Content-Security-Policy headers for WHM, cPanel, and webmail

[Volox]

Has any thought been given to enabling better Content-Security-Policy headers on the WHM, cPanel, and webmail interfaces by default?

I see threads in the forums about how to setup the Content-Security-Policy headers in the

pre_main_global.conf

but when you do that, it appears to apply to the whm.mydomain.com, cpanel.mydomain.com, and webmail.mydomain.com interfaces as well.

I was able to work around this by using the expression conditional like below, but it still leaves those important interfaces 'unprotected' from cross site scripting injection.

Header always set Content-Security-Policy "default-src 'self'; \
script-src 'self' 'strict-dynamic'; \
style-src 'self' 'strict-dynamic'; \
img-src 'self' 'strict-dynamic'; \
object-src 'none'; base-uri 'none';" \
"expr=%{HTTP_HOST} !~ m#(webmail|cpanel|whm)\..*#"

After some toying around I found a set of options that appear to avoid breaking the cpanel interfaces, but they are far less than optimal since they require

'unsafe-inline' 'unsafe-eval'

I also tried using the Tweak option of

Enable Content-Security-Policy on some interfaces

but that does not appear to do anything to the web interfaces that are actually important.

It would be nice if the cpanel and webmail interfaces were built such one of 3 things were present (in order of easiest to most desirable):

1. If the cpanel applications setup the specific header allows that were needed so one could set a global policy and have it overridden such that these sites aren't broken.
2. That they didn't require those unsafe directives by removing the use of inline script and styles
3. It would be even more optimal if the applications were enhanced to support 'nonce' in the script and style references and automatically injected 'nonce' in the Content-Security-Policy headers.

I'm wondering if there is anything being done to work towards any of those?

 

[cPRex]

Hey there! Let me talk with some of the developers and I'll let you know what I find out.

 

[cPRex]

I spoke with the team and there isn't a way for the software to handle that at this time. Could you submit a feature request using the link in my signature to get that submitted to our team?

 

[MotazHakim]

Hello
I'm following up this topic because I was just searching for it
I've added CSP headers into .htaccess in /home/user directory, so it works on the website, but I don't know how to add it in webmail or WHM or cPanel ?

 

[cPRex]

@MotazHakim - there isn't a way to do that at this point. I don't see a feature request from the original poster, so feel free to submit one using the link in my signature so I can let the developers know.

 

[MotazHakim]

@MotazHakim - there isn't a way to do that at this point. I don't see a feature request from the original poster, so feel free to submit one using the link in my signature so I can let the developers know.

@cPRex thanks for your reply
I've just submitted a Feature Request you can check on this link
https://features.cpanel.net/topic/22407-cspxss-header-for-whm-cpanel-webmail

All the best

 

[cPRex]

I saw it come in and already got it approved!