Add support for automatic nonce generation for Rails UJS #32018
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
An example of how nonce can be abused is in this blog post: |
pixeltrix
force-pushed
the
add-nonce-support-to-csp
branch
from
6b5d397
to
4c3b7cc
Compare
matthewd
reviewed
Feb 16, 2018
| @@ -72,6 +79,10 @@ def javascript_tag(content_or_options_with_block = nil, html_options = {}, &bloc | |||
| content_or_options_with_block | |||
| end | |||
|
|
|||
| if html_options[:nonce] == true | |||
There was a problem hiding this comment.
Might be worth defaulting this to true? Seems pretty fair to default to trusting any JS the server is deliberately sending.
There was a problem hiding this comment.
Possibly - though the thought of defaulting anything to less secure makes me nervous 😟
pixeltrix
force-pushed
the
add-nonce-support-to-csp
branch
3 times, most recently
from
e6b0794
to
4224725
Compare
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
pixeltrix
force-pushed
the
add-nonce-support-to-csp
branch
from
4224725
to
31abee0
Compare
pixeltrix
added a commit
that referenced
this pull request
Feb 22, 2018
Add support for automatic nonce generation for Rails UJS
|
Backported to 5-2-stable in b2f0a89 |
bogdanvlviv
added a commit
to bogdanvlviv/rails
that referenced
this pull request
Feb 22, 2018
- Do not generate `javascript_include_tag` if `--skip-javascript` - Generate `<%= csp_meta_tag %>`. Related to rails#32018.
dhh
reviewed
Feb 26, 2018
| @@ -22,5 +30,15 @@ def content_security_policy_report_only(report_only = true, **options) | |||
| end | |||
| end | |||
| end | |||
|
|
|||
| private | |||
|
|
|||
dhh
reviewed
Feb 26, 2018
| end | ||
|
|
||
| private | ||
|
|
|
Do we also need to update the Rails-UJS lib to automatically use this when the server is returning JS that's meant to be eval'ed, ala SJR? |
|
@dhh this PR does that - see the bit where the nonce on the script tag gets set: script.nonce = cspNonce()It also changes the UJS tests to run with a CSP policy that disables unsafe-inline |
|
My mistake. I missed that bit 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by using
nonce: trueto set the nonce value on the tag, e.gFixes #31689.