Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for automatic nonce generation for Rails UJS #32018

Merged
merged 1 commit into from Feb 22, 2018

Conversation

@pixeltrix
Copy link
Member

@pixeltrix pixeltrix commented Feb 16, 2018

Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by using nonce: true to set the nonce value on the tag, e.g

<%= javascript_tag nonce: true do %>
  alert('Hello, World!');
<% end %>

Fixes #31689.

@pixeltrix
Copy link
Member Author

@pixeltrix pixeltrix commented Feb 16, 2018

Loading

@pixeltrix pixeltrix force-pushed the add-nonce-support-to-csp branch from 6b5d397 to 4c3b7cc Feb 16, 2018
@@ -72,6 +79,10 @@ def javascript_tag(content_or_options_with_block = nil, html_options = {}, &bloc
content_or_options_with_block
end

if html_options[:nonce] == true
Copy link
Member

@matthewd matthewd Feb 16, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth defaulting this to true? Seems pretty fair to default to trusting any JS the server is deliberately sending.

Loading

Copy link
Member Author

@pixeltrix pixeltrix Feb 16, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possibly - though the thought of defaulting anything to less secure makes me nervous 😟

Loading

@pixeltrix pixeltrix force-pushed the add-nonce-support-to-csp branch 3 times, most recently from e6b0794 to 4224725 Feb 19, 2018
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g

    <%= javascript_tag nonce: true do %>
      alert('Hello, World!');
    <% end %>

Fixes #31689.
@pixeltrix pixeltrix force-pushed the add-nonce-support-to-csp branch from 4224725 to 31abee0 Feb 19, 2018
@pixeltrix pixeltrix merged commit e20742f into master Feb 22, 2018
2 checks passed
Loading
@pixeltrix pixeltrix deleted the add-nonce-support-to-csp branch Feb 22, 2018
pixeltrix added a commit that referenced this issue Feb 22, 2018
Add support for automatic nonce generation for Rails UJS
@pixeltrix
Copy link
Member Author

@pixeltrix pixeltrix commented Feb 22, 2018

Backported to 5-2-stable in b2f0a89

Loading

bogdanvlviv added a commit to bogdanvlviv/rails that referenced this issue Feb 22, 2018
- Do not generate `javascript_include_tag` if `--skip-javascript`
- Generate `<%= csp_meta_tag %>`. Related to rails#32018.
@@ -22,5 +30,15 @@ def content_security_policy_report_only(report_only = true, **options)
end
end
end

private

Copy link
Member

@dhh dhh Feb 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✂️

Loading

end

private

Copy link
Member

@dhh dhh Feb 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✂️

Loading

@dhh
Copy link
Member

@dhh dhh commented Feb 26, 2018

Do we also need to update the Rails-UJS lib to automatically use this when the server is returning JS that's meant to be eval'ed, ala SJR?

Loading

@pixeltrix
Copy link
Member Author

@pixeltrix pixeltrix commented Feb 27, 2018

@dhh this PR does that - see the bit where the nonce on the script tag gets set:

script.nonce = cspNonce()

It also changes the UJS tests to run with a CSP policy that disables unsafe-inline

Loading

@dhh
Copy link
Member

@dhh dhh commented Feb 27, 2018

My mistake. I missed that bit 👍

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants