Generate inline script SHA for Content-Security-Policy

[jarreds]

Gatsby uses inline javascript so we have to include a script-src 'unsafe-inline'; in the content security policy. I think we can tighten this up from a security perspective.

I imagine we can take some inspiration from (or use) https://bitbucket.org/atlassianlabs/csp-webpack-plugin and get SHA hashes of the inline scripts. This would render the unsafe-inline directive unnecessary and we could get SHA hashes of the known inline scripts.

I'm pretty new to the javascript ecosystem. I'd like to try to help build a gatsby plugin to make this happen. Could anyone give just a little bit of guidance on the proper way to setup a webpack plugin that can analyze the resulting inline scripts in Gatsby? If so, I think I can hack something together.

[ghost]

inline style elements also have the same problem

As I see it the attack vector is mainly from user-controlled input. So for example a markdown file with an inline script.
So just parsing the final output and generating hashes from all inline scripts won't add security because the evil-markdown-script will also get a hash.

[jarreds]

Yes, you’re definitely correct that a build-time attack is still a possibility with this feature.

With CSP in-line SHAs I’m hoping to add an additional layer of XSS protection for those of us who persist and render user input with backend APIs.

[ghost]

With CSP in-line SHAs I’m hoping to add an additional layer of XSS protection for those of us who persist and render user input with backend APIs.

You mean something like this right?

(Without testing) I would say that the csp-webpack-plugin generates hash for every script, even evil ones. So it might not be a good inspiration 👿

[ghost]

As far as I can see there are only 2 inline scripts after the build, here and here

And one inline style here

Is this correct or am I missing cases?

[jarreds]

Yeah, those are the ones I've encountered thus far.

[ghost]

Then as next step you should follow the contributing guide and set up your local gatsby-dev.

As a proof of concept you can first modify "static-entry" directly and insert the rules as meta tag but on the long-run the CSP should be sent via header (e.g. plugin-netlify) and not enabled by default

[Graham42]

I can take a look at this sometime next week unless someone else already is?

[ghost]

@Graham42 That would be great.

I did not work more on it, only the very basic concept-proof: master...zionis137:topics/csp

[KyleAMathews]

Due to the high volume of issues, we're closing out older ones without recent activity. Please open a new issue if you need help!