-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of github.com:catalyst/moodle-local_csp
- Loading branch information
Showing
10 changed files
with
252 additions
and
65 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
Travis integration: [![Build Status](https://travis-ci.org/catalyst/moodle-local_csp.svg?branch=master)](https://travis-ci.org/catalyst/moodle-local_csp) | ||
[![Build Status](https://travis-ci.org/catalyst/moodle-local_csp.svg?branch=master)](https://travis-ci.org/catalyst/moodle-local_csp) | ||
# moodle-local_csp | ||
|
||
* [Why would you want this?](#why-would-you-want-this) | ||
|
@@ -11,26 +11,36 @@ Why would you want this? | |
------------------------ | ||
Security, security, security. | ||
|
||
This plugin helps you to detect and eliminate security errors in your Moodle such as: | ||
This plugin helps you to detect and mitigate certain classes of security errors in your Moodle such as: | ||
|
||
- Mixed content (https/http) after you switched to HTTPS. | ||
- Same origin (or specified origin) policy for scripts and media data. | ||
- Same origin (or specified origin) policy for scripts and media data. | ||
- Unintended iframes | ||
|
||
What is this? | ||
------------- | ||
This plugin enables [Custom Security Policy headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) across the Moodle website. | ||
This plugin allows you to easily test and rollout [Custom Security Policy headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) across your moodle. | ||
|
||
Examples: | ||
- Report/enforce SSL origin for links, images etc. | ||
- Report/enforce same-origin for links, images etc. | ||
|
||
How does it work? | ||
----------------- | ||
Site admin configures CSP headers: Content-Security-Policy or Content-Security-Policy-Report-Only in the plugin settings. | ||
|
||
Site admin configures CSP headers: `Content-Security-Policy` or `Content-Security-Policy-Report-Only` in the plugin settings. | ||
Header Content-Security-Policy-Report-Only is for recording CSP violations in Moodle and reviewing them later from the plugin's report page. | ||
|
||
Enabling of Content-Security-Policy blocks browser from showing site resources that violate defined rules. | ||
|
||
CSP support in browsers is quite good: | ||
|
||
https://caniuse.com/#search=CSP | ||
|
||
Installation | ||
------------ | ||
Checkout or download the plugin source code into folder `local\csp` of your Moodle installation. | ||
|
||
```sh | ||
git clone [email protected]:catalyst/moodle-local_csp.git local\csp | ||
``` | ||
|
@@ -42,19 +52,22 @@ unzip master.zip -d local/csp | |
``` | ||
Then go to your Moodle admin interface and complete installation and configuration. | ||
Example policy 'default-src https:;' will be reporting or enforcing the links to be HTTPS-only. Please note, the whole moodle website should be accessible via HTTPS for this to work. | ||
|
||
For more examples of other CSP directives please read [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). | ||
|
||
References | ||
---------- | ||
Relevant issue in Moodle tracker: (https://tracker.moodle.org/browse/MDL-46269) | ||
|
||
A complementary plugin which works by searching the moodle DB for bad links: | ||
See also: | ||
|
||
Convert http embedded content to https on https sites where available | ||
https://tracker.moodle.org/browse/MDL-46269 | ||
|
||
A complementary plugin which works by searching the moodle DB for bad links: | ||
https://github.com/moodlerooms/moodle-tool_httpsreplace | ||
|
||
|
||
This plugin was developed by Catalyst IT Australia: | ||
|
||
https://www.catalyst-au.net/ | ||
|
||
<img alt="Catalyst IT" src="https://cdn.rawgit.com/CatalystIT-AU/moodle-auth_saml2/master/pix/catalyst-logo.svg" width="400"> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.