Content-Security-Policy headers for WHM, cPanel, and webmail

Volox (Member, San Diego; cPanel Access Level: Root Administrator), Jun 11, 2017
Has any thought been given to enabling better Content-Security-Policy headers on the WHM, cPanel, and webmail interfaces by default?

I see threads in the forums about how to set up the Content-Security-Policy headers in pre_main_global.conf, but when you do that, it appears to apply to the whm.mydomain.com, cpanel.mydomain.com, and webmail.mydomain.com interfaces as well.

I was able to work around this by using an expression conditional like the one below, but it still leaves those important interfaces 'unprotected' from cross-site scripting injection.

Code:
# Apache 2.4: send the policy only when the Host header is not one of the
# cPanel proxy subdomains (webmail., cpanel., whm.). The pattern is anchored
# with ^ so a host such as "mywhm.example.com" is not excluded by accident.
# 'strict-dynamic' is only meaningful in script-src, and without a nonce or
# hash it makes CSP3 browsers ignore 'self', so it is left out here.
Header always set Content-Security-Policy "default-src 'self'; \
script-src 'self'; \
style-src 'self'; \
img-src 'self'; \
object-src 'none'; base-uri 'none';" \
"expr=%{HTTP_HOST} !~ m#^(webmail|cpanel|whm)\..*#"
After some toying around I found a set of options that appear to avoid breaking the cPanel interfaces, but they are far less than optimal since they require 'unsafe-inline' 'unsafe-eval'.
I also tried the Tweak option "Enable Content-Security-Policy on some interfaces", but that does not appear to do anything to the web interfaces that are actually important.

It would be nice if the cPanel and webmail interfaces were built such that one of three things were present (in order of easiest to most desirable):
  1. The cPanel applications set the specific header allowances they need, so one could set a global policy and have it overridden such that these sites aren't broken.
  2. They didn't require those unsafe directives, by removing the use of inline scripts and styles.
  3. Even better, the applications were enhanced to support a 'nonce' in the script and style references and automatically injected that nonce into the Content-Security-Policy headers.
I'm wondering if there is anything being done to work towards any of those?
 
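The following is an added example, not part of the post above and not cPanel's own code. It shows two things the thread talks about in prose: a small linter that flags the weak or no-op source expressions in a policy such as the ones posted ('unsafe-inline', 'unsafe-eval', and 'strict-dynamic' either outside script-src or without a nonce/hash), and the nonce scheme of item 3: one random nonce per response, placed by the template on the application's own inline script and style tags and echoed in the header. The page template, the "webmail" title and the mail subject are constructed sample input; the function names are mine.

```python
"""
Added example (not from the forum post and not cPanel's own code): lint a
Content-Security-Policy value, and render a page with a per-response nonce
the way item 3 above asks for. Template and inputs are constructed samples.
"""
import html
import re
import secrets

UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}
# 'nonce-...' or 'sha256-/sha384-/sha512-...' source expressions.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> list:
    """Return one finding per problem in the policy (empty list = clean)."""
    findings = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            if src in UNSAFE:
                findings.append(f"{directive}: {src} lets injected code run")
        if "'strict-dynamic'" in sources:
            if directive != "script-src":
                # Browsers ignore the keyword in any other directive.
                findings.append(f"{directive}: 'strict-dynamic' only has effect in script-src")
            elif not any(NONCE_OR_HASH.match(s) for s in sources):
                # With 'strict-dynamic', CSP3 browsers disregard 'self' and host
                # sources, so without a nonce or hash nothing is allowed to run.
                findings.append("script-src: 'strict-dynamic' without a nonce or hash "
                                "blocks every script in CSP3 browsers")
    return findings


# Constructed template. The nonce goes only on tags the application itself
# emits; untrusted values (the subject) are HTML-escaped, and even an
# unescaped <script> injected by an attacker would carry no nonce.
PAGE = """<!doctype html>
<html><head>
<style nonce="{nonce}">body {{ font-family: sans-serif }}</style>
<script nonce="{nonce}">document.title = "webmail";</script>
</head><body><p>Subject: {subject}</p></body></html>
"""


def render_with_nonce(subject: str) -> tuple:
    """Render PAGE with a fresh per-response nonce; return (html, csp_header)."""
    nonce = secrets.token_urlsafe(16)
    body = PAGE.format(nonce=nonce, subject=html.escape(subject))
    header = (
        f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
        f"style-src 'self' 'nonce-{nonce}'; img-src 'self'; "
        "object-src 'none'; base-uri 'none'"
    )
    return body, header


def nonce_from_header(header: str) -> str:
    """Pull the nonce value out of a rendered CSP header."""
    m = re.search(r"'nonce-([A-Za-z0-9_-]+)'", header)
    return m.group(1) if m else ""


def count_scripts(body: str, nonce: str) -> tuple:
    """Count <script> tags that would run (carry this nonce) vs. be blocked."""
    tags = re.findall(r"<script\b[^>]*>", body)
    allowed = sum(1 for t in tags if f'nonce="{nonce}"' in t)
    return allowed, len(tags) - allowed


if __name__ == "__main__":
    posted = ("default-src 'self'; script-src 'self' 'strict-dynamic'; "
              "style-src 'self' 'strict-dynamic'; img-src 'self' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none';")
    for line in audit_csp(posted):
        print("posted policy:", line)
    page, hdr = render_with_nonce('<script>alert(1)</script>')
    print(hdr)
    print("scripts allowed/blocked:", count_scripts(page, nonce_from_header(hdr)))
    print("audit of nonce policy:", audit_csp(hdr) or "clean")
```

The important design point is that the nonce is written by the template into tags the application knows are its own; stamping it onto every script tag after the fact with a regex would also bless whatever an attacker managed to inject, which defeats the purpose. Note too that the nonce must change on every response and never be cached with the page.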