Security updates live on IFDB

In a recent update to IFDB, we’ve added a Content Security Policy, designed to provide broad defenses against XSS attacks. https://github.com/iftechfoundation/ifdb/pull/242

The change required updates to almost every part of IFDB, and so it wouldn’t be totally shocking if I broke something while rolling it out.

If you see a new issue, I invite you to reply here, or to file a bug in our suggestion tracker at https://github.com/iftechfoundation/ifdb-suggestion-tracker/issues.

23 Likes

Something seems to have gone awry with game tags:

  • Individual game pages aren’t showing me any of a game’s tags. (Whether I’m logged in or not.)
  • While I’m logged in, the “Your tags: - Edit” link on a game page takes me to a page that says “JavaScript Required” ifdb.org/needjs. This wasn’t the case a few days ago. (Also, tags I know I’ve added aren’t listed.)
  • Things involving tags that still work:
    • The “all tags” pages.
    • Clicking on an individual tag in that tag cloud (to search for games matching a tag) returns results, demonstrating that games do still have the tags, even though they’re not currently shown.
      For instance, clicking on the “crime” tag returns a list including Taco Fiction, but that game’s page does not show the tag “crime”.

Prompted by this, I’ve had a look at other parts of IFDB. Here are some other things I’ve noticed that look broken:

  • The magic that generates links to IFWiki based on IFID no longer seems to be working (whether logged in or not). See for instance Anchorhead: current version and archived version from last month (also demonstrates lack of tags).
    (I have previously noticed the IFWiki link takes a moment to appear, so I guess there’s client-side scripting involved somehow.)
  • Logged in edit-game UI, ifdb.org/editgame?.. (compared to my recent memory), seems pretty broken:
    • The various list-like elements (‘Download Links’, ‘Off-Site Reviews’, ‘Cross-References’) do not list existing data, and there’s no UI to add new entries to the lists either (there used to be a button).
      (I don’t know what happens if you click ‘Save Changes’ in this state – might it lose existing data?)
    • The links to helper pop-ups (like ‘Link to author’s profile’) go to the ‘JavaScript Required’ page.
    • ‘Help’ type links (like ‘Formatting Hints’, ‘Help with License Types’) now open a new tab, not a pop-up.
    • ‘Upload a new image’ button is present, but does little (just moves to top of editgame page).
  • Other edit pages, such as ifdb.org/editcomp?.., seem broken in similar ways – I’ve not looked at all of them.

While my browser settings are moderately locked-down, these functions were working for me a few days ago, nothing obvious has changed on my end, and this seems more likely to be related to the server-side XSS changes.
(I can re-raise this stuff as GitHub issues, but thought it was worth posting here to confirm it’s not specific to me somehow.)

4 Likes

Another forum user notes that spoiler folds don’t open any more.

5 Likes

Clicking on a news item from a game page also gives the “JavaScript Required” page. (For instance, the ‘Annotated Source’ news item on The Statue Got Me High.)
In this case it’s still possible to view the content by clicking ‘Expand all’ instead.

(I guess many of these will turn out to have a few common root causes, so I’m mainly posting this to add to the set of things to check once fixes have gone in.)

4 Likes

@JTN I’m not reproducing the issues you’re reporting here. Do folks on @IFDB-committee reproduce these issues?

I hypothesize that JTN’s browser has cached an old version of our JavaScript, causing strange issues that I won’t be able to reproduce.

Please try viewing IFDB in a private/incognito browser window. If it works there, that will confirm my suspicions.

I’m going to try to prevent future issues like this in a general way with this PR:

1 Like

I have the same suggestion for @heasm66. Does switching to a private/incognito window fix spoiler tags for you?

1 Like

I’m not reproducing the issues. I’m using the dark theme, if that makes a difference. I see tags and when editing I see the fields as filled in with previous information.

1 Like

I don’t have these problems on my Win 11 x64 w/Edge. Or on my iPhone w Safari.

I do have two problems, even in a private window:

  • Review embargo defaults to 1/1/1970, which must be manually cleared.
  • Menu and “hamburger” button on mobile don’t work. If I flip to landscape, the buttons in the menu work fine.

1 Like

I still get the problem with the spoiler I linked in my post (TempestDash on De Baron). I’ve tried on my laptop (Firefox, Chrome) both in normal and private mode and Chrome and Samsung’s browser on my phone (in both private and normal mode).

1 Like

I just deployed the cache busting PR, as well as a fix for the mobile hamburger menu and the 1970 embargo default.

Try it again now?

2 Likes

Yes to both!

2 Likes

Looks like the spoiler problem is specifically caused by that review being spoilers because it was “flagged” by another user, so it’s probably a different part of the CSS.

1 Like

For the cases where I said an issue occurred “whether logged in or not”, the “not” case was actually in a private window. So, at the time I reported, I’d already demonstrated things like tags being missing happening in a private window.
(I have been using IFDB in the past weeks, so it’s totally plausible that I’d have stuff cached, but hopefully this rules that out.)

Coming back to it now (after your cache-busting change), all is still not well for me, but it’s failing a bit differently. A few details below.

Probably relevant: if I load e.g. the Anchorhead game page with the Developer Tools open, the Console shows a load of Content Security Policy errors (both not-private-logged-in and private-window-logged-out):

Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). viewgame:17:1
Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). viewgame:126:1
Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). viewgame:151:1
[etc]

So I guess this is some quirk in my browser’s handling of content security policies, but I’m not au fait with those.
(My browser is Firefox 102.13.0esr, from Debian 11. I have the uBlock Origin extension, but it doesn’t claim to be interfering with ifdb.org. Reloading a page with uBlock Origin disabled doesn’t make things any better.)

Current failures I see: (basically, much the same as before)

  • Still no tags on viewgame (private window or not).
  • “Edit tags” UI on viewgame is kind of expanded out, like if I had Javascript disabled or similar (private window or not, although details are slightly different).
  • IFWiki link still missing on viewgame (private window or no).
  • editgame (not tried private window) still broken in most of the ways I described, including lacking list-type data, but controls which weren’t present before now appear, but in the same expanded-out broken-looking form. (E.g., the first thing on my view of the editgame page is the “Please indicate the copyright status of this image” radio buttons, which normally only show up when editing covers.)
    (Same sort of slew of Content Security Policy errors in console.)
  • editcomp is similarly broken.
  • viewgame News items fail as before. (Private window or no.)
  • De Baron spoiler fold still fails to open. (Plus I now have a bunch of probably-shouldn’t-be-shown UI on the review section of viewgame like “Promote this user”, which was probably supposed to be in a submenu.)

1 Like

Aha! I have reproduced and fixed @JTN’s issue in Firefox ESR 102. (This issue does not affect the latest Firefox 115.)

It looks like we were hitting this bug.

It seems like Firefox doesn’t support nonces in default-src. If you specify the script-src and style-src directives with the necessary sources it should work. I tested this with Firefox 77 and 79.

Our CSP header looked like this:

Content-Security-Policy: default-src 'self' ifdb.org www.google.com 'nonce-$nonce';

Now it looks like this:

Content-Security-Policy: default-src 'self' ifdb.org www.google.com 'nonce-$nonce';
    script-src 'self' ifdb.org www.google.com 'nonce-$nonce';
    style-src 'self' ifdb.org 'nonce-$nonce';

Deploying this change seems to have fixed CSP on Firefox 102 ESR.

4 Likes
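
An added example, not part of any post in this thread and not IFDB's own code: a small Python lint for the situation diagnosed above, run over the two policy strings quoted in that post. It flags script-src or style-src when the nonce reaches them only through the default-src fallback (the case that failed on Firefox ESR 102), and also when an explicit list replaces default-src but omits the nonce; the function names are hypothetical.

```python
# Policies quoted in the thread; $nonce is the page's own placeholder.
BEFORE = "default-src 'self' ifdb.org www.google.com 'nonce-$nonce';"
AFTER = (
    "default-src 'self' ifdb.org www.google.com 'nonce-$nonce'; "
    "script-src 'self' ifdb.org www.google.com 'nonce-$nonce'; "
    "style-src 'self' ifdb.org 'nonce-$nonce';"
)


def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored, as in browsers."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def has_nonce(sources):
    """True if any source expression is a nonce source such as 'nonce-abc'."""
    return any(s.lower().startswith("'nonce-") for s in sources)


def nonce_findings(value, directives=("script-src", "style-src")):
    """Flag directives whose nonce exists only through the default-src fallback,
    or whose explicit source list replaced default-src and dropped the nonce."""
    policy = parse_csp(value)
    default = policy.get("default-src", [])
    findings = []
    for name in directives:
        if name not in policy:
            # Absent directive: the browser falls back to default-src.
            if has_nonce(default):
                findings.append((name, "nonce only inherited from default-src"))
        elif has_nonce(default) and not has_nonce(policy[name]):
            # Present directive: its list replaces default-src, it does not merge.
            findings.append((name, "explicit list replaces default-src and has no nonce"))
    return findings


if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        print(label, nonce_findings(header) or "ok")
```
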

Thanks! I thought it might be something of the kind.

I confirm that fixes everything that only I reported.
(The spoiler fold for De Baron, that @heasm66 first reported, still doesn’t work for me.)

1 Like

I’ve fixed the spoiler fold issue on De Baron. https://ifdb.org/viewgame?id=weac28l51hiqfzxz

This one was totally my fault. I was only attaching a click handler to the first spoiler tag on a page, and not to later spoilers. :flushed:

5 Likes