Fonctionnalités de sécurité expérimentales?

Bindusara · December 16, 2023, 3:59pm

Bonjour Yunohost,

Je me demandais ce qui se cachait derriere l’option “Fonctionnalités de sécurité expérimentales”.
Je retrouve bien la valeur sur le github “global_settings_setting_security_experimental_enabled” dans le fichier fr.json.
Par contre, j’ai l’impression que ce n’est pas encore utilisé.
J’hésite à cocher l’option, mais j’aimerai savoir ce que cela entraînera.

Merci pour votre aide.

Bindusara · April 20, 2024, 9:16am

Trying in english

I was wondering what is behind the option ‘Experimental Security Features’. I can see the value on the GitHub ‘global_settings_setting_security_experimental_enabled’ in the file fr.json. However, I have the impression that it is not yet used. I’m hesitant to check the option, but I would like to know what it will entail.

Thank you for your help.

tituspijean · April 20, 2024, 9:38am

Since code is law, let’s delve into the code. Changing this setting triggers the following hook:

github.com

YunoHost/yunohost/blob/debian/11.2.11.2/src/settings.py#L313-L316


      
          @post_change_hook("security_experimental_enabled")
          def reconfigure_nginx_and_yunohost(setting_name, old_value, new_value):
              if old_value != new_value:
                  regen_conf(names=["nginx", "yunohost"])

This hook regenerates the nginx and yunohost configurations:

github.com

YunoHost/yunohost/blob/debian/11.2.11.2/hooks/conf_regen/15-nginx#L70-L71


      
          export experimental="$(yunohost settings get 'security.experimental.security_experimental_enabled' | int_to_bool)"
          ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"

github.com

YunoHost/yunohost/blob/debian/11.2.11.2/conf/nginx/security.conf.inc#L28-L46


      
          {% if experimental == "True" %}
          more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:;";
          {% else %}
          more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
          {% endif %}
          more_set_headers "X-Content-Type-Options : nosniff";
          more_set_headers "X-XSS-Protection : 1; mode=block";
          more_set_headers "X-Download-Options : noopen";
          more_set_headers "X-Permitted-Cross-Domain-Policies : none";
          more_set_headers "X-Frame-Options : SAMEORIGIN";
          
          # Disable the disaster privacy thing that is FLoC
          {% if experimental == "True" %}
          more_set_headers "Permissions-Policy : fullscreen=(), geolocation=(), payment=(), accelerometer=(), battery=(), magnetometer=(), usb=(), interest-cohort=()";
          # Force HTTPOnly and Secure for all cookies
          proxy_cookie_path ~$ "; HTTPOnly; Secure;";
          {% else %}
          more_set_headers "Permissions-Policy : interest-cohort=()";
          {% endif %}

So this setting adds additional headers in the NGINX configuration.
I did not find anything related to “experimental” in the YunoHost configuration, so I guess it’s legacy and the experimental setting got integrated by default.

Bindusara · April 25, 2024, 4:47pm

Nice.
Thanks a lot