Ensured csp sanitises tags using a hash only if the visited page is cached #38637
Conversation
…ched otherwise it uses a nonce
|
Hi @digitalrisedorset. Thank you for your contribution! Add the comment under your pull request to deploy test or vanilla Magento instance:
❗ Automated tests can be triggered manually with an appropriate comment:
Allowed build names are:
You can find more information about the builds here For more details, review the Code Contributions documentation. |
m2-community-project
bot
added
the
Priority: P2
| $this->generateHashValue($tagData->getContent()) | ||
| ) | ||
| ); | ||
| if (!empty(self::$tagMeta[$tagData->getTag()]['hash'])) { |
There was a problem hiding this comment.
rather than adding the sanitisation logic in the main InlineUtil helper, I have chosen to simplify this file and instead delegate the inline whitelisting logic to new model. I was unsure to use models or helpers but the PR as it is does reduce the complexity of this helper file and I hope it is a good way forward
digitalrisedorset
changed the title
|
@digitalrisedorset using hashes will increase the size of the header. We were seeing the issue that page is not able to load with Varnish. |
Only use nonce when the page is not cached otherwise uses hash
Description (*)
The csp policy validation can enable inline javascript to be used. However, using csv renderTag mechanism build in a safe way to ensure the inline javascript cannot be a weak area for a possible hacker attack. In this PR, when the rendering tag action is processed, it only triggers the nonce generation for non cached pages. Otherwise, a dynamically generated sha number is allocated to a policy to tell Magento this particular inline script is safe
Related Pull Requests
Fixed Issues (if relevant)
Manual testing scenarios (*)
Test 1
Allow inline script in the csp config and verify it is possible to use inline script without using renderTag csp method and without csp error in the console
Test 2
Disable inline script in the csp config and enable the inline script for a specific page and verify it is possible to use inline script without using renderTag csp method and without csp error in the console
Test 3
Disable inline script in the csp config and add an inline javascript in a page that is cached and verify an error appears in the console
Test 4
Disable inline script in the csp config and add an inline javascript in a page that is not cached and verify an error appears in the console
Test 5
Disable inline script in the csp config and add an inline javascript in a page that is cached and use the csp renderTag method and verify no error appears in the console and a hash policy was dynamically assigned to the tag
Test 6
Disable inline script in the csp config and add an inline javascript in a page that is not cached and use the csp renderTag method and verify no error appears in the console and a nonce was dynamically assigned to the tag
Questions or comments
I have a use case that is ambiguous: if the csv config does not allow inline javascript and an inline javascript snippet is in the non cached page, we currently have an error and the browser console tells to add a sha number to make this inline script safe. In short, we can leave the inline script without calling the renderTag method and we can allow it thanks to a sha config.
Contribution checklist (*)