CSP: defaultSrc should not be required
#237
Comments
|
My understanding, which may be wrong, is that a missing Would you be okay setting As another option, you can avoid Helmet's CSP module entirely to get more control. Here's a quick sketch of what that could look like: const contentSecurityPolicy = [
"script-src 'self' example.com",
"style-src 'self'",
// ...
].join(";");
app.use((req, res, next) => {
res.setHeader("Content-Security-Policy", contentSecurityPolicy);
next();
});I'm open to reverting this behavior but want to learn more before I do so. |
|
I mean, I'm using other parts of helmet now, would rather keep using it (though the other change where you can no longer use a function inside a directive, e.g. for nonce generation, is a step backwards as well I feel.) I realize I can set the headers myself. A |
I didn't realize that—thanks for sending. I made a judgment call here: I want people to explicitly say "I'm doing something dangerous". This was inspired, in part, by React's Of course, that's subjective. Is it truly dangerous to omit a You probably already know this, but for anyone else running into this problem, here's what you could do: app.use(helmet({
contentSecurityPolicy: false,
}));
app.use(myCspMiddleware);I'm willing to budge on this, but given that there's a hopefully-not-too-horrible workaround, I'd want to see more support for this before I made the change.
Another judgment call on my part, which we should discuss further in a separate issue. A summary: I got a bunch of issues about conditional middleware usage in various forms, but it was tricky to do holistically. For example, should all of CSP's directives be a function, or should each directive be a function? Should My solution was to get out of the business of conditional middleware entirely, and rely on documentation. You can see this wiki page which shows how to do this, which I hope is helpful. |
I've changed my mind on this part and plan to add this back. You can try out the release candidate today ( |
Perfect, thanks! // Additional configuring of CSP to mitigate errors from Helmet default settings
// read more here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
const scriptSrcUrls = [
'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js',
'https://api.tiles.mapbox.com/mapbox-gl-js/v0.51.0/mapbox-gl.js',
'https://api.mapbox.com/mapbox-gl-js/plugins/mapbox-gl-geocoder/v2.3.0/mapbox-gl-geocoder.min.js',
'https://kit.fontawesome.com/7870957ffd.js',
'https://code.jquery.com/jquery-3.3.1.slim.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js'
];
const styleSrcUrls = [
'https://kit-free.fontawesome.com/releases/latest/css/free.min.css',
'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css',
'https://api.mapbox.com/mapbox-gl-js/plugins/mapbox-gl-geocoder/v2.3.0/mapbox-gl-geocoder.css',
'https://api.tiles.mapbox.com/mapbox-gl-js/v0.51.0/mapbox-gl.css'
];
const contentSecurityPolicy = [
"script-src 'unsafe-inline' 'self' " + scriptSrcUrls.join(' '),
"style-src 'self' " + styleSrcUrls.join(' '),
"worker-src 'self' blob:" // specific to scripts used in my app, not necessarily something you need
].join(';');
app.use((req, res, next) => {
res.setHeader('Content-Security-Policy', contentSecurityPolicy);
next();
});I could probably write an additional npm package to allow for easy inclusion of script/style source urls, unless you felt like it could be added directly to Helmet. e.g., const cspConfig: {
scriptSrcUrls: [
'https://somecdn.com/somescript.js',
// ...
],
styleUrls: [
'https://somecdn.com/somestyle.css',
// ...
],
}
app.use(helmet(cspConfig)); |
|
I'm loading a simple apiDoc static page on express with helmet 4.1.0 and getting this error with csp enabled on helmet Don't konw if it's related or not. In version 3.22.1 of helmet it wasn't a problem.
|
|
@jnardone I think we've solved your initial problem, but let me know if that's wrong and we can reopen. @molaeiali Your issue seems unrelated to this one. Would you mind creating a new issue? |
|
Of course, thanks |
|
Just now seeing Thanks! |
|
@EvanHahn bringing this one back up. Being forced to define a If you follow something like https://csp.withgoogle.com/docs/strict-csp.html then you can't do this through helmet CSP -- you don't WANT a default-src because you don't care about enforcement for most categories. I want to use helmet CSP; I know I could just write my own header, but we use helmet everywhere else and I like the declarativity of it. But I can't define the google recommended strict CSP policy because of Using a defaultSrc of '*' does not work as it still applies to style-src, which we don't want ANY rules to apply to. |
|
But I did want to clarify an earlier comment: |
|
@jnardone When does |
|
I saw it immediately on inline styles:
|
|
That makes sense. How would you feel about an API like this? app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: null,
// ...
},
})
);This would require you to explicitly disable |
|
@EvanHahn yes, that would work. i don't miind if the default is set, but i need a way to be able to unset it. |
|
I'll plan to add this soon, ideally in the next few days. |
|
Haven't gotten to this yet, apologies. |
|
Just put up #278, a change that should address this. If it looks good, I'll merge and deploy soon, probably this weekend or next. |
|
@jnardone Actually, what happens if you set |
|
There is no way I am putting unsafe inline into the policy as a default. So that wouldn’t work for me. That ends up applying to lots of categories that I don’t want to give that permission to. Basically I need to be able to set rules without using the default because I do not want the behavior of the default to kick in.
… On Dec 10, 2020, at 8:50 AM, Evan Hahn ***@***.***> wrote:
@jnardone Actually, what happens if you set default-src to ["*", "unsafe-inline"]? Does that solve your problem?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
But isn't the default to allow everything, if you don't supply it? I'm probably misunderstanding... |
|
The spec is confusing and vague around Basically: if the goal of this module is to provide a way to express different types of policies, then one way that should be possible is to explicitly NOT set a default-src policy directive. |
|
Makes sense. I'll move forward with that pull request.
|
|
This has been released in app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
// ...
},
})
); |
The new CSP module says it is a lot less restrictive on policy definition, but it added some new restrictions.
defaultSrc now apparently required, though if you follow guidelines like Google's strict CSP, it is not necessary. https://csp.withgoogle.com/docs/strict-csp.html
If you read the specifications for V2 https://www.w3.org/TR/CSP2/ and V3 https://www.w3.org/TR/CSP3/ there is no mention that default-src is required.
But with the latest Helmet, now I must define a default even if I don't want to use it. Without it I get
"Content-Security-Policy needs a default-src but none was provided"The text was updated successfully, but these errors were encountered: