Tools to help monitor and protect scripts on your web pages which embed Cameo forms.

Cameo Scriptwatch

Cameo monitors nominated pages on your website for changes to the JavaScript scripts they include. Typically, you’ll only monitor those pages which embed forms that can take payments. Currently these form types can take payments: booking, invoice, join, payment, renew, and shopping.

A notification from Cameo alerts you to any change. We check four times daily. If you understand the change and expected it, that’s fine. If not, investigate it: an unexpected new or altered script on a payment page is a warning sign that a plugin or theme has been compromised.

To help you tell Cameo’s own changes from anyone else’s, we now provide a page which lists the scripts Cameo’s forms use and documents changes to them.

We also watch for changes to the page’s Content Security Policy (see below). A malicious plugin could loosen your Content Security Policy so that it can introduce a malicious script which the policy would otherwise block.
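The following is an added example of the kind of check described above, written for this page; it is not Cameo’s own Scriptwatch code. It fingerprints every script a page includes (external src URLs, and a SHA-256 of each inline script body), records the page’s Content Security Policy, and diffs that against a baseline from an earlier scan. The two HTML documents are constructed samples with hypothetical host names; a real monitor would fetch the live page over HTTPS and read the CSP from the response header as well as from any <meta> tag.

```python
"""Scriptwatch-style change monitor (added example, not Cameo's code)."""
import hashlib
from html.parser import HTMLParser

# Constructed baseline: the payment page as first scanned. Host names are hypothetical.
BASELINE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy"
      content="script-src https://www.myorganisation.com/wp-includes/js/jquery/jquery.min.js https://forms.example.com">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://forms.example.com/embed.js"></script>
<script>window.cameoFormId = "booking";</script>
</head><body><div id="cameo-form"></div></body></html>"""

# Constructed later scan: a rogue plugin has loosened the CSP and added a script.
TAMPERED_HTML = BASELINE_HTML.replace(
    'https://forms.example.com">',
    'https://forms.example.com https://cdn.attacker.example">'
).replace(
    "</head>",
    '<script src="https://cdn.attacker.example/skimmer.js"></script></head>'
)


class ScriptCollector(HTMLParser):
    """Collects external script URLs, inline script hashes and a <meta> CSP."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values, kept verbatim (a ?ver= bump is a change too)
        self.inline = []        # sha256 hex digests of inline script bodies
        self.csp = None         # content of <meta http-equiv="Content-Security-Policy">
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_inline, self._buf = True, []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.csp = " ".join(a.get("content", "").split())

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data; collect them for hashing.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode("utf-8")).hexdigest())


def fingerprint(html, csp_header=None):
    """Return the comparable record for one scan of a page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {
        "external": sorted(set(p.external)),
        "inline": sorted(set(p.inline)),
        # A CSP sent as a response header takes precedence over a <meta> one when known.
        "csp": csp_header if csp_header is not None else p.csp,
    }


def diff(baseline, current):
    """List human-readable changes; an empty list means there is nothing to notify."""
    changes = []
    for kind in ("external", "inline"):
        for s in sorted(set(current[kind]) - set(baseline[kind])):
            changes.append(f"added {kind} script: {s}")
        for s in sorted(set(baseline[kind]) - set(current[kind])):
            changes.append(f"removed {kind} script: {s}")
    if baseline["csp"] != current["csp"]:
        changes.append(f"CSP changed from {baseline['csp']!r} to {current['csp']!r}")
    return changes


def scan_for_changes():
    """Compare the constructed later scan against the constructed baseline."""
    return diff(fingerprint(BASELINE_HTML), fingerprint(TAMPERED_HTML))


if __name__ == "__main__":
    for line in scan_for_changes() or ["no changes"]:
        print(line)
```

Run against the samples it reports two items: the added skimmer script and the loosened CSP. Both would appear in the same notification, which is exactly the pairing to treat as hostile: a policy that grows at the same moment a new script origin appears.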

version 10 (current version)

In Cameo version 10, add the pages to monitor in the box provided at forms → server configuration. In nearly all cases your website hosts the pages, so you only need to quote the URL relative to it. Your website, in this context, is the one you give in organisation settings → organisation details. For example, /booking-form/ rather than https://www.myorganisation.com/booking-form/. When you change the list, Scriptwatch starts a scan to collect the list of scripts for the first time, or to re-scan. This usually takes a couple of minutes.

version 11 (forthcoming)

In Cameo version 11, Cameo automatically detects where on your website the pages which embed forms are located, and Scriptwatch monitors any that can take payments without further configuration. Scriptwatch rescans a page when its form changes or when it first detects the page’s location.

cameocsp WordPress plugin

A new WordPress plugin called cameocsp helps you set up a content security policy (CSP) for specific pages on your website. Again, we expect you’ll typically use this on pages which embed forms that take payments. CSP restricts where the scripts that run on a page may come from, so that if someone were to introduce a script maliciously, the browser would refuse to run it. Payment pages should only allow specifically nominated scripts whose purpose you understand. An infected plugin update, for example, might otherwise introduce a rogue script.

You may want to separately set up a more generally applicable policy for your whole site. For example, you could do this in Apache’s .htaccess file. However, WordPress (and plugins in particular) tends to include its scripts on every page whether they are needed there or not. Therefore, you will usually need to make payment pages more restrictive than the site-wide policy.

Install the plugin in the usual way, from forms → wordpress plugins. Once installed, the editor for pages and posts provides a panel at the bottom which:

  • lets you turn on CSP for that page, either enforced or report-only. In the latter case the browser runs the scripts as usual but reports any infringements in its console, so you can see what enforcement would block before you turn it on. On Windows the F12 key opens the console in most browsers. On Mac, it is usually ⌘+ALT+J (⌘ ⌥ J).
  • lists the scripts that Cameo Scriptwatch has detected on the page, each with a tick box (checkbox). Ticking the box permits that script to run on the page. Scripts are not permitted by default.

The plugin uses Cameo Scriptwatch’s list of scripts detected on a page. Therefore, you need to monitor, as above, any page on which you want to use cameocsp. Scriptwatch takes a couple of minutes to analyse a page after you add it to the monitor, so allow a little while for the list of scripts to appear.

To test the effect, open the page as a visitor sees it, in an incognito browser window. (Browsers also sometimes call this guest or private browsing.) This means your WordPress login (which can introduce additional scripts, such as those for the admin bar) does not affect the page.

  • cameocsp automatically includes the scripts required by Cameo forms, so we omit these from the list
  • it also allows Google Fonts unconditionally
  • it provides broad permission for things other than scripts and network connections (styles, images, fonts and so on)
  • you will always want the jQuery core script provided by WordPress. We can’t tick that for you automatically, as versions differ.
  • often, a WordPress theme introduces a script to control things like interaction with sub-menus in your menu bar
  • other scripts may require some trial-and-error. If you allow a script, be sure you know why, and justify and document the reason.
  • payment pages should only use the minimum of scripts necessary to operate the page and the payment. Therefore, you should generally not include sidebars on these pages. Choose a full-width page from the theme’s templates for these; that reduces the number of scripts you need to permit.
  • don’t allow comments or other unrelated interaction on pages embedding forms
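As an added illustration of what the panel described above does when you tick scripts, here is a small policy builder written for this page; it is not the cameocsp plugin’s own code. Given the scripts Scriptwatch detected on a page and the subset you ticked, it builds the page’s Content-Security-Policy header (enforced or report-only) and can check whether a given script URL would be allowed by it. The site name, the forms host, the detected script list and the directives other than script-src are all assumptions chosen for the example, and the matching is a simplification of the CSP host-source rules (no wildcards, nonces or hashes, so inline scripts are not covered).

```python
"""cameocsp-style policy builder for one payment page (added example, not the plugin's code)."""
from urllib.parse import urljoin, urlparse

SITE = "https://www.myorganisation.com"    # the site from organisation details (example name)
FORMS_HOST = "https://forms.example.com"    # hypothetical host serving Cameo's form scripts

# Constructed Scriptwatch list for /booking-form/: relative and absolute URLs, as WordPress emits them.
DETECTED = [
    "/wp-includes/js/jquery/jquery.min.js?ver=3.7.1",
    "/wp-content/themes/mytheme/js/navigation.js?ver=1.2",
    "/wp-content/plugins/some-slider/js/slider.js?ver=4.0",
    "https://www.googletagmanager.com/gtag/js?id=G-XXXX",
]
# The editor ticks only what the payment page needs: jQuery core and the theme's menu script.
TICKED = DETECTED[:2]


def canonical(url):
    """Absolute URL with query and fragment removed; CSP ignores both when matching paths."""
    p = urlparse(urljoin(SITE + "/", url))
    return f"{p.scheme}://{p.netloc}{p.path}"


def build_policy(detected, ticked):
    """Return the page's CSP as a dict of directive -> list of sources."""
    unknown = [u for u in ticked if u not in detected]
    if unknown:
        raise ValueError(f"not on the Scriptwatch list for this page: {unknown}")
    # Each permitted script is listed by exact path, so an unticked file on the same
    # origin (a rogue plugin's script, say) is still blocked: 'self' is deliberately absent.
    script_src = [canonical(u) for u in ticked] + [FORMS_HOST]
    return {
        "default-src": ["'self'"],
        "script-src": script_src,
        "connect-src": ["'self'", FORMS_HOST],
        "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
        "font-src": ["'self'", "https://fonts.gstatic.com"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }


def header(policy, report_only):
    """Header name and value. Report-only logs violations to the console but blocks nothing."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())
    return name, value


def script_allowed(policy, url):
    """Would script-src let this URL load? Simplified host-source matching: scheme and host
    must match; a source with no path permits the whole origin, a path ending in '/' is a
    directory prefix, and any other path must match the file exactly."""
    target = urlparse(canonical(url))
    for source in policy["script-src"]:
        if source == "'self'":
            if f"{target.scheme}://{target.netloc}" == SITE:
                return True
            continue
        src = urlparse(source)
        if (src.scheme, src.netloc) != (target.scheme, target.netloc):
            continue
        if src.path in ("", "/"):
            return True
        if src.path.endswith("/"):
            if target.path.startswith(src.path):
                return True
        elif target.path == src.path:
            return True
    return False


if __name__ == "__main__":
    pol = build_policy(DETECTED, TICKED)
    print(*header(pol, report_only=True), sep=": ")
    print(*header(pol, report_only=False), sep=": ")
```

Two properties of the result are worth checking in the console test described above: a WordPress core update that bumps jQuery’s ?ver= still loads, because the query string is not part of the match, while a script from an unticked plugin directory on your own domain is refused, because the policy names files rather than granting 'self'. The report-only header value is the one to deploy first; once the console shows only violations you expect, switch to the enforcing name. The same value is what you would place in a site-wide Apache Header set Content-Security-Policy "..." directive, though as the page notes a site-wide policy normally has to be looser than a payment page’s.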