[HttpKernel] [FrameworkBundle] Introduce Rails-like default response headers to control browser-side security features #8515
Conversation
…assign necessary-everywhere headers
…with X-Content-Type-Options support by default)
|
Additional informations: I strongly think we should add I know good (bad?) example about such a vulnerability, the CVE-2013-1297, is NOT fixed in IE9 and IE10. (In IE6, IE7 and IE8, this vuln has been fixed by MS13-037) The reporter, Yousuke Hasegawa, says "In Internet Explorer 9 and 10, attacker can read remote JSON array yet." in his blog entry (sadly there are no English informations). This attack is that the vulnerable IE reads remote JSON content as VBScript by using And according to Hasegawa, "About IE9 and IE10 needs X-Content-Type-Options to avoid this problem, Microsoft says this behavior is based on its specification." I think CVE-2013-1297 itself is not really big problem, in my opinion, a truly big problem is Microsoft looks like standing "the response with a valid Content-Type, as a matter of course, it must send X-Content-Type-Options too"... If so, bad, this is bad, but this problem is really exist, so adding Nonetheless, for the good web frameworks or applications like symfony, there is no reason for relying MIME-type sniffing because they always send a valid Content-Type. |
|
@Seldaek you probably have some comments on this. |
| @@ -42,6 +45,9 @@ public function onKernelResponse(FilterResponseEvent $event) | |||
| } | |||
|
|
|||
| $response = $event->getResponse(); | |||
| foreach ($this->defaultHeaders as $key => $value) { | |||
| $response->headers->set($key, $value, false); | |||
There was a problem hiding this comment.
This will replace any custom header set in the controller.
There was a problem hiding this comment.
I don't think so, this method call sets false as the third argument ($replace), and it is already tested the existing header wouldn't be overwritten.
|
NelmioSecurityBundle already allows setting these security headers for you, and it provides a semantic configuration instead of asking the developer to know the exact syntax of each header in the config file. and for the CORS header, NelmioCorsBundle allows configuring it fully (which cannot be done by hardcoding some header values in the config file). Thus, your default config for |
|
Oh I didn't know about the NelmioSecurityBundle bundle. It seems better than my implementation (give the code a once-over), but it doesn't provide Adding some supports for My default header config misleading. You're right. But it is difficult problem because this configuration shouldn't overwrite user defined headers, of course... |
|
@ebihara there is a PR open on NelmioSecurityBundle for CSP support, which one merged will make the bundle cover most things you mentionned here. As for X-Content-Type-Options, I wouldn't be against a pull request to add it to the bundle as well. I don't know if this really belongs in the framework itself because having smart defaults that fit everyone is a bit hard. It's good to make it easy to enable these features, but I don't necessarily agree that forcing them on everyone is a good thing. |
|
As there is already a good bundle that covers most of these things and because @Seldaek is fine with adding some missing stuf, I'm closing this PR in favor of improving the bundle. |
Rails 4 provides new
default_headersto send some security headers by default. Such headers control browser-side security features.It is also good for Symfony because it provides transparent security to users like output escaping and CSRF protection.
TODO
(NOTE: adding this feature is finished, I think, but we should consider about default configurations as I discuss later)
Security headers?
Modern web browsers provide some security features (to mitigate effects of frequent vulnerabilities, or to avoid new attack methods e.g. Clickjacking). To use them, setting via response headers like the followings:
About browser support situations, you can get information from http://www.browserscope.org/?category=security
Configuration
User can configure default response header like the following:
Default Configuration
I think about the default configuration is very important and we need to discuss since it may affect existing projects. (Currently, only
X-Content-Type-Options: sniffis defined as default header)X-Content-Type-Options: sniffis almost essential because Symfony always sends a valid Content-Type so it keeps current behaviours.And also
X-XSS-Protection: 1; mode=blockdoes not break anything, but in false-negative situation, the end-user will see a white-screen-of-death (by block-mode of XSS filter) instead of corrupt HTML string (by default-mode).X-Frame-Optionsis the missing protection against Clickjacking but it damages iframe-embed page so we cannot adopt this as default but we should recommend use this.Content Security Policy is a very powerful feature but it might be difficult for many users to control.
A preferred value of
Strict-Transport-Security,X-UA-CompatibleandAccess-Control-Allow-Origincannot be decided without user's judgment.FYI, here is the default configuration of Rails 4:
References