Remove the CSP nonce from the CSP header #4
Conversation
Spec is here: http://www.w3.org/TR/CSP2/#directive-script-src "If 'unsafe-inline' is not in the list of allowed script sources, or if at least one nonce-source or hash-source is present in the list of allowed script sources:" The intention is to let sites start to lock things down with nonce and/or hashes while specifying unsafe-inline so CSP1.0-compliant browsers don't break on the site. It's a transition state. Note this means that if you use a nonce/hash it's not possible to use javascript: urls or inline event handlers. It's as if the policy didn't have unsafe-inline at all. Probably worth throwing a warning on the web console if we encounter both unsafe-inline and a hash/nonce. It's not an error, but it might be a mistake. ("warning, 'unsafe-inline' is ignored when hash or nonce also used") Further discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=1004703
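The CSP2 rule quoted in the comment above is easy to get wrong in a server's header generation, so here is a small model of it in Python. This is an added example, not hackpad's code or anything from the Firefox/Chrome implementations; the header strings, nonce values and script bodies it uses are constructed for illustration. It parses a Content-Security-Policy value, decides whether one inline script may run, and returns the console warning suggested above when 'unsafe-inline' sits next to a nonce-source or hash-source. A csp_level=1 flag models a CSP 1.0 browser, which does not recognise nonce/hash source expressions, drops them, and therefore still honours 'unsafe-inline' (the transition state the comment describes).

```python
"""Model of the CSP2 script-src rule: if a nonce-source or hash-source is present,
'unsafe-inline' is ignored. Added example, not project code; all header values
and script text below are constructed for illustration."""
import base64
import hashlib
import re

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)'$")
UNSAFE_INLINE = "'unsafe-inline'"
IGNORED_WARNING = "'unsafe-inline' is ignored when hash or nonce also used"


def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs scripts; default-src is the fallback when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def script_hash(content, algo="sha256"):
    """Base64 digest of inline script text, the form used in a hash-source."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def inline_script_allowed(header, nonce=None, content=None, csp_level=2):
    """Decide whether a single inline script may run under `header`.

    nonce:     value of the script element's nonce attribute; None for inline
               event handlers and javascript: URLs, which cannot carry a nonce
    content:   the script text, matched against any hash-sources
    csp_level: 1 models a CSP 1.0 browser that cannot parse nonce/hash
               sources, ignores them, and so still honours 'unsafe-inline'
    Returns (allowed, console_warning_or_None).
    """
    sources = script_sources(parse_csp(header))
    unsafe_inline = UNSAFE_INLINE in sources

    nonces, hashes = set(), set()
    for source in sources:
        m = NONCE_RE.match(source)
        if m:
            nonces.add(m.group(1))
        m = HASH_RE.match(source)
        if m:
            hashes.add((m.group(1), m.group(2)))

    if csp_level < 2 or not (nonces or hashes):
        # Either the browser cannot see nonce/hash sources, or there are none:
        # 'unsafe-inline' alone decides.
        return unsafe_inline, None

    # CSP2: a nonce-source or hash-source is present, so 'unsafe-inline' is
    # ignored and the script must match one of them. Flag the likely mistake.
    warning = IGNORED_WARNING if unsafe_inline else None
    if nonce is not None and nonce in nonces:
        return True, warning
    if content is not None:
        for algo, digest in hashes:
            if script_hash(content, algo) == digest:
                return True, warning
    return False, warning


if __name__ == "__main__":
    # Constructed header of the kind discussed in this thread.
    header = "script-src 'self' 'unsafe-inline' 'nonce-abc123'"
    print("nonced script, CSP2   :", inline_script_allowed(header, nonce="abc123"))
    print("onclick handler, CSP2 :", inline_script_allowed(header))
    print("nonced script, CSP1.0 :", inline_script_allowed(header, csp_level=1))
```

Two cases are worth noticing in the output: an inline event handler (no nonce) is blocked under CSP2 even though the header says 'unsafe-inline', which is exactly the point made above, and the same header still permits it on a CSP 1.0 browser, which is why a site might ship both during a transition.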
@igorkofman Any reason for closing this without comment? As is, hackpad doesn't work locally in Firefox.
Can you point to a page that is broken?
@devd The homepage is broken, so I can't even create an account.
That is weird: Chrome has had this nonce enforcement on for a very long time. Does this also not work on Chrome for you?
This only happens in Firefox.
Hmm... I am able to load hackpad.com fine and it has a policy with a nonce in it too. What version of Firefox are you on?
I've confirmed that this is broken in the following versions of Firefox: 40, 41.0b3, and Developer Edition.
And that exact page works fine in Chrome?
This seems more like a bug in Firefox's CSP implementation; instead of removing the nonce, can you try removing the unsafe-inline?
It's not a bug, but a choice that Firefox has made when dealing with a CSP header that contains both. I've attempted to remove
Chrome has had that behavior for a while and that's what the spec mandates. In my tests, the nonce attribute has the right value, but Firefox isn't executing the script. Let me investigate. Sorry about that. Just the warning isn't a red flag, though: Firefox has a separate bug https://bugzilla.mozilla.org/show_bug.cgi?id=1165614 about showing mistaken warnings.
https://bugzilla.mozilla.org/show_bug.cgi?id=1198422 They will likely uplift soon; if you modify your patch to version detect
@devd I'll open a new PR that sends a single policy |
When trying to load the homepage in Firefox 40, I get the following error in the console
This is due to nonce-source and unsafe-inline being included in the CSP header. I've removed the CSP nonce to make everything work again.