Generate inline script SHA for Content-Security-Policy #3427

Closed
jarreds opened this Issue Jan 6, 2018 · 9 comments

@jarreds commented Jan 6, 2018

Gatsby uses inline JavaScript, so we have to include script-src 'unsafe-inline'; in the Content Security Policy. I think we can tighten this up from a security perspective.

I imagine we can take some inspiration from (or use) https://bitbucket.org/atlassianlabs/csp-webpack-plugin and get SHA hashes of the inline scripts. This would render the unsafe-inline directive unnecessary and we could get SHA hashes of the known inline scripts.

I'm pretty new to the javascript ecosystem. I'd like to try to help build a gatsby plugin to make this happen. Could anyone give just a little bit of guidance on the proper way to setup a webpack plugin that can analyze the resulting inline scripts in Gatsby? If so, I think I can hack something together.

@zionis137 (Contributor) commented Jan 7, 2018

Inline style elements also have the same problem.

As I see it the attack vector is mainly from user-controlled input. So for example a markdown file with an inline script.
So just parsing the final output and generating hashes from all inline scripts won't add security because the evil-markdown-script will also get a hash.

@jarreds commented Jan 7, 2018

Yes, you’re definitely correct that a build-time attack is still a possibility with this feature.

With CSP in-line SHAs I’m hoping to add an additional layer of XSS protection for those of us who persist and render user input with backend APIs.

@zionis137 (Contributor) commented Jan 7, 2018

> With CSP in-line SHAs I'm hoping to add an additional layer of XSS protection for those of us who persist and render user input with backend APIs.

You mean something like this, right?

(Without testing) I would say that the csp-webpack-plugin generates hash for every script, even evil ones. So it might not be a good inspiration 👿

@zionis137 (Contributor) commented Jan 15, 2018

As far as I can see there are only 2 inline scripts after the build, here and here

And one inline style here

Is this correct or am I missing cases?

@jarreds commented Jan 17, 2018

Yeah, those are the ones I've encountered thus far.

@zionis137 (Contributor) commented Jan 17, 2018

Then, as the next step, you should follow the contributing guide and set up your local gatsby-dev.

As a proof of concept you can first modify "static-entry" directly and insert the rules as a meta tag, but in the long run the CSP should be sent via a header (e.g. plugin-netlify) and not be enabled by default.

@Graham42 commented Feb 16, 2018

I can take a look at this sometime next week unless someone else already is?

@zionis137 (Contributor) commented Feb 16, 2018

@Graham42 That would be great.

I did not work more on it, only the very basic proof of concept: master...zionis137:topics/csp

@KyleAMathews (Contributor) commented Sep 8, 2018

Due to the high volume of issues, we're closing out older ones without recent activity. Please open a new issue if you need help!
