Stott Security 3.0

[GeekInTheNorth]

v3.0

This Release introduces support for the Permissions-Policy and includes a host of quality of life updates and fixes.

This release is available on the following nuget feeds:

• https://nuget.optimizely.com
• https://api.nuget.optimizely.com
• https://www.nuget.org

Features

• Add support for Feature-Policy / Permission-Policy header #135
  • Adds Support configuring the Permissions-Policy Header.
  • The Permission-Policy header can be activated or deactivated as a whole.
  • The Permission Policy screen includes full filtering ability to find all directives for a specific source or to filter sources by enabled state.
  • All changes to Permission Policy directives are audited.
  • The Settings Import and Export tools have been updated to support migrating of this functionality between environments.
• Add a warning message around the use of the X-XSS-Protection header #214
  • Adds a warning around the deprecated nature of the X-XSS-Protection header. This header is known to cause vulnerabilities in some older browsers, newer browsers no longer respond to this header.
• Add additional options for sources #252
  • Adds support for 'inline-speculation-rules' withing the Content Security Policy.
• Restrict Directives to Valid Combinations #253
  • Restrict allowed directives for specific special sources within the Content Security Policy. e.g. 'unsafe-inline' is now restricted to script and style based directives.
• Update default directives #254
  • Update default directives to use 'self' with default-src instead of 'none'
• Relax Import and Export Tools to allow for a partial import #262
  • Updated the Import Settings tool to allow it to import a section of the settings. This is based on the presence or absence of the CSP, CORS, Response Headers or Permissions Policy within the settings export file.
• Can you please provide .NET 9 package? #264
  • Add support for .NET 9
• Remove CMS Editor Interface Gadget #267
  • Removed the Stott Security Gadget from the CMS Editor Interface.
  • This component was read-only and offers no value for most implementations while creating friction in some installations.
  • A replacement feature is currently in consideration.
• Remove Obsolete Code #273
  • Remove obsolete methods:
    • SecurityServiceExtensions.AddCspManager()
    • SecurityServiceExtensions.UseCspManager()
  • Remove CspReportingViewComponent

Bugs

• Update how NOnce is added and removed to cached headers #208
  • Correct an Issue with the Menu Provider that was causing some builds to activate the NONCE on admin screens
  • Correct the landing page for the Stott Security module to render the NONCE attribute on style and script tags.
• Update Report-To endpoint to handle both "application/reports+json" and "application/csp-report" request types #265
  • Update the Internal Reporting endpoint to handle single reports or an array of reports.
  • This is in light of some browsers such as MacOs Safari sending Report-Uri style error reports to the Report-To endpoint.

Hotfix 3.0.1

• CSP : A policy that is greater than 16000 bytes can result in connections being dropped either at server, proxy or browser level. #279
  • Handle large CSPs that exceed the best practice 8KB header size limit.
  • Excessive CSPs were causing browsers or even the CDN to drop the request.
    • Cloudflare, used by Optimizley DXP has a hard 16kb limit for header sizes
    • Browser support for header sizes varies from 8kb and upwards.
  • Large CSPs will now be split into multiple headers grouped by responsibility and fallback behaviours
• CORS : Users can activate wildcard origin with credentials which is an invalid policy #272
  • Add validation to prevent Wild Card Origins being used with Credentials as this is an invalid CORS policy can can break the site

Hotfix 3.0.2

• CSP : A policy that is greater than 16000 bytes can result in connections being dropped either at server, proxy or browser level. #279
  • Apply an terminal threshold at which the CSP will not be produced. This is to prevent users being completely locked out of the system due to CloudFlares hard 16KB limit per header.
• Remove defunct directives from CSP #282
  • Remove the report-uri directive from the CSP as this is deprecated.
  • Remove the navigate-to directive from the CSP as this was specified, never implemented and was then deprecated.
  • This is to help reduce the size of the CSP

---

This discussion was created from the release Stott Security 3.0.0.

Help me celebrate this release with a coffee! ☕️

[GeekInTheNorth]

A hotfix is currently in development to handle situations where a user can lock themselves out of the system. While the following issues were not introduced in v3.0.0, they are the version I am targeting for them.

• CORS : Users can activate wildcard origin with credentials which is an invalid policy #272
• CSP : A policy that is greater than 16000 bytes can result in connections being dropped either at server, proxy or browser level. #279

[GeekInTheNorth]

This has now been pushed to nuget.org.