New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modify interface for CSP options #277
Comments
Hey @vejja Thanks for this extensive research and description! I really like the idea of making things simpler. I am totally into getting rid of nonce in the headers if it is possible. This would make working with CSP and nonce much smoother. However, for your proposed change about merging nonce and ssg options, I think this is not a good idea. The module is aimed for SSR apps mainly (due to the usage of server middleware). What the user gets while using this module in SSG is the CSP delivered as http-equiv, remove console loggers, and some smaller utils. That is why, I think that additional configuration option for ssg is fine. For the nonce however, it would be useful to have is as a part of security.headers.contentSecurityPolicy but the current interface (that is also generic for other headers) is that inside security.headers.contentSecurityPolicy you would just get the HTTP directives. And nonce is a special case of CSP that you may want to use but you dont have to. It is an additional layer of protection. So in summary,
Let me know what you think about it :) |
Ok, it makes sense and agree it will work for our users. The thing I'm trying to scratch my head around is the following
On the first point, this means that we need to keep placeholders. Maybe I can try to clarify this in the docs, WDYT? |
I think the docs should do the trick. We don't have to deliver everything to the user. It would be awesome but as you know, security is not easy ;) So giving users right tools is also a fine approach IMO. Let's give them tools and instructions on how they can solve their issues :) |
Ok then I'll update the docs
In summary: |
Yes, I think this approach should be safe. It could be better of course but this will lead to breaking changes that I wont to avoid now :) Thanks for doing the summary! Maybe we could add a note in the documentation about usage of the module in SSR vs SSG? With the summary of what user get by using certain approach What do you think about it? |
I am clarifying the docs section right now + adding a brand new section in 'Advanced' on CSP to cover edge cases |
Awesome, let me know once it is ready. I will do my best to help. Thanks for everything. I really appreciate it! |
🚀 PR #282 |
Is your feature request related to a problem? Please describe.
Currently, the options to set up CSP headers in Nuxt Security are found in different places
headers: contentSecurityPolicy
header, with optionally a'nonce-{{nonce}}'
placeholdernonce: boolean
option for SSRssg: hashScripts
option for SSGOur users can sometimes get confused on how to setup CSP properly, depending on whether they are trying to use CSP-strict mode and whether they are using SSR or SSG modes.
Describe the solution you'd like
1- eliminate the
'nonce-{{nonce}}'
placeholder fromheaders
2- regroup CSP setup under a new option:
Rationale for the Proposal
1- On the suppression of the
'nonce-{{nonce}}'
placeholder: this parameter can conflict with the currentnonce
option. If'nonce-{{nonce}}'
is used butnonce
is set to false, it blocks the page. The opposite is also true. In addition,nonce: true
is ignored with SSG. Finally, our users sometimes use'nonce-{{nonce}}'
on non-nonceable elements, leading to questions as to why the page blocks.2- On the introduction of the
cspNonceOrHashes
option: this parameter makes it clear that we are dealing with both SSR and SSG at the same time. There is no more need to think about the differences between SSR (nonce
option) and SSG (ssg
option), Nuxt Security will use nonces for SSR and hashes for SSG automatically. In addition, it makes it clear where the nonce or hash will be included, and what sensible defaults should be used.Implementation Guidelines
The implementation SHOULD follow the following logic:
if cspNonceorHashes.addToScriptSrc is true:
script-src
policyscript-src
policyscript-src
policy.else:
if cspNonceorHashes.addToStyleSrc is true:
style-src
policystyle-src
policystyle-src
policyelse:
The old
ModuleOptions
syntax MAY be marked as deprecated but SHOULD continue to be supported in future versions.Describe alternatives you've considered
A first alternative would be to use a more generic term such as
{{nonceOrHash}}
placeholders inheaders: contentSecurityPolicy
. This would make it clear that the nonce or hash will be included in the corresponding section of the CSP header. It's a clean alternative, that eliminates the need for both thenonce
option and thessg
option. However it does not prevent users from including this placeholder on non-nonceable elements, nor does it make clear that we can only process <script> and <style> elements, and that scripts should be processed by default but styles should not be processed by default.Another alternative would be to fully deprecate the
headers: contentSecurityPolicy
option, and regroup all CSP functionalities under a comprehensivecsp
option. This would make sense as CSP is a separate and complex feature in its own, and setting its options via the headers syntax is not easy. In addition CSP is not transmitted via headers but via<meta>
tag when using SSG. However CSP is also a HTTP header, and it also makes sense to indicate that we will send the header in SSR mode.Additional context
The background for this proposal lies fundamentally in the CSP syntax itself, which is well-known to be incredibly complex.
script-src
orstyle-src
, inline scripts and styles are allowed. However this is not recommendedscript-src
orstyle-src
, this cancels the 'unsafe-inline' directive. In other words, any inline script or style not corresponding to the nonce or hash will be disallowed. However external scripts and styles can still be whitelisted individually.script-src
and thestyle-src
policiesintegrity
attribute. Unfortunately this is how it works, so in the SSG case there are two possibilities:'strict-dynamic'
only applies to scripts and not to styles. So, as far as styles are concerned, we are always back to CSP Level 2.style-src
policyThe text was updated successfully, but these errors were encountered: