New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add nonce to feature detection iframe #290
Conversation
es-module-shims creates an iframe to do feature detection. However, if a site is using CSP then this iframe is blocked unless the CSP config allows frame-src to use blobs, which prevents es-module-shims from running. In chrome that error looks like: Refused to frame 'blob:http://localhost:3000/477a88e6-fb4c-48fd-a677-2ba7fb69fc45' because it violates the following Content Security Policy directive: "default-src 'self' https:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback. In safari it looks like: Refused to load blob:https://cors-test.herokuapp.com/12cecc46-329e-4791-a73b-4824852d1ad1 because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy. To prevent this, I've updated `feature.js` to set a nonce value on the iframe, and this fixes the error.
This PR is part of my attempt to fix rails/rails#45057 - there are more details there and you can see the issue in action (with v1.3.4 of es-module-shims) here |
Thanks for the PR, happy to merge. Any ideas why the existing CSP tests aren't catching this? |
@guybedford I've investigated why the csp tests weren't catching this and I've discovered a few things:
Based on that I'd suggest reverting this PR but adding |
The change from blob to script was in #265, which means the original issue should have been fixed from v1.4.7 onwards |
Previously there was no default set so any files could be loaded from anywhere (except for scripts which were allow-listed). This changes the csp so that by default only localhost can be used. This should detect issues like guybedford#290.
Previously there was no default set so any files could be loaded from anywhere (except for scripts which were allow-listed). This changes the csp so that by default only localhost can be used. This should detect issues like guybedford#290.
I've added #293 to update |
The current version of es-module-shims provided by importmap-rails (v1.4.6) requires allowing `frame-src: blob:` in an app's CSP policy (it creates an iframe with a blob as it's source in order to perform feature detection). This is quite a permissive thing to allow in csp and I wouldn't recommend it if there is an alternative. Since v1.4.7 es-module-shims no longer uses a blob and it will work with `script-src: 'self'` instead. I've upgraded to the latest version, which is v1.5.5. For more details about the CSP issue and it's fix see: * guybedford/es-module-shims#265 * guybedford/es-module-shims#290
The current version of es-module-shims provided by importmap-rails (v1.4.6) requires allowing `frame-src: blob:` in an app's CSP policy (it creates an iframe with a blob as it's source in order to perform feature detection). This is quite a permissive thing to allow in csp and I wouldn't recommend it if there is an alternative. Since v1.4.7 es-module-shims no longer uses a blob and it will work with `script-src: 'self'` instead. I've upgraded to the latest version, which is v1.5.5. For more details about the CSP issue and it's fix see: * guybedford/es-module-shims#265 * guybedford/es-module-shims#290
The current version of es-module-shims provided by importmap-rails (v1.4.6) requires allowing `frame-src: blob:` in an app's CSP policy (it creates an iframe with a blob as it's source in order to perform feature detection). This is quite a permissive thing to allow in csp and I wouldn't recommend it if there is an alternative. Since v1.4.7 es-module-shims no longer uses a blob and it will work with `script-src: 'self'` instead. I've upgraded to the latest version, which is v1.5.5. For more details about the CSP issue and it's fix see: * guybedford/es-module-shims#265 * guybedford/es-module-shims#290
es-module-shims creates an iframe to do feature
detection. However, if a site is using CSP then
this iframe is blocked unless the CSP config allows
frame-src to use blobs, which prevents es-module-shims
from running. In chrome that error looks like:
In safari it looks like:
To prevent this, I've updated
feature.js
to set a noncevalue on the iframe, and this fixes the error.