Bug 2160555

Summary: Some pcs webui responses are missing proper CSP headers
Product: Red Hat Enterprise Linux 8 Reporter: Tom Sorensen <tsorense>
Component: pcsAssignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA QA Contact: cluster-qe <cluster-qe>
Severity: low Docs Contact:
Priority: low    
Version: 8.7CC: cluster-maint, idevat, mlisik, mmazoure, mpospisi, omular, tojeline
Target Milestone: rcKeywords: Triaged
Target Release: 8.9Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcs-0.10.16-1.el8 Doc Type: Enhancement
Doc Text:
Feature: Instruct web browsers to only load resources directly from pcs web UI and no other sources even when an error page is sent to a browser. Reason: This helps guard against cross-site scripting attacks. Result: HTTP header "Content-Security-Policy: frame-ancestors 'self'; default-src 'self'" is sent by pcsd in error HTTP responses instructing web browsers to only load and run resources from pcs web UI and no external sources.
 Story Points: ---
Clone Of:
: 2160664 (view as bug list) Environment:
Last Closed: 2023-11-14 15:22:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2160664    
Bug Blocks:    

Description Tom Sorensen 2023-01-12 20:22:41 UTC 
Description of problem:
Response with status code 401 is not showing right content type; techically it would require CSP with a text/html response, but it would not with JSON

Response with status code 404 is showing HTML response with no CSP

Version-Release number of selected component (if applicable):
pcs-0.10.14-5.el8

How reproducible:
Always

Steps to Reproduce:
1. Disable pcs WebUI
2. Access WebUI and receive either a 401 or 404 error page
3. Check headers

Actual results:
Headers lack CSP

Expected results:
CSP to be included even with error pages

Additional info:
Comment 2 Tomas Jelinek 2023-01-13 08:51:17 UTC 
To summarize why we cannot fix CSP in RHEL 8 globally:

Setting CSP to "script-src 'self'", as asked, is not possible with the RHEL 8 pcs web UI for two reasons.
1) Such setting prevents inline scripts to be executed. To fix this, we would need to move all inline scripts to an external .js file.
2) Such setting prevents rendering handlebars templates. They are compiled on-the-fly and the compilation depends on calling "Function()", which is blocked by CSP. The only way to resolve this is to move to precompiled handlebars templates, which would require significant time and resources.

We've been working on a completely new web UI, to fix this and other issues, for a few years. The new web UI is released in RHEL 9 pcs packages as the only web UI. In RHEL 8, it is released as a tech preview alongside the old one.



Regarding the specific issue reported in this BZ:
It is possible to fix this in RHEL 8. RHEL 9 is also affected, I'm going to create a BZ for that.
Comment 4 Tomas Jelinek 2023-02-22 15:20:20 UTC 
Upstream patch: https://github.com/ClusterLabs/pcs/commit/2f3cd689e38fec824644bbeae3bad2e5accecb5b

Test:
1. disable pcs web UI
2. access pcs web UI and receive a 404 page
3. access /remote/capabilities URL and receive a 401 page
4. verify that "Content-Security-Policy" HTTP header is set to "frame-ancestors 'self'; default-src 'self'" in both cases
Comment 5 Michal Pospisil 2023-05-29 10:09:46 UTC 
DevTestResults:

[root@r08-09-a ~]# rpm -q pcs
pcs-0.10.16-1.el8.x86_64

Response headers on requests for index.html and favicon.ico both contain the desired CSP policy:
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Fri, 26 May 2023 15:30:04 GMT
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Xss-Protection: 1; mode=block
Cache-Control: no-store, no-cache
Pragma: no-cache
Referrer-Policy: no-referrer
Content-Length: 69
Comment 9 Michal Mazourek 2023-07-17 15:35:08 UTC 
The same test as in bz2160664 comment 11 was used to verify this bz. Marking as VERIFIED for pcs-0.10.17-2.el8.
Comment 12 errata-xmlrpc 2023-11-14 15:22:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6903