From 06ac8b9ddd09ed725b1e815406a78ba826081f01 Mon Sep 17 00:00:00 2001 From: Tom Foster Date: Tue, 3 Sep 2024 15:56:20 +0100 Subject: [PATCH] Update CSP Directives for Media Repository --- proposals/4149-media-repo-csp-directives.md | 116 ++++++++++++-------- 1 file changed, 72 insertions(+), 44 deletions(-) diff --git a/proposals/4149-media-repo-csp-directives.md b/proposals/4149-media-repo-csp-directives.md index ff18fa51db9..28dc0c4031a 100644 --- a/proposals/4149-media-repo-csp-directives.md +++ b/proposals/4149-media-repo-csp-directives.md 
@@ -6,61 +6,86 @@ The current Content Security Policy (CSP) directives recommended for the media r Matrix specification contain outdated and potentially insecure directives. This proposal aims to update these directives to enhance security and align with modern web standards. -The issues with the existing directives are as follows: +## Proposal -1. `plugin-types application/pdf;` is a legacy directive that modern browsers do not use, and PDFs - are not allowed as per MSC2702. -2. `style-src 'unsafe-inline';` allows inline CSS, which poses security risks. -3. `object-src 'self';` relates to legacy web plugins and the `` element, which are - deprecated and under consideration for removal. +The current CSP directives for the media repository are as follows: -Updating these directives will improve the security posture of the Matrix media repository and -ensure compliance with contemporary web practices. +```plaintext +sandbox; default-src 'none'; script-src 'none'; plugin-types application/pdf; +style-src 'unsafe-inline'; object-src 'self'; +``` -## Proposal +The proposed changes are to update the CSP directives to: -### Remove `plugin-types application/pdf;` +```plaintext +sandbox; default-src 'none'; script-src 'none'; font-src 'none'; +frame-ancestors 'none'; form-action 'none'; base-uri 'none'; +``` -Modern browsers no longer use the `plugin-types` directive. This directive is redundant given the -deprecation of web plugins and is unnecessary since MSC2702 explicitly disallows PDFs. +### Details of the Proposal -### Update `style-src` Directive +#### Remove `plugin-types application/pdf;` -The current directive is: +Modern browsers no longer use the `plugin-types` directive. It was originally intended for use with +legacy plugins such as those for PDF viewing, which are no longer common practice. 
Furthermore, +[MSC2702](https://github.com/matrix-org/matrix-doc/pull/2702) recommends against the use of PDFs, +making this directive unnecessary and potentially misleading. -```plaintext -style-src 'unsafe-inline'; -``` +References: -The proposed directive is: +- [CSP recommendations by Mozilla Security](https://infosec.mozilla.org/guidelines/web_security#content-security-policy) +- [XMPP's XEP-0363 on CSP](https://xmpp.org/extensions/xep-0363.html#server) -```plaintext -style-src 'self'; -``` +#### Remove `style-src 'unsafe-inline';` + +The directive `style-src 'unsafe-inline';` allows the use of inline styles. While this may be +convenient, it poses a significant security risk by enabling potential Cross-Site Scripting (XSS) +attacks. By removing this directive, we enforce the use of external stylesheets, which are safer +and more manageable. + +References: + +- [Google's CSP validator](https://csp-evaluator.withgoogle.com/) +- [internet.nl's website security tester on CSP](https://internet.nl/faqs/appsecpriv/) -Allowing `'unsafe-inline'` poses a significant security risk by enabling inline CSS, which can be -exploited for Cross-Site Scripting (XSS) attacks. Restricting `style-src` to `'self'` ensures that -styles are only loaded from the same origin, enhancing security. +#### Remove `object-src 'self';` -### Remove `object-src 'self';` +The `object-src` directive is related to the use of `` elements, which are also a legacy +feature. This directive is largely obsolete as modern web development practices do not rely on +`` elements. Additionally, removing this directive simplifies the CSP and eliminates +potential attack vectors. -The `object-src` directive pertains to legacy web plugins, which are deprecated. The use of -`` elements is being reconsidered for removal, rendering this directive obsolete. 
+References: -### Proposed CSP Directive +- [CSP recommendations by Mozilla Security](https://infosec.mozilla.org/guidelines/web_security#content-security-policy) -After the proposed changes, the updated CSP directive for the media repository would be: +### New CSP Directives + +The updated CSP directives aim to provide a more secure baseline by eliminating unnecessary and +insecure directives. The new set of directives is: ```plaintext -Content-Security-Policy: default-src 'self'; style-src 'self'; +sandbox; default-src 'none'; script-src 'none'; font-src 'none'; +frame-ancestors 'none'; form-action 'none'; base-uri 'none'; ``` -## Potential issues +These directives ensure that: + +- No content is allowed to load by default (`default-src 'none';`). +- No fonts can be loaded (`font-src 'none';`). +- No scripts can be executed (`script-src 'none';`). +- The content cannot be embedded into other sites (`frame-ancestors 'none';`). +- Forms cannot be submitted (`form-action 'none';`). +- The document’s base URL cannot be overridden (`base-uri 'none';`). + +## Potential Issues + +### Developer Adaptation -Updating CSP directives could potentially cause issues for implementations that rely on the -outdated directives. However, these changes should not adversely impact existing implementations as -the directives being removed or modified are related to deprecated features. Developers should -verify that their applications do not rely on these outdated directives. +This Content Security Policy is already in use on a number of live homeservers as it reflects +modern web application design, and specifically modern Matrix client usage. As such, it is not +expected that developers will need to make any changes, and this policy may in fact protect users +from developer error. ## Alternatives 
@@ -71,18 +96,21 @@ improving the security posture of the Matrix media repository. Another alternative could be to adopt a more permissive CSP, but this would compromise security and increase the risk of XSS attacks and other vulnerabilities. -## Security considerations +## Security Considerations -Removing outdated directives and disallowing inline styles reduces the attack surface and mitigates -potential XSS attacks. These changes align with security best practices and ensure compliance with -modern web standards. +The primary goal of updating these CSP directives is to enhance security. By removing obsolete +directives and disallowing insecure practices such as inline styles, we reduce the risk of XSS +attacks and other vulnerabilities. The new directives provide a stricter and more secure baseline +for handling content in the media repository. -## Unstable prefix +## Unstable Prefix -As no actual functionality changes are proposed in any Matrix endpoints, it's not anticipated that -an unstable prefix is necessary. +This proposal does not introduce new endpoints or features requiring an unstable prefix. +The changes are confined to the update of CSP directives, which should be implemented directly +once approved. ## Dependencies -This MSC builds on [MSC2702](https://github.com/matrix-org/matrix-doc/pull/2702), which disallows -PDFs. No additional dependencies are identified at the time of writing. +This MSC builds on the understanding and practices outlined in +[MSC2702](https://github.com/matrix-org/matrix-doc/pull/2702), which recommends against the use +of certain media types, such as PDFs. There are no other direct dependencies for this proposal.
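Review bot: In the first hunk, the rationale under "Remove `style-src 'unsafe-inline';`" ("By removing this directive, we enforce the use of external stylesheets") does not match the proposed header: with `default-src 'none'` and no `style-src` at all, `style-src` falls back to `default-src`, so external stylesheets are blocked just as inline styles are. Reword that paragraph to say that all styles are disallowed, and apply the same fallback logic to `object-src`: dropping `object-src 'self'` tightens it to `'none'` via the fallback, which is a stricter change than "simplifies the CSP" suggests. Two smaller points in the same hunk: the "These directives ensure that" list omits `sandbox`, which is the most consequential directive in the set and deserves a bullet, and `font-src 'none'` is redundant with `default-src 'none'`, so either say it is kept for explicitness or drop it. Finally, under "Developer Adaptation", the claim that no client changes are expected should acknowledge that `frame-ancestors 'none'` will break any client that displays media through an `<iframe>`, `<embed>` or `<object>` rather than via `<img>`/`<video>`/`<audio>` tags or a direct download.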
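Review bot: In the second hunk, the rewritten "Security Considerations" section still only names inline styles and "other vulnerabilities"; since the header now adds four directives that were not in the original, this section should state what each one mitigates so implementers can assess it, for example: `frame-ancestors 'none'` prevents the media from being embedded (clickjacking and UI-redress via served content), `sandbox` places served media in a unique opaque origin so it cannot script against or read storage for the homeserver origin, `base-uri 'none'` prevents relative-URL hijacking inside served HTML or SVG, and `form-action 'none'` prevents a served document from submitting forms anywhere. Also, the "Dependencies" paragraph softens MSC2702 from "disallows PDFs" to "recommends against the use of certain media types, such as PDFs"; please confirm which wording accurately reflects MSC2702 and use it consistently here and in the `plugin-types` section above.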