fix openhab#538 - Do not concatenate search for items (openhab#726)
  Fix openhab#722 - Show current GA metadata when editing (openhab#723)
  Fix openhab#720 - Fix various problems with google assistant metadata UI (openhab#721)
  Fix openhab#684 - Allow diacritics in search bars (openhab#718)
  CSP: allow blob: URLs (openhab#698)
  Apply Spotless (openhab#680)
  [unleash-maven-plugin] Preparation for next development cycle.
@ghys ghys added the bug Something isn't working label Jan 11, 2021
@ghys ghys added this to the 3.1 milestone Jan 11, 2021
ghys pushed a commit to ghys/openhab-webui that referenced this pull request Jan 11, 2021
@digitaldan @ghys
CSP: allow blob: URLs (openhab#698)
c326c54 
Needed in the somes for video streams in the video card. 

Signed-off-by: Dan Cunningham <dan@digitaldan.com>
@ghys ghys added patch A PR that has been cherry-picked to a patch release branch main ui Main UI labels Jan 11, 2021
@kaikreuzer kaikreuzer changed the title [WIP]Adds additional CSP contents to enable videojs and our ipcamera binding Added additional CSP contents to enable videojs and our ipcamera binding Jan 16, 2021
@kaikreuzer kaikreuzer changed the title Added additional CSP contents to enable videojs and our ipcamera binding Added additional CSP contents to enable videojs and ipcamera binding Jan 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghys ghys ghys approved these changes

Assignees
No one assigned
Labels
bug Something isn't working main ui Main UI patch A PR that has been cherry-picked to a patch release branch
Projects
None yet
Milestone
3.1
Development

Successfully merging this pull request may close these issues.
2 participants
@digitaldan @ghys