
Remove the CSP nonce from the CSP header #4

Closed
kyleconroy wants to merge 1 commit

Conversation

kyleconroy
Contributor

When trying to load the homepage in Firefox 40, I get the following error in the console

Content Security Policy: Ignoring "'unsafe-inline'" within script-src: nonce-source or hash-source specified

This is due to nonce-source and unsafe-inline being included in the CSP header.

Note this means that if you use a nonce/hash it's not possible to use
javascript: urls or inline event handlers. It's as if the policy didn't
have unsafe-inline at all. Probably worth throwing a warning on the web
console if we encounter both unsafe-inline and a hash/nonce. It's not an
error, but it might be a mistake. ("warning, 'unsafe-inline' is ignored
when hash or nonce also used")
-- Bug 1004703

I've removed the CSP nonce to make everything work again.

Spec is here: http://www.w3.org/TR/CSP2/#directive-script-src

  "If 'unsafe-inline' is not in the list of allowed script sources, or
   if at least one nonce-source or hash-source is present in the list of
   allowed script sources:"

The intention is to let sites start to lock things down with nonce
and/or hashes while specifying unsafe-inline so CSP1.0-compliant
browsers don't break on the site. It's a transition state.

Further discussion here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1004703
igorkofman closed this Aug 21, 2015
@kyleconroy
Contributor Author

@igorkofman Any reason for closing this without comment? As is, hackpad doesn't work locally in Firefox.

@devd

devd commented Aug 22, 2015

Can you point to a page that is broken?

@kyleconroy
Contributor Author

@devd The homepage is broken, so I can't even create an account.

@devd

devd commented Aug 22, 2015

That is weird: Chrome has had this nonce enforcement on for a very long time. Does this also not work on Chrome for you?

@kyleconroy
Contributor Author

This only happens in Firefox.

@devd

devd commented Aug 24, 2015

Hmm .. I am able to load hackpad.com fine and it has a policy with nonce in it too. What version of Firefox are you on?

@kyleconroy
Contributor Author

I've confirmed that this is broken in the following versions of Firefox: 40, 41.0b3, and Developer Edition.

@devd

devd commented Aug 24, 2015

And that exact page works fine in Chrome?

@devd

devd commented Aug 24, 2015

This seems more like a bug in Firefox's CSP implementation; instead of removing the nonce, can you try removing the unsafe-inline?

@kyleconroy
Contributor Author

It's not a bug, but a choice that Firefox has made when dealing with a CSP header that contains both unsafe-inline and a nonce. See the linked bug in the description for more context.

I've attempted to remove unsafe-inline and unsafe-eval and I'm still getting CSP errors.

@devd

devd commented Aug 24, 2015

Chrome has had that behavior for a while and that's what the spec mandates. In my tests, the nonce attribute has the right value, but Firefox isn't executing the script. Let me investigate. Sorry about that.

Just the warning isn't a red flag though: Firefox has a separate bug https://bugzilla.mozilla.org/show_bug.cgi?id=1165614 about showing mistaken warnings.

@devd

devd commented Aug 26, 2015

https://bugzilla.mozilla.org/show_bug.cgi?id=1198422

They will likely uplift soon; if you modify your patch to version-detect and modify the policy, or better yet just send one policy, we can merge it back in.

@kyleconroy
Contributor Author

@devd I'll open a new PR that sends a single policy
