Handle double-bang redirections better for CSP #177
Comments
I don't have any issue with CSP & double-bang redirections on my server https://darmarit.org/searx/ .. (tested with FFox & Chrome). I assume the issue is related to your modifications of the CSP .. here is my CSP in `default_http_headers`:

```yaml
default_http_headers:
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  X-Download-Options: noopen
  X-Robots-Tag: noindex, nofollow
  Referrer-Policy: no-referrer
  Content-Security-Policy: >-
    default-src 'self' data:
    https://invidio.xamh.de
    https://mp-tube.de
    https://cdn-storage.br.de
    https://*.akamaihd.net
    https://player.vimeo.com
    https://www.mixcloud.com
    https://w.soundcloud.com
    https://www.dailymotion.com
    https://www.deezer.com
    https://genius.com
    https://apasfiis.sf.apa.at
    https://media.tagesschau.de
    ;
    img-src 'self' data:
    https://*.tile.openstreetmap.org
    https://maps.wikimedia.org
    ;
```

I assume the problem is caused by the
It's not something I did. It's from the

@dalf @mrpaulblack .. do you have the same issue with

I haven't tried the configuration, but it makes sense. One way to fix the issue is to let SearXNG manage the CSP header, see searxng/searxng#140. At first sight, SearXNG could send a CSP header which allows the redirection:

Seems no longer in the header / issue seems fixed: I tested on https://paulgo.io/ & https://searx.sev.monster/

@return42 And I just tested with both and neither worked :) If you wanted to be pedantic this could be considered a true bug for

There is a CSP header but there is no

For me it works, when I use your instance by example with this link !!alternativeto foo ..
Yes, it will work if you use a direct link, because it is not triggering Go to the page instead and attempt this from the search box. Unless your situation is strange it will not work.

Excerpt of the site's Nginx configuration:

```nginx
location / {
    proxy_pass http://searxng;
    include includes/proxy.conf;

    # hide searxng default headers that we already set
    proxy_hide_header X-Content-Type-Options;
    proxy_hide_header X-XSS-Protection;
    proxy_hide_header X-Robots-Tag;
    proxy_hide_header Referrer-Policy;

    # @notimageproxy
    set $csp "upgrade-insecure-requests";
    set $csp "$csp;default-src 'none'";
    set $csp "$csp;script-src 'self'";
    set $csp "$csp;style-src 'self' 'unsafe-inline' https://sev.monster";
    set $csp "$csp;form-action 'self' https://github.com/searxng/searxng/issues/new";
    set $csp "$csp;font-src 'self'";
    set $csp "$csp;frame-ancestors 'self'";
    set $csp "$csp;base-uri 'self'";
    set $csp "$csp;connect-src 'self' https://overpass-api.de";
    #set $csp "$csp;img-src 'self' data: https://*.tile.openstreetmap.org";
    # allow non-proxied images
    set $csp "$csp;img-src * data:";
    set $csp "$csp;frame-src";
    set $csp "$csp https://www.youtube-nocookie.com https://player.vimeo.com";
    set $csp "$csp https://www.dailymotion.com https://www.deezer.com";
    set $csp "$csp https://www.mixcloud.com https://w.soundcloud.com";
    set $csp "$csp https://embed.spotify.com";
    more_set_headers "Content-Security-Policy: $csp";
}
```

I could fix this on my site by not enforcing
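To make the failure mode concrete, here is an added example (not SearXNG's, nginx's or this site's code) that models the CSP3 source-expression rules behind `form-action` and checks a form submission the way Chromium does: the form's own action URL and every redirect hop, including the 3xx `Location` target, must each match the `form-action` list (Firefox only checks the form's own action, which is why the thread sees different results per browser). The policy string is reduced from the directives in the config above; the origin `searx.example.org` and the hop URLs are constructed for the demo.

```python
"""Model of CSP 'form-action' matching applied to a form submission and its
redirect hops. Added example, not SearXNG or nginx code. Implements the CSP3
source-expression rules that matter here: 'self', 'none', scheme sources
("https:"), host sources with optional scheme, a leading "*." wildcard, a
port and a path (prefix match if it ends in "/", exact otherwise)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a CSP header into {directive_name: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _port(url):
    return url.port or DEFAULT_PORTS.get(url.scheme)


def _scheme_ok(source_scheme, target_scheme):
    # A source scheme also matches its secure upgrade (http -> https, ws -> wss).
    return target_scheme == source_scheme or (source_scheme, target_scheme) in {("http", "https"), ("ws", "wss")}


def _host_ok(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # "*.example.net" matches "a.example.net" but not "example.net"
        return host.endswith(pattern[1:])
    return host == pattern


def source_matches(source, target, origin):
    """Does one source expression allow `target` for a page served from `origin`?"""
    t = urlsplit(target)
    host = (t.hostname or "").lower()
    if source.startswith("'"):
        if source.lower() != "'self'":
            return False  # 'none', nonces, hashes, 'unsafe-*' never allow a destination
        o = urlsplit(origin)
        return host == (o.hostname or "").lower() and (
            (t.scheme == o.scheme and _port(t) == _port(o))
            or (o.scheme == "http" and t.scheme == "https"))
    if source.endswith(":") and "/" not in source:  # scheme source such as "https:"
        return _scheme_ok(source[:-1].lower(), t.scheme)
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if not _scheme_ok(scheme.lower(), t.scheme):
            return False
    else:  # no scheme given: the page's own scheme is implied
        rest = source
        if not _scheme_ok(urlsplit(origin).scheme, t.scheme):
            return False
    hostport, _, path = rest.partition("/")
    pat_host, _, pat_port = hostport.partition(":")
    if not _host_ok(pat_host, host):
        return False
    if pat_port == "":
        if _port(t) != DEFAULT_PORTS.get(t.scheme):
            return False
    elif pat_port != "*" and int(pat_port) != _port(t):
        return False
    if path:
        path = "/" + path
        tpath = t.path or "/"
        return tpath.startswith(path) if path.endswith("/") else tpath == path
    return True


def form_action_allows(csp_header, target, origin):
    """True if `target` is an allowed form-action destination (no default-src fallback)."""
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True
    return any(source_matches(s, target, origin) for s in sources)


def chromium_submission_allowed(csp_header, hops, origin):
    """Chromium: the form's action URL and every redirect target must all pass."""
    return all(form_action_allows(csp_header, hop, origin) for hop in hops)


# Constructed policy, reduced from the nginx config above, and a hypothetical instance origin.
SITE_CSP = ("default-src 'none'; script-src 'self'; "
            "form-action 'self' https://github.com/searxng/searxng/issues/new; img-src * data:")
ORIGIN = "https://searx.example.org"
BANG_HOPS = ["https://searx.example.org/search",                   # the form's own action
             "https://alternativeto.net/browse/search/?q=Nagios"]  # 302 Location for "!!alternativeto"

if __name__ == "__main__":
    for hop in BANG_HOPS:
        print(hop, "->", "allowed" if form_action_allows(SITE_CSP, hop, ORIGIN) else "BLOCKED")
    print("whole submission allowed:", chromium_submission_allowed(SITE_CSP, BANG_HOPS, ORIGIN))
```

Run it and the first hop passes via `'self'` while the `alternativeto.net` hop fails, so the whole submission is blocked; adding `https://alternativeto.net` to `form-action` fixes that one engine, which is exactly the per-site maintenance burden the issue describes.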
The link I gave was just an example of what I typed into the search form on your engine: then I press ENTER and it opens https://alternativeto.net/browse/search/?q=foo Oops .. sorry .. not sure why, but in my FFox it works .. in my Chrome's console I see:

Then we have to fix it in searxng-docker .. I will transfer this ticket to searxng-docker.

Closes: searxng#177
Signed-off-by: Markus Heiser <[email protected]>
Doesn't work here under Chromium 116.
When you submit a form, the browser keeps track of the source and destination. If there is a CSP header with The error above is a bit misleading since it seems to be reporting the intermediate URL and not the final URL. A better solution to this that doesn't rely on #114 is to use an interstitial that loads with a 200 code then redirects, like DuckDuckGo. This will "consume" the form submission and not pass it on to the double bang redirect, and has the added benefit of stripping
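The interstitial approach proposed in the comment above, as an added example (not SearXNG's code and not DuckDuckGo's): a small standard-library server that answers a POSTed `!!alternativeto` query either with a plain `302` (`/search302`, which a Chromium browser blocks under `form-action 'self'` because it re-checks the redirect target) or with a `200` interstitial (`/search`) that finishes the form submission on the origin and then navigates client-side via a meta refresh. That second navigation is not a form submission, so `form-action` does not apply to it, and `Referrer-Policy: no-referrer` keeps the instance URL and query out of the `Referer` header. The form field name `q`, the bang table, the port and the URLs are assumptions made up for the demo.

```python
"""Two ways to answer a double-bang ("!!") search form submission under a
'form-action' CSP. Added example, not SearXNG code; the field name "q", the
bang table, the port and the URLs below are assumptions for the demo.

redirect_302()     - Location redirect. Chromium re-checks form-action on the
                     redirect target, so "form-action 'self'" blocks it.
interstitial_200() - 200 page that ends the form submission on the origin and
                     then navigates client-side; form-action is not consulted
                     for that navigation and no Referer is sent with it.
"""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlsplit

CSP = "default-src 'self'; form-action 'self'; base-uri 'self'"

# Constructed bang table: name -> external search URL template.
EXTERNAL_BANGS = {
    "alternativeto": "https://alternativeto.net/browse/search/?q={q}",
    "github": "https://github.com/search?q={q}",
}

# Point the action at /search302 instead to watch Chromium block the plain redirect.
FORM_PAGE = (b"<!doctype html><form method=post action=/search>"
             b"<input name=q><button>Search</button></form>")


def resolve_bang(query):
    """Return (target_url, remaining_query) for a '!!name' token, or None."""
    words = query.split()
    for i, word in enumerate(words):
        name = word[2:]
        if word.startswith("!!") and name in EXTERNAL_BANGS:
            rest = " ".join(words[:i] + words[i + 1:])
            return EXTERNAL_BANGS[name].format(q=quote(rest, safe="")), rest
    return None


def redirect_302(target):
    """Classic redirect as (status, headers, body)."""
    return 302, {"Location": target, "Content-Security-Policy": CSP}, b""


def interstitial_200(target):
    """Interstitial as (status, headers, body). Refuses non-http(s) targets."""
    if urlsplit(target).scheme not in ("http", "https"):
        raise ValueError("refusing non-http(s) redirect target")
    safe = html.escape(target, quote=True)  # the target lands inside an attribute value
    body = (
        "<!doctype html><html><head><meta charset=utf-8>"
        f'<meta http-equiv="refresh" content="0; url={safe}">'
        "<title>Redirecting</title></head><body>"
        f'<p>Redirecting to <a href="{safe}" rel="noreferrer noopener">{safe}</a></p>'
        "</body></html>"
    ).encode()
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "Referrer-Policy": "no-referrer",  # the hop carries neither the instance URL nor the query
        "Cache-Control": "no-store",
    }
    return 200, headers, body


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._send(200, {"Content-Type": "text/html", "Content-Security-Policy": CSP}, FORM_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        hit = resolve_bang(form.get("q", [""])[0])
        if hit is None:
            self._send(200, {"Content-Type": "text/plain"}, b"no external bang in query\n")
        elif self.path == "/search302":  # blocked by Chromium's form-action check
            self._send(*redirect_302(hit[0]))
        else:  # /search: interstitial, accepted by every browser
            self._send(*interstitial_200(hit[0]))

    def _send(self, status, headers, body):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Start it, open http://127.0.0.1:8080/ in Chromium, submit `Nagios !!alternativeto`, then change the form action to `/search302` and repeat: the interstitial lands on the target, the bare redirect is reported as a `form-action` violation.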
**Is your feature request related to a problem? Please describe.**
When using double-bangs with POST requests, the site you will be redirected to must be added to `form-action` in the CSP, else it will be blocked for violation.

**Describe the solution you'd like**
Find a way to not send form data when redirecting to another site with double-bangs so that every engine does not need to be added to the CSP.

**Describe alternatives you've considered**
Started adding sites to the CSP; it quickly becomes unmaintainable.

**Example**
On my server, try to search for "Nagios !!alternativeto". Since I did not add `alternativeto.net` to `form-action`, this is the result:

**Additional context**
Related: searxng/searxng#140
I totally opened this in the wrong repository first.