Ensured csp sanitises tags using a hash only if the visited page is cached #38637
base: 2.4-develop
Conversation
…ched otherwise it uses a nonce
Hi @digitalrisedorset. Thank you for your contribution! Add a comment under your pull request to deploy a test or vanilla Magento instance:
❗ Automated tests can be triggered manually with an appropriate comment:
Allowed build names are:
You can find more information about the builds here. For more details, review the Code Contributions documentation.
$this->generateHashValue($tagData->getContent()) | ||
) | ||
); | ||
if (!empty(self::$tagMeta[$tagData->getTag()]['hash'])) { |
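Review bot: the branch at the end of the hunk tests `self::$tagMeta[$tagData->getTag()]['hash']` right after `generateHashValue($tagData->getContent())` is computed, but the visible lines do not show where that static entry is written or what decides between the hash and the nonce path, and the entry is keyed only by tag name; please add a docblock on the helper stating that hashes are used only for cached pages, and confirm that rendering two inline tags with the same tag name on one page does not let the second overwrite the first entry's hash.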
Rather than adding the sanitisation logic in the main InlineUtil helper, I have chosen to simplify this file and instead delegate the inline whitelisting logic to a new model. I was unsure whether to use models or helpers, but the PR as it is does reduce the complexity of this helper file and I hope it is a good way forward.
@digitalrisedorset using hashes will increase the size of the header. We were seeing the issue that the page is not able to load with Varnish.
Only use a nonce when the page is not cached; otherwise use a hash
Description (*)
The csp policy validation can enable inline javascript to be used. However, the csp renderTag mechanism is built in a safe way to ensure the inline javascript cannot be a weak area for a possible hacker attack. In this PR, when the rendering tag action is processed, it only triggers the nonce generation for non-cached pages. Otherwise, a dynamically generated sha number is allocated to a policy to tell Magento this particular inline script is safe.
Related Pull Requests
Fixed Issues (if relevant)
Manual testing scenarios (*)
Test 1
Allow inline script in the csp config and verify it is possible to use inline script without using renderTag csp method and without csp error in the console
Test 2
Disable inline script in the csp config and enable the inline script for a specific page and verify it is possible to use inline script without using renderTag csp method and without csp error in the console
Test 3
Disable inline script in the csp config and add an inline javascript in a page that is cached and verify an error appears in the console
Test 4
Disable inline script in the csp config and add an inline javascript in a page that is not cached and verify an error appears in the console
Test 5
Disable inline script in the csp config and add an inline javascript in a page that is cached and use the csp renderTag method and verify no error appears in the console and a hash policy was dynamically assigned to the tag
Test 6
Disable inline script in the csp config and add an inline javascript in a page that is not cached and use the csp renderTag method and verify no error appears in the console and a nonce was dynamically assigned to the tag
Questions or comments
I have a use case that is ambiguous: if the csp config does not allow inline javascript and an inline javascript snippet is in the non-cached page, we currently have an error and the browser console tells you to add a sha number to make this inline script safe. In short, we can leave the inline script without calling the renderTag method and we can allow it thanks to a sha config.
Contribution checklist (*)
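As an added illustration of the rule this PR describes (nonce for pages that are not cached, content hash for cached pages), here is a small stand-alone PHP helper. It is not Magento's own InlineUtil code; the class `InlineScriptPolicy`, its methods and the sample scripts are hypothetical and constructed for this example. It also makes the header-size trade-off raised in review visible: every hashed script adds one source to `script-src`, while one nonce covers every tag on the page.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added illustration, not Magento's InlineUtil) applying the
 * rule this PR describes: a per-response nonce for pages that are not cached,
 * a content hash for cached pages. A nonce written into a cached page would be
 * replayed to every visitor and no longer be single-use, so only a hash is
 * stable there.
 */
final class InlineScriptPolicy
{
    /** @var string[] script-src sources collected while rendering this response */
    private array $sources = [];
    private ?string $nonce = null;
    private bool $pageIsCached;

    public function __construct(bool $pageIsCached)
    {
        $this->pageIsCached = $pageIsCached;
    }

    /** CSP hash source: base64 of the raw SHA-256 digest of the exact script text. */
    public static function hashSource(string $content): string
    {
        return "'sha256-" . base64_encode(hash('sha256', $content, true)) . "'";
    }

    /** One 128-bit nonce per response, shared by every inline tag on the page. */
    private function nonce(): string
    {
        if ($this->nonce === null) {
            $this->nonce = base64_encode(random_bytes(16));
        }
        return $this->nonce;
    }

    /**
     * Render an inline <script> and record the source that allows it.
     * $content must be developer-authored code: hashing or noncing a snippet
     * that embeds unescaped user input would whitelist the injection with it.
     */
    public function renderScript(string $content): string
    {
        if ($this->pageIsCached) {
            $this->sources[] = self::hashSource($content);
            return '<script>' . $content . '</script>';
        }
        $nonce = $this->nonce();
        $this->sources[] = "'nonce-" . $nonce . "'";
        return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">' . $content . '</script>';
    }

    /** The script-src directive to emit in the Content-Security-Policy header. */
    public function scriptSrcDirective(): string
    {
        return "script-src 'self' " . implode(' ', array_unique($this->sources));
    }
}

// Constructed sample: the same three inline scripts rendered for a cached and a non-cached page.
$scripts = ['console.log("a");', 'console.log("b");', 'window.checkout = {};'];
$cached = new InlineScriptPolicy(true);
$live   = new InlineScriptPolicy(false);
foreach ($scripts as $js) {
    $cached->renderScript($js);
    $live->renderScript($js);
}

// The trade-off raised in review: each hashed script adds one source of roughly
// 50 bytes to the header, while the nonce policy stays one entry long no matter
// how many tags are rendered.
foreach (['cached' => $cached, 'not cached' => $live] as $label => $policy) {
    $directive = $policy->scriptSrcDirective();
    printf("%-10s %s (%d bytes)\n", $label, $directive, strlen($directive));
}
```

Run it with `php` on the command line; the hash directive is the one to compare against the `sha256-…` value the browser console reports for a blocked inline script, and the nonce directive must carry the same value that appears in the rendered `nonce` attribute.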