libregraphicsmeeting.org gets an F rating and 0/100 score at the Mozilla Observatory HTTPS evaluation #46

Open
schumaml opened this issue Apr 23, 2018 · 17 comments

Comments

@schumaml

See https://observatory.mozilla.org/analyze/www.libregraphicsmeeting.org

Also, when forcing HTTPS, browsers warn about mixed content (likely images and/or scripts, I didn't check any details).

Defaulting to HTTPS and having no mixed content warnings could be a reasonable first goal for the libregraphics website; going further can be done step by step as necessary.

Feel free to ask if you have any questions, we did this for gimp.org and have likely hit any pitfalls for this process along the way :)

@ms-studio
Member

The website already has a valid certificate, as seen when visiting a static resource: https://libregraphicsmeeting.org/2018/wp/wp-content/themes/lgm2018/img/logo-lgm--web.svg

So the only thing to do is: a person with admin access to the current site must log into the WordPress admin interface, and change the site URL from http://libregraphicsmeeting.org to https://libregraphicsmeeting.org

@aoloe
Contributor

aoloe commented Apr 23, 2018

thanks @ms-studio !

i've done the change you suggested and also forced the https redirection in the .htaccess.

@schumaml it's all good now or should i make other changes? the mozilla reports other "issues"... is there any you want to see fixed?

@ms-studio
Member

@aoloe there are two resources still loading as http:// : it's two image links inside the footer widgets. this should be changed directly in the code:

    <aside class="widget-area" role="complementary">
      <div class="widget-column footer-widget-1">
      <section id="text-2" class="widget widget_text"><h2 class="widget-title">Sponsors</h2>			<div class="textwidget"><p><img src="http://libregraphicsmeeting.org/2018/wp/wp-content/uploads/2018/03/logo-google-fonts.png" width="200" height="37" /></p>
      </div>
      </section>			</div>
      <div class="widget-column footer-widget-2">
      <section id="text-5" class="widget widget_text"><h2 class="widget-title">Co-organized by</h2>			<div class="textwidget"><p><img class="alignnone size-medium wp-image-348" src="http://libregraphicsmeeting.org/2018/wp/wp-content/uploads/2018/03/logo_compoliticas_completo-300x71.jpeg" alt="" width="300" height="71" /></p>

@aoloe
Contributor

aoloe commented Apr 23, 2018

let's see if i can find where they are defined...

@aoloe
Contributor

aoloe commented Apr 23, 2018

ok, it was in a widget...

fixed...

anything else? : - )

@schumaml
Author

Nice to see this being addressed so fast :)

Let's take one step at a time, as fulfilling some of the checks can get quite involved if a CMS is being used.

@schumaml
Author

So one redirection has to be fixed:

http://www.libregraphicsmeeting.org currently redirects to https://libregraphicsmeeting.org

It should be

http://www.libregraphicsmeeting.org -> https://www.libregraphicsmeeting.org -> https://libregraphicsmeeting.org

to not interfere with HSTS later.

@schumaml
Author

The three last checks - the X-* stuff - should also be rather easy to add, as it is only additional HTTP headers which prevent content type guessing by browsers, framing of libregraphicsmeeting.org by other sites, and some cross-site scripting attacks.

@schumaml
Author

The Content Security Policy check will be the hardest, as deploying useful strict CSPs will kill inline javascript and inline css (i.e. style tags), and should be the last steps if it is attempted at all.

@aoloe
Contributor

aoloe commented Apr 23, 2018

i've now edited the .htaccess as follows:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    RewriteRule ^$ /2018 [R=302,L]

is it better now?

@aoloe
Contributor

aoloe commented Apr 23, 2018

i've added:

    $headers['strict-transport-security'] = 'max-age=31536000; includeSubDomains';
    $headers['Content-Security-Policy'] = 'default-src https:; script-src \'self\' \'unsafe-inline\'';
    $headers['X-Frame-Options'] = 'SAMEORIGIN';
    $headers['X-XSS-Protection'] = '1; mode=block';
    $headers['X-Content-Type-Options'] = 'X-Content-Type-Options: nosniff';
    $headers['Referrer-Policy'] = 'strict-origin';

but now i get a few errors in the console. any hint how to get rid of them?

@schumaml
Author

With a CSP in place, you have to pay attention to the following:

  • all javascript should be in .js files, nothing in <script> elements in an html document
  • all style rules should be in .css files, nothing in <style> elements inside html documents

Not sure how easy or hard this is with Wordpress and its modules, whose authors might not have designed them with these considerations in mind (NB: I know next to nothing about Wordpress, though).

@schumaml
Author

BTW, for the

X-Content-Type-Options

the value is supposed to be just "nosniff"

And congrats - from F to B in no time at all :)
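As an added illustration (not code from this thread or from the LGM repository), a small offline Python checker that encodes two points raised above: the exact X-Content-Type-Options value, and the http-www to https-www to apex redirect order needed so HSTS can later be served for the www host. The sample header map is the set posted earlier in this thread; the six-month HSTS minimum is an assumed threshold, not taken from the thread.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the header set as first posted in this thread
# (the X-Content-Type-Options value still carries the header name).
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src https:; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "X-Content-Type-Options: nosniff",
    "Referrer-Policy": "strict-origin",
}

MIN_HSTS_AGE = 15552000  # six months; assumed threshold, not from the thread


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response-header map (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options must be exactly 'nosniff'")
    max_age = 0
    for directive in h.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy not set")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline': inline <script>/<style> still runs")
    return findings


def check_redirect_chain(chain: List[str]) -> List[str]:
    """chain: URLs visited in order, starting at the http:// URL of the www host.
    The first hop must only switch to https on the same host, so the HSTS header
    is delivered for that host before any hostname change."""
    findings = []
    hops = [urlsplit(u) for u in chain]
    if len(hops) < 2 or hops[0].scheme != "http":
        return ["chain must start at an http:// URL and contain at least one redirect"]
    if hops[1].scheme != "https" or hops[1].hostname != hops[0].hostname:
        findings.append("first redirect must be to https:// on the same hostname")
    if hops[-1].scheme != "https":
        findings.append("final URL must be https://")
    return findings
```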

@aoloe
Contributor

aoloe commented Apr 25, 2018

i've fixed the nosniff... but what i've noticed: we've lost the map on https://libregraphicsmeeting.org/2018/2018-edition/

now, i've disabled

$headers['Content-Security-Policy'] = 'default-src https:; script-src \'self\' \'unsafe-inline\'';

no idea how to write in a way that it's generally safe and allows us to load the osm map at the end of

https://libregraphicsmeeting.org/2018/2018-edition/

for now, it's more important to have the map shown.

@schumaml
Author

Yes, the CSP can be quite involved - we broke stuff on gimp.org in quite interesting ways, some going unnoticed for quite some time, like inline styles in SVG files getting killed (Inkscape should really allow for fully external styling [or does it now?])

CSPs force you to evaluate where your resources come from and how they are loaded, and possibly change this - definitely not something that should be done one day before the conference starts :)

@patdavid

patdavid commented Apr 25, 2018 via email

@aoloe
Contributor

aoloe commented Apr 26, 2018

hi @patdavid you should be able to do it, by setting up a local wordpress and use the theme in

https://github.com/libregraphicsmeeting/htdocs-2018

the repository's README file summarizes most steps involved.

i can give you push rights to the repository and the changes are automatically deployed to the site.
