Avoid XSS attacks with Wave apps

[dulajra]

XSS attacks is a common security vulnerability when it comes to web applications. I would like to know due to the architecture of Wave are XSS attacks possible for wave apps? Is there any recommended approaches or best practices to avoid such attacks for Wave apps with input sanitisation?

[mturoci]

Every web application that renders dynamic data is vulnerable to XSS. Wave is no exception. Common ways to combat XSS are:

• Set up a strict CSP. Wave allows for specifying extra headers via H2O_WAVE_HTTP_HEADERS_FILE.
• Sanitize user-provided input.

[mturoci]

The .env file is only used for environment variables. Not headers. As the name suggests, you need to create a file containing the headers file and set its path as a value to H2O_WAVE_HTTP_HEADERS_FILE conf option.

[dulajra]

@mturoci I passed the same file mentioned in the docs but still I get panic: failed parsing HTTP headers from file: EOF

[dulajra]

The .env file is only used for environment variables. Not headers. As the name suggests, you need to create a file containing the headers file and set its path as a value to H2O_WAVE_HTTP_HEADERS_FILE conf option.

Yes I get it. It's just the name of the file. Apologies for the confusion. My question is do we need to set the absolute path to the headers file? Can't we set the relative path? I placed the headers.txt file in the root project and set H2O_WAVE_HTTP_HEADERS_FILE=./headers.txt but still I get panic: failed reading HTTP headers file: open ./headers.txt: no such file or directory

[dulajra]

@mturoci It worked after setting 2 new lines at the end of the headers file even though it is mentioned as (make sure there's an empty line at the end) in the docs

[mturoci]

My question is do we need to set the absolute path to the headers file? Can't we set the relative path?

I would recommend using absolute paths in general as they are more predictable and stable. Relative path should work as well, and relative in this case means "relative to the waved" location.

It worked after setting 2 new lines at the end of the headers file even though it is mentioned as (make sure there's an empty line at the end) in the docs

Thanks for pointing this out! Fixed in 8cd6f84.

[dulajra]

@mturoci I tried setting the Content-Security-Policy headers and it looks like we have to enable unsafe-inline for script-src and style-src because wave needs both to work. Because the inline content is generated internally by the framework I don't think we can use more restrictive sources like hash-* or nonce-*. Do you have better suggestions that allowing unsafe-inline?

[mturoci]

because wave needs both to work

This depends on the features you are using IIRC. Switching from inlinine scripts/styles to separate .js/ .css files should allow you to set the unsafe-inline.

You can see what Wave needs by making a sample hello world app with the desired CSP. Rules that fail on sample Wave app need to be disabled at the moment, but I am open to review the needed rules and see what can be done on Wave side.