
[BUG]: the <host-source> and <scheme-source> must not be wrapped in quotes #3

Closed
czabaj opened this issue Sep 20, 2021 · 6 comments
Labels: bug (Something isn't working), released

Comments

@czabaj

czabaj commented Sep 20, 2021

Description

I'm using the vite-plugin-csp and it's currently buggy for me for it is wrapping the specified URLs in single quotes, which is not valid (according to MDN CSP documentation) and it is also ignored by the browser (Chrome 93.0.4577.63).

I believe the problem is on this LOC, the wrapping is done for all the sources, but it must be applied only to some of them.

Given how complicated the syntax for <host-source> might be, I would probably go for testing all keywords and crypto sources, rather than testing <host-source> and <scheme-source>.

Something like

```js
// Hash algorithms CSP accepts in <hash-source> (sha256-, sha384-, sha512-)
const hashAlgorithms = ['sha256', 'sha384', 'sha512'];

// Matches only the source expressions that must be single-quoted:
// keywords, 'nonce-<base64>' and '<alg>-<base64>' hash sources.
const applyQuoteRe = new RegExp(
  `^(nonce-.+|none|report-sample|self|strict-dynamic|unsafe-eval|unsafe-hashes|unsafe-inline|${hashAlgorithms.join('-.+|')}-.+)$`
);
```

might do the job, but this rule applies not only to script-src, but also to style-src and probably more policies and there might be more keywords specified for other policies, which I'm unaware of, as I'm a newbie in terms of CSP. So you might opt-out for testing the <host-source> and <scheme-source>, just beware that testing the URI of <host-source> might be very complicated as the CSP allows to use wildcards and omit the scheme, thus the Node.js URL cannot be used.

@czabaj czabaj added the bug Something isn't working label Sep 20, 2021
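The quoting rule discussed above, as an added example that is not code from vite-plugin-csp or from the issue author: keywords, nonce sources and hash sources are the only CSP source expressions that take single quotes; everything else (host sources such as `https://cdn.example.com` or `*.example.com`, and scheme sources such as `https:`) is emitted verbatim. The function names, the `CSP_KEYWORDS` list and the sample policy are assumptions made for this example. It goes slightly beyond the regex in the report by also stripping quotes that were wrongly applied to a host source, which is the exact symptom the screenshots in this thread show.

```javascript
// Added example: decide which CSP source expressions must be single-quoted.
// Not vite-plugin-csp's own code; names below are chosen for this example.

// Keyword sources defined by CSP Level 3 (shared by script-src, style-src, ...).
const CSP_KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes',
  'strict-dynamic', 'report-sample', 'wasm-unsafe-eval',
]);

// Hash algorithms accepted in a <hash-source>.
const HASH_ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// nonce-<base64> and <alg>-<base64>; base64 and base64url alphabets, optional padding.
const NONCE_OR_HASH_RE = new RegExp(
  `^(nonce|${HASH_ALGORITHMS.join('|')})-[A-Za-z0-9+/_-]+=*$`
);

// Remove a leading/trailing single quote so the check is idempotent and also
// repairs input that was already (wrongly or rightly) quoted upstream.
function stripQuotes(source) {
  return source.replace(/^'|'$/g, '');
}

// True only for keywords, nonces and hashes; host and scheme sources return false.
function needsQuotes(source) {
  const bare = stripQuotes(source);
  return CSP_KEYWORDS.has(bare) || NONCE_OR_HASH_RE.test(bare);
}

// Emit the source in the form the browser will actually honour.
function quoteSource(source) {
  const bare = stripQuotes(source);
  return needsQuotes(bare) ? `'${bare}'` : bare;
}

// Serialise { directive: [sources...] } into a policy string.
function buildPolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources.map(quoteSource)].join(' '))
    .join('; ');
}

// Constructed sample policy for demonstration (not from the thread).
const samplePolicy = buildPolicy({
  'script-src': ['self', "'https://cdn.example.com'", 'nonce-r4nd0mV4lu3', 'https:'],
  'style-src': ['self', '*.example.com', 'sha256-abc123+/=', 'unsafe-inline'],
});
console.log(samplePolicy);
```

Running it prints `script-src 'self' https://cdn.example.com 'nonce-r4nd0mV4lu3' https:; style-src 'self' *.example.com 'sha256-abc123+/=' 'unsafe-inline'`: the host source that arrived wrapped in quotes is unwrapped, while the keywords, nonce and hash keep theirs. Quoting a host source is not merely cosmetic: Chrome silently drops the malformed expression, so a policy that looks restrictive can end up allowing nothing from that origin and breaking the page rather than protecting it.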
@josh-hemphill
Owner

I'll try and get this fixed. Though vite-plugin-csp is still unfinished, I'm now looking at rewriting it in a monorepo containing some shared functionality to provide SSG and framework specific SSR plugins/libraries so that things like CSP nonces can be used and hashes be accurate to the files provided at various paths, all of which aren't really possible through only the build hooks currently.

github-actions bot pushed a commit that referenced this issue Oct 4, 2021
## [1.1.8](v1.1.7...v1.1.8) (2021-10-04)

### Bug Fixes

* 🐛 fix quoting of policies ([ed84e27](ed84e27)), closes [#3](#3)
@github-actions

github-actions bot commented Oct 4, 2021

🎉 This issue has been resolved in version 1.1.8 🎉

The release is available on:

Your semantic-release bot 📦🚀

@josh-hemphill
Owner

Still need to update vite-plugin-csp, but I should be able to get to that tomorrow. 🤞

@josh-hemphill
Owner

@czabaj I've updated vite-plugin-csp, ran into some typing issues and it took a little longer. Should be good now.

@czabaj
Author

czabaj commented Oct 11, 2021

Thanks @josh-hemphill

Just tested it and there must be an issue in the linaria plugin as well. The URIs are still quoted.

See the attached screenshots (2021-10-11 at 10:21:48, 10:23:21, 10:23:45 and 10:24:02).

@josh-hemphill
Owner

Yep, I just went through and double checked the output of vite-plugin-csp, and it seems to be correct there. Though I'm not sure how another plugin would introduce quoting to the internal values of meta strings...
