-
Notifications
You must be signed in to change notification settings - Fork 21.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update the form_tag helper to comply with CSP #11407
Conversation
👍 Though I would call the class 'default_tags':
Very cool. CSP is an important component of security; I was planning to add CSP stuff myself. |
/cc @NZKoz |
@Alamoz I would be fine with changing the name of the class. I named it based on the method where it gets created |
This adds Stylesheet definition in scaffold's css. But what happens incase there is no scaffold stylesheet present i.e you used |
@rbhitchcock the label 'extra_tags' is within the context of |
@gaurish has a good point, a Rails app doesn't generate any css by default, so currently there isn't any place to put that css. But it is certainly good to follow CSP recommendations and those inline style elements are considered insecure. Someone will have to decide whether to add a default stylesheet to rails apps. Also, there is discussion to the effect that inline style elements are not a real security threat (see http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0015.html) and that JQuery relies on inline style elements for things like tooltips. So this warrants further investigation. I'm surprised there doesn't seem to be a sub team checking for security weakness in rails. |
@rbhitchcock I think the inline style tags from ActionView::Helpers::FormTagHelper should just be removed altogether and let users extend |
@Alamoz I was actually about to suggest the same thing. They seem to serve no purpose. Initially I didn't define the class in the CSS generator but at the last moment decided to duplicate the style definition. |
I've sent a message to a web security expert asking his opinion on the vulnerability of inline style sheets. Will post his comments here if and when he responds. Still think you should just remove them. |
The style is there because without them it caused some rendering glitches in some browser or other, before we remove them we'd have to use git blame to track down the original commit and verify that it's not an issue anymore. From memory the div was only added for some misguided HTML validation reason. No one validates HTML anymore so perhaps the real fix is to just have the inputs inside the form? If it is an issue, then we'd probably have to leave them in by default because, as mentioned, we don't ship any CSS by default. We could add an option to form_tag to skip the div entirely perhaps? As for the security issues of inline styles, there are various dangerous things you can do with expressions and moz-binding etc, which is why the CSP disallows them. However there's no issue with the values we're current,y generating, |
+1 for option to form_tag something like |
@gaurish That sounds like the best solution. I still prefer just removing it. Not finding anything with git-blame, just one comment about inline styles at some point past where the change occurred, so it looks like the change was uncommented when committed. |
Yes, there were rendering issues in certain browsers, this behavior was absolutely intended. |
So the correct way to do it then is to have those tags render by default and if a developer cares more about CSP compliance than compatibility with older browsers an initialization parameter to form_tag will disable them. @gaurish 's suggestion of |
"However there's no issue with the values we're currently generating" As far as anyone knows at this point 😉 Apparently it isn't the values themselves that are the problem. |
That makes sense to me as well. I will get this request updated in a day or two. Thanks to everyone for the help! |
I contacted Adam Barth (http://www.schemehostport.com/) and though he didn't offer details (something security experts are loath to do) here is what he had to say: "Inline style elements certainly give the attacker leverage. The question isn't whether it's a vulnerability but rather how severe a vulnerability." A good video of a talk he gave on CSP: http://www.youtube.com/watch?v=pocsv39pNXA cc/ @tenderlove |
@Alamoz you're missing the point a bit here, there's no question about whether the code we're generating is insecure, it's not. There's no vulnerability at all ever from setting padding and margin on a div. The issue is that the content security policy doesn't allow inline styles by default, and people want to use CSP and the As for the name of the option, |
"As for the name of the option, csp_compliant is a pretty crummy one, it should focus on what changes about the generated markup, not what that happens to enable." Interesting. Very HTML centric view of the world. |
"The issue is that the content security policy doesn't allow inline styles by default, and people want to use CSP and the form_tag makes that annoying / impossible." As stated earlier, some people will prefer not using CSP for the sake of browser compatibility. That is the point of providing an option. |
forgive me the sin of having an HTML centric view of the world when discussing the naming of an option that changes the HTML generated by a helper which generates HTML ;) |
It isn't a sin as much as a bias 😉 In the case of someone who is only interested in enabling CSP, it makes sense to have an option name relating to that intention. But of course anyone thinking of CSP should know that inline style elements are being suppressed. That, and there should be a way to suppress inline styles anyway, as overriding inline styles in css is so ugly. So I agree the option name should relate to HTML. @gaurish I hope you are not disappointed that @NZKoz doesn't like your option name 😉 |
@Alamoz |
@gaurish Will leave it to @rbhitchcock to name the option, this is his PR. 😄 Other than that, the logic behind his PR is pretty strait-forward. |
Just updated with changes incorporating the discussion so far. Thanks again everyone for the feedback. |
@rbhitchcock You still need to remove the form_helper_default_tags class reference:
... change to:
And also change any tests accordingly. |
Content Security Policy does not allow inline style attributes for HTML tags. The actionview form helper adds an inline style attribute to the div within the form containing hidden fields added by the helper. This changeset introduces the without_inline_styles option which will prevent the inline style attributes from being added.
Sorry... thought you still wanted a class attribute on the div. I've removed it. Thanks! |
@rbhitchcock Better to leave that to the user if they decide to suppress the default html output. |
Found this discussion about the topic: https://rails.lighthouseapp.com/projects/8994/tickets/5901-suppress-the-generation-of-the-authenticity_token-div The original commit in Rails 6 years ago: P.S: csrf_killer svn repo doesn't exist anymore |
I agree with @dorian, I don't think we need this hack anymore (probably it was for IE5.x or IE6) but we will need to do some researching to be sure about it. |
@guilleiguaran @dorian - Is the form authenticity token within the scope of this PR? |
@dorian - Ah yes. I think it is better without the , it doesn't add anything useful.
|
@rbhitchcock To also suppress the div you will have to make some more changes, specifically in actionpack-4.0.0/lib/action_view/helpers/tag_helper.rb. That or create a safe default value for the div. |
I found this while working through CSP on a site of mine. Looks like this has stalled, anything we can do to move this one forward? |
@guilleiguaran today there is no reason the hidden inputs are wrapped in a div. All browsers hide hidden inputs, including IE6. I think these inline styles stem from a bygone era when we thought inline styles and inline I vote not to add a configuration option (based on a negative no less) but to get rid of this wrapping div completely. Like in the jsfiddle posted by @dorian, there are no browsers in current use where hidden inputs are visible. Everyone can check this. This div is a barnacle, we should chip it off. |
Here's what led to a
Note that |
If there is no outcry from the changes in #6608 it seems safe to get rid of the div altogether. Pull request submitted. |
Removing the div seems like a good solution to me from the standpoint of preventing the CSP violation although the backward compatibility issue pointed out by @jeremy is something to consider. |
Closed by #14738 |
Content Security Policy by default does not allow for inline style attributes in HTML tags. The
form_for
andform_tag
actionview helpers, when adding hidden input fields (such as the one containing the CSRF token) to the generated form, create adiv
tag that has some inline style rules applied.In order to comply with CSP, this
style
attribute should be removed and replaced with a class (if it is desired that the style attributes continue to be applied).If this change is not made, any developers who wish to return the Content Security Policy header for their application will have to:
Hopefully the class name is descriptive enough. First pull request... tried to follow the instructions in the contribution guide. Apologies in advance for anything I overlooked. Thanks!