
Add support for CSP hashes #100

Closed
RehanSaeed opened this issue May 11, 2017 · 14 comments

@RehanSaeed
Contributor

Here is a really good blog post showing how it can be done.

@MovGP0

MovGP0 commented Jul 16, 2017

Currently have the issue that some inline styles are not loading properly besides having the .Self() defined. Support for hashes would solve that problem.

There should be support for unsafe inline, and for a hash like 'sha256-dnk3F1ZGrgh9Kvk9Vn3ptiaFUoFeGRayv9lz2urXGw8='.

@klings
Member

klings commented Jul 16, 2017 via email

@MovGP0

MovGP0 commented Jul 16, 2017

In fact, nonces are what I do. I would still prefer to use hashes instead.

@MovGP0

MovGP0 commented Jul 16, 2017

Currently, I use the tag helpers. This gets rid of the browser issues, but it is not something that can be configured centrally and requires the usage of ASP.NET MVC. In other projects, it is more tricky to do that, since there might be no MVC at all.

Maybe there is a solution I have missed?

@RehanSaeed
Contributor Author

Pages with hashes in them can be cached, while nonces cannot.

@MovGP0

MovGP0 commented Sep 21, 2017

I have the issue that a page gets generated by a library that I am using and I am unable to put a nonce on it. The current solution is to allow 'unsafe-inline', but I would sleep much better with a hash instead, since it's always the same.

@HugCoder

HugCoder commented Oct 25, 2017

This is a big issue right now, since many web browsers block inline scripting as well by ignoring things like safe-inline. How do I add hashes to the whitelist in CustomSources?

I can't find documentation on how to use nonces either, except for using the NWebsec Tag Helpers package.

@troyhunt

troyhunt commented Nov 7, 2017

This seems like a bit of a no-brainer, can you allow a hash as a valid value for a script source? Nonces are a halfway-there approach and they're a good start, but it'd be great if NWebSec enabled a stricter definition of what's allowed to run.

@klings
Member

klings commented Nov 8, 2017 via email

@jmaxxz

jmaxxz commented Nov 21, 2017

If one does not have many inline scripts, the following workaround can be used:

```csharp
app.UseCsp(options => options
    .DefaultSources(s => s.Self())
    .ScriptSources(s =>
    {
        s.Self().CustomSources("https://example.com/foo/lib.js",
            "https://www.example.com/bar/lib.js");

        // Force hashes into custom sources. Can't be done with CustomSources(...)
        // because CustomSources(...) checks if strings are URIs, and a hash
        // source is a quoted keyword rather than a URI.
        s.CustomSources = s.CustomSources.Concat(new[] { "'sha256-...='" });
    })
);
```

@klings
Member

klings commented Mar 25, 2018

Released

@klings klings closed this as completed Mar 25, 2018
@GSingha

GSingha commented Nov 27, 2018

> If one does not have many inline scripts the following workaround can be used:
>
> ```csharp
> app.UseCsp(options => options
>     .DefaultSources(s => s.Self())
>     .ScriptSources(s =>
>     {
>         s.Self().CustomSources("https://example.com/foo/lib.js",
>             "https://www.example.com/bar/lib.js");
>
>         // Force hashes into custom sources. Can't be done with CustomSources(...)
>         // because CustomSources(...) checks if strings are uris
>         s.CustomSources = s.CustomSources.Concat(new[] { "'sha256-...='" });
>     })
> );
> ```

I have added the hashes but still getting the same CSP error. Would you please take a look at the below code snippet:
```csharp
app.UseCsp(options => options
    .DefaultSources(s => s.Self())
    .ScriptSources(s =>
    {
        s.Self();
        s.CustomSources("http://localhost:xyz");
        s.CustomSources = s.CustomSources.Concat(new[]
        {
            "'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='",
            "'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='",
            "'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='"
        });
        s.CustomSources = s.CustomSources.Where(x => x != "http://localhost:xyz").ToList();
    })
    .StyleSources(c =>
    {
        c.Self();
        c.CustomSources("http://localhost:xyz");
        c.CustomSources = c.CustomSources.Concat(new[]
        {
            "'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='",
            "'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='",
            "'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='"
        });
        c.CustomSources = c.CustomSources.Where(x => x != "http://localhost:xyz").ToList();
    })
    .ImageSources(i =>
    {
        i.SelfSrc = true;
        i.Self().CustomSources(
            "http://www.xyz.co.uk",
            "https://www.xyz.co.uk",
            "https://*.twitter.com/",
            "https://*.twimg.com/",
            "http://*.amazon.com/",
            "http://*.twitter.com/",
            "http://*.google-analytics.com",
            "data:",
            "https://maps.googleapis.com/",
            "https://*.gstatic.com/",
            "http://*.gravatar.com/",
            "http://*.gravatar.com/",
            "http://umbraco.tv/media",
            "https://dashboard.umbraco.org",
            "https://www.buysubscriptions.com",
            "https://umbraco.tv"
        );
    })
    .ConnectSources(c =>
    {
        c.SelfSrc = true;
        c.Self().CustomSources("https://secure.brightcove.com/",
            "https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/",
            "https://xyz1",
            "https://xyz2");
    })
    .FrameSources(f =>
    {
        f.SelfSrc = true;
        f.Self().CustomSources("https://secure.brightcove.com/",
            "https://www.youtube.com/embed/",
            "http://www.youtube.com/embed/",
            "https://syndication.twitter.com",
            "https://platform.twitter.com",
            "https://www.google.com/recaptcha/",
            "https://www.gstatic.com/recaptcha/",
            "https://players.brightcove.net/",
            "https://xyz");
    })
    .FontSources(fn =>
    {
        fn.SelfSrc = true;
        fn.Self().CustomSources("fonts.gstatic.com/s/");
    })
);
```

Error details:
For style: refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-xxxxxxxxxxxxxxxxxxxxx=' ......ither the 'unsafe-inline' keyword, a hash ('sha256-xxxxxxxxxxxxxxxxxxxxxxx='), or a nonce ('nonce-...') is required to enable inline execution.

For script: Refused to load the script 'http://platform.twitter.com/widgets.js' because it violates the following Content Security Policy directive: "script-src 'self' 'sha256-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='

Thanks,
Gadadhar
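The two errors quoted above illustrate the two things a CSP hash source does and does not do: it authorises an inline block only when the digest of the block's exact bytes matches, and it never authorises a fetched URL such as the Twitter widget, which needs a host source in the same directive. The following is an added example, written in Python rather than the project's C# and not part of NWebsec, that computes hash sources the way a browser does and checks what a given `script-src`/`style-src` source list allows. The matching rules are a simplified reading of CSP: ports are ignored and a host source without a scheme accepts both http and https; the inline body, host list and page origin are constructed sample values.

```python
"""Compute CSP hash sources and check what a script-src/style-src list allows.

Added example, not NWebsec code. Simplified CSP matching: ports are ignored
and a host source without a scheme accepts http and https.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

HASH_TOKEN = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$")


def csp_hash(content: str, algo: str = "sha256") -> str:
    """CSP hash source for an inline <script>/<style> body.

    The digest covers the exact UTF-8 bytes between the opening and closing
    tag, untrimmed: an added newline or space yields a different hash.
    """
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def script_src_directive(host_sources, inline_bodies) -> str:
    """Assemble script-src: 'self', host sources, then one hash per inline body.

    Hash sources are quoted keywords, not URIs, so they are appended as their
    own group instead of being passed through a URI-validating host list.
    """
    hashes = sorted({csp_hash(body) for body in inline_bodies})
    return "script-src " + " ".join(["'self'", *host_sources, *hashes])


def parse_directive(directive: str):
    """Split "script-src 'self' 'sha256-...' https://a.example;" into (name, sources)."""
    name, *sources = directive.strip().rstrip(";").split()
    return name, sources


def inline_allowed(sources, content: str) -> bool:
    """True if an inline body may run under the source list.

    Once any hash or nonce source is listed, browsers ignore 'unsafe-inline',
    so the body must then match one of the listed hashes exactly.
    """
    has_hash_or_nonce = any(HASH_TOKEN.match(s) or s.startswith("'nonce-") for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    for s in sources:
        m = HASH_TOKEN.match(s)
        if m and csp_hash(content, m.group(1)) == s:
            return True
    return False


def _host_matches(pattern_host: str, host: str) -> bool:
    """'*.example.com' matches subdomains only; any other pattern must be equal."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def external_allowed(sources, url: str, page_origin: str) -> bool:
    """True if a fetched script/style URL is permitted by the source list.

    Hash and nonce sources never authorise a URL: a fetched resource needs
    'self', a scheme source, or a matching host source.
    """
    target = urlsplit(url)
    origin = urlsplit(page_origin)
    for s in sources:
        if s == "'self'":
            if (target.scheme, target.netloc) == (origin.scheme, origin.netloc):
                return True
            continue
        if s.startswith("'"):                       # keyword, hash or nonce source
            continue
        if s.endswith(":") and "/" not in s:        # scheme source such as data: or https:
            if s[:-1].lower() == target.scheme:
                return True
            continue
        pat = urlsplit(s if "://" in s else "//" + s)
        if not pat.hostname:
            continue
        if pat.scheme and pat.scheme != target.scheme:   # an explicit scheme must match
            continue
        if not _host_matches(pat.hostname, (target.hostname or "").lower()):
            continue
        if pat.path and pat.path != "/":            # trailing '/' is a prefix, else exact
            if pat.path.endswith("/"):
                if not target.path.startswith(pat.path):
                    continue
            elif target.path != pat.path:
                continue
        return True
    return False


if __name__ == "__main__":
    # Constructed inline body, host list and page origin.
    body = "document.getElementById('year').textContent = new Date().getFullYear();"
    directive = script_src_directive(["https://example.com/foo/lib.js"], [body])
    print(directive)
    _, srcs = parse_directive(directive)
    print("inline body allowed:", inline_allowed(srcs, body))
    print("same body plus trailing newline allowed:", inline_allowed(srcs, body + "\n"))
    print("external widget allowed:",
          external_allowed(srcs, "http://platform.twitter.com/widgets.js", "https://www.example.org"))
```

Running the script shows the two failure modes from the error output above: the hashed body passes while the same body with a trailing newline is refused, and the external widget URL is refused regardless of how many hashes are listed, because only a host source (here it would also have to allow plain http) can admit it.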

@bkqc

bkqc commented Apr 9, 2021

Where can we find documentation on the hash support?
