
Allow setting strict-dynamic on strict-src-elem and set it by default #41571

Merged
merged 2 commits into master from fix/allow-strict-dynamic-elem on Nov 17, 2023

Conversation

susnux
Contributor

@susnux susnux commented Nov 17, 2023

Summary

Add a function to set 'strict-dynamic' on script-src-elem only, which allows setting it while weakening the CSP less.
This is required for modern JS code that uses `import`, which does not allow nonces to be used (there is simply no way to set a nonce on an import). Chrome then enforces the nonce rule and fails because there is none.
So instead of setting 'strict-dynamic' on every script source, we only trust scripts provided via `<script>` tags by default, and only if they have the nonce set.

Checklist
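To make the trade-off in the description concrete, below is an added model of how a browser resolves script loads under the three header shapes (no 'strict-dynamic', 'strict-dynamic' on script-src, 'strict-dynamic' on script-src-elem only). It is an illustration written for this page, not Nextcloud's ContentSecurityPolicy class and not code from this PR. It assumes a nonce-only script policy (no 'self', which is the situation where an un-nonced import cannot load), one constructed allow-listed host (https://cdn.example) and a constructed page origin (https://cloud.example); only nonces, 'self', plain host sources, 'unsafe-inline' and 'strict-dynamic' are modelled, and only for script loads.

```python
"""Constructed model of how 'strict-dynamic' on script-src-elem interacts with nonces.

Added illustration only: not Nextcloud's ContentSecurityPolicy class and not a
complete CSP Level 3 implementation.
"""
import secrets
from typing import Optional

SELF_ORIGIN = "https://cloud.example"   # constructed origin of the page itself
EXTRA_HOSTS = ("https://cdn.example",)  # constructed allow-listed host on script-src


def new_nonce() -> str:
    """128 bits of randomness; generated per response and never reused."""
    return secrets.token_urlsafe(16)


def build_policy(nonce: str, strict_dynamic_on: Optional[str], extra_hosts=()) -> dict:
    """Script directives of a nonce-based policy (assumption: no 'self', so only
    nonced scripts and the explicitly listed hosts are trusted).

    strict_dynamic_on: None              -> no 'strict-dynamic' anywhere
                       "script-src"      -> the old "every script source" option
                       "script-src-elem" -> the new default: script-src keeps its
                                            sources, only the element directive
                                            gets 'strict-dynamic'
    """
    policy = {"script-src": [f"'nonce-{nonce}'", *extra_hosts]}
    if strict_dynamic_on == "script-src":
        policy["script-src"].append("'strict-dynamic'")
    elif strict_dynamic_on == "script-src-elem":
        policy["script-src-elem"] = [f"'nonce-{nonce}'", "'strict-dynamic'"]
    elif strict_dynamic_on is not None:
        raise ValueError(f"unknown directive {strict_dynamic_on!r}")
    return policy


def serialize(policy: dict) -> str:
    """Header value as sent in Content-Security-Policy."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def effective_directive(policy: dict, kind: str, supports_elem: bool) -> str:
    """CSP3: <script> elements and the requests they trigger (module imports have
    request destination "script") are governed by script-src-elem; script-src is
    the fallback when the directive is absent or the browser predates it."""
    if kind in ("element", "import") and supports_elem and "script-src-elem" in policy:
        return "script-src-elem"
    return "script-src"


def source_matches(source: str, origin: str) -> bool:
    """Host-source matching reduced to exact origin comparison (the real algorithm
    also handles wildcards, paths and scheme-only sources)."""
    if source == "'self'":
        return origin == SELF_ORIGIN
    return not source.startswith("'") and source == origin


def script_allowed(policy: dict, kind: str, *, nonce: Optional[str] = None,
                   origin: str = SELF_ORIGIN, parser_inserted: bool = True,
                   supports_elem: bool = True) -> bool:
    """Decide one script load.

    kind: "element" (a <script src> tag), "import" (an ES module dependency, which
          has no attribute to carry a nonce) or "inline" (inline <script> text).
    parser_inserted: True for markup from the HTML parser or document.write(),
          False for scripts created by already-running script (createElement,
          dynamic import()). Module dependency fetches are never parser-inserted.
    """
    sources = policy[effective_directive(policy, kind, supports_elem)]
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if nonce is not None and nonce in nonces:
        return True
    if "'strict-dynamic'" in sources:
        # Host sources, 'self' and 'unsafe-inline' are ignored; the trust given to
        # the nonced root script propagates only to non-parser-inserted loads.
        return kind == "import" or not parser_inserted
    if kind == "inline":
        return "'unsafe-inline'" in sources
    return any(source_matches(s, origin) for s in sources)


def outcome_matrix(nonce: str) -> dict:
    """The same page under the three variants; outer key is where 'strict-dynamic'
    sits ("none", "script-src" or "script-src-elem")."""
    cdn = EXTRA_HOSTS[0]
    cases = {
        "nonced module tag": dict(kind="element", nonce=nonce),
        "import from that module": dict(kind="import"),
        "import, legacy browser": dict(kind="import", supports_elem=False),
        "allow-listed host tag, no nonce": dict(kind="element", origin=cdn),
        "allow-listed host tag, legacy browser": dict(kind="element", origin=cdn,
                                                      supports_elem=False),
        "createElement by trusted script": dict(kind="element", parser_inserted=False),
        "document.write by trusted script": dict(kind="element", parser_inserted=True),
    }
    return {
        variant or "none": {
            name: script_allowed(build_policy(nonce, variant, EXTRA_HOSTS), **args)
            for name, args in cases.items()
        }
        for variant in (None, "script-src", "script-src-elem")
    }


if __name__ == "__main__":
    n = new_nonce()
    for v in (None, "script-src", "script-src-elem"):
        print(serialize(build_policy(n, v, EXTRA_HOSTS)))
    for v, results in outcome_matrix(n).items():
        print(v, results)
```

Two things the matrix makes visible that the description does not spell out: with 'strict-dynamic' on either directive, the script-src allow-list no longer admits an un-nonced `<script>` tag in a CSP3 browser, and a browser that does not implement script-src-elem falls back to script-src, so with the new default such a browser still enforces the old nonce-plus-allow-list rule (and therefore still blocks un-nonced imports). Both follow from the CSP3 fallback and 'strict-dynamic' rules, not from anything specific to this project.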

@susnux susnux added 3. to review Waiting for reviews security labels Nov 17, 2023
@susnux susnux requested review from nickvergessen, juliushaertl, a team, ArtificialOwl, Fenn-CS and sorbaugh and removed request for a team November 17, 2023 10:12
…-src-elem` only

This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keeping the default rules for `script-src`.
The idea is to allow loading module JS which imports other files and thus does not allow nonces on the imports, only on the initial script tag.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the fix/allow-strict-dynamic-elem branch from b137a35 to c209295 on November 17, 2023 10:12
@susnux susnux added this to the Nextcloud 28 milestone Nov 17, 2023
@susnux
Contributor Author

susnux commented Nov 17, 2023

Backports requested where applicable (ex: critical bugfixes)

We added support for this with NC27 but I do not think we should backport the default change. Opinions?

… on `script-src-elem`

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the fix/allow-strict-dynamic-elem branch from c209295 to e231abd on November 17, 2023 13:42
@susnux
Contributor Author

susnux commented Nov 17, 2023

Fixed one test I forgot to update.

@susnux
Contributor Author

susnux commented Nov 17, 2023

Documentation: nextcloud/documentation#11291

@susnux susnux merged commit 4fa2749 into master Nov 17, 2023
49 of 50 checks passed
@susnux susnux deleted the fix/allow-strict-dynamic-elem branch November 17, 2023 17:03
@blizzz blizzz mentioned this pull request Nov 20, 2023