Add nonce to feature detection iframe #290
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
es-module-shims creates an iframe to do feature
detection. However, if a site is using CSP then
this iframe is blocked unless the CSP config allows
frame-src to use blobs, which prevents es-module-shims
from running. In chrome that error looks like:
Refused to frame 'blob:http://localhost:3000/477a88e6-fb4c-48fd-a677-2ba7fb69fc45'
because it violates the following Content Security Policy directive:
"default-src 'self' https:". Note that 'frame-src' was not explicitly set,
so 'default-src' is used as a fallback.
In safari it looks like:
Refused to load blob:https://cors-test.herokuapp.com/12cecc46-329e-4791-a73b-4824852d1ad1
because it appears in neither the child-src directive nor the default-src
directive of the Content Security Policy.
To prevent this, I've updated `feature.js` to set a nonce
value on the iframe, and this fixes the error.
|
This PR is part of my attempt to fix rails/rails#45057 - there are more details there and you can see the issue in action (with v1.3.4 of es-module-shims) here |
|
Thanks for the PR, happy to merge. Any ideas why the existing CSP tests aren't catching this? |
|
@guybedford I've investigated why the csp tests weren't catching this and I've discovered a few things:
Based on that I'd suggest reverting this PR but adding |
|
The change from blob to script was in #265, which means the original issue should have been fixed from v1.4.7 onwards |
iainbeeston
added a commit
to iainbeeston/es-module-shims
that referenced
this pull request
May 16, 2022
Previously there was no default set so any files could be loaded from anywhere (except for scripts which were allow-listed). This changes the csp so that by default only localhost can be used. This should detect issues like guybedford#290.
iainbeeston
added a commit
to iainbeeston/es-module-shims
that referenced
this pull request
May 16, 2022
Previously there was no default set so any files could be loaded from anywhere (except for scripts which were allow-listed). This changes the csp so that by default only localhost can be used. This should detect issues like guybedford#290.
Merged
|
I've added #293 to update |
iainbeeston
added a commit
to iainbeeston/importmap-rails
that referenced
this pull request
May 16, 2022
The current version of es-module-shims provided by importmap-rails (v1.4.6) requires allowing `frame-src: blob:` in an app's CSP policy (it creates an iframe with a blob as it's source in order to perform feature detection). This is quite a permissive thing to allow in csp and I wouldn't recommend it if there is an alternative. Since v1.4.7 es-module-shims no longer uses a blob and it will work with `script-src: 'self'` instead. I've upgraded to the latest version, which is v1.5.5. For more details about the CSP issue and it's fix see: * guybedford/es-module-shims#265 * guybedford/es-module-shims#290
dhh
pushed a commit
to rails/importmap-rails
that referenced
this pull request
May 22, 2022
The current version of es-module-shims provided by importmap-rails (v1.4.6) requires allowing `frame-src: blob:` in an app's CSP policy (it creates an iframe with a blob as it's source in order to perform feature detection). This is quite a permissive thing to allow in csp and I wouldn't recommend it if there is an alternative. Since v1.4.7 es-module-shims no longer uses a blob and it will work with `script-src: 'self'` instead. I've upgraded to the latest version, which is v1.5.5. For more details about the CSP issue and it's fix see: * guybedford/es-module-shims#265 * guybedford/es-module-shims#290
smartech7
pushed a commit
to smartech7/ruby-import-maps
that referenced
this pull request
Aug 4, 2023
The current version of es-module-shims provided by importmap-rails (v1.4.6) requires allowing `frame-src: blob:` in an app's CSP policy (it creates an iframe with a blob as it's source in order to perform feature detection). This is quite a permissive thing to allow in csp and I wouldn't recommend it if there is an alternative. Since v1.4.7 es-module-shims no longer uses a blob and it will work with `script-src: 'self'` instead. I've upgraded to the latest version, which is v1.5.5. For more details about the CSP issue and it's fix see: * guybedford/es-module-shims#265 * guybedford/es-module-shims#290
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
es-module-shims creates an iframe to do feature
detection. However, if a site is using CSP then
this iframe is blocked unless the CSP config allows
frame-src to use blobs, which prevents es-module-shims
from running. In chrome that error looks like:
In safari it looks like:
To prevent this, I've updated
feature.jsto set a noncevalue on the iframe, and this fixes the error.