Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for automatic nonce generation for Rails UJS #32018

Merged
merged 1 commit into from Feb 22, 2018

Conversation

@pixeltrix
Copy link
Member

commented Feb 16, 2018

Because the UJS library creates a script tag to process responses it normally requires the script-src attribute of the content security policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is embedded in a meta tag in a similar fashion to how CSRF protection embeds its token in a meta tag. The UJS library can then read the nonce value and set it on the dynamically generated script tag to enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including user generated content in someway then it may be possible to exploit an XSS vulnerability which can take advantage of the nonce. It is however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by using nonce: true to set the nonce value on the tag, e.g

<%= javascript_tag nonce: true do %>
  alert('Hello, World!');
<% end %>

Fixes #31689.

@pixeltrix

This comment has been minimized.

Copy link
Member Author

commented Feb 16, 2018

@pixeltrix pixeltrix force-pushed the add-nonce-support-to-csp branch Feb 16, 2018

@@ -72,6 +79,10 @@ def javascript_tag(content_or_options_with_block = nil, html_options = {}, &bloc
content_or_options_with_block
end

if html_options[:nonce] == true

This comment has been minimized.

Copy link
@matthewd

matthewd Feb 16, 2018

Member

Might be worth defaulting this to true? Seems pretty fair to default to trusting any JS the server is deliberately sending.

This comment has been minimized.

Copy link
@pixeltrix

pixeltrix Feb 16, 2018

Author Member

Possibly - though the thought of defaulting anything to less secure makes me nervous 😟

@pixeltrix pixeltrix force-pushed the add-nonce-support-to-csp branch 3 times, most recently from e6b0794 Feb 16, 2018

Add support for automatic nonce generation for Rails UJS
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.

To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.

Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.

It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g

    <%= javascript_tag nonce: true do %>
      alert('Hello, World!');
    <% end %>

Fixes #31689.

@pixeltrix pixeltrix force-pushed the add-nonce-support-to-csp branch to 31abee0 Feb 19, 2018

@pixeltrix pixeltrix merged commit e20742f into master Feb 22, 2018

2 checks passed

codeclimate All good!
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details

@pixeltrix pixeltrix deleted the add-nonce-support-to-csp branch Feb 22, 2018

pixeltrix added a commit that referenced this pull request Feb 22, 2018

Merge pull request #32018 from rails/add-nonce-support-to-csp
Add support for automatic nonce generation for Rails UJS
@pixeltrix

This comment has been minimized.

Copy link
Member Author

commented Feb 22, 2018

Backported to 5-2-stable in b2f0a89

bogdanvlviv added a commit to bogdanvlviv/rails that referenced this pull request Feb 22, 2018

Improve generated file `app/views/application.html.erb` of plugin
- Do not generate `javascript_include_tag` if `--skip-javascript`
- Generate `<%= csp_meta_tag %>`. Related to rails#32018.
@@ -22,5 +30,15 @@ def content_security_policy_report_only(report_only = true, **options)
end
end
end

private

This comment has been minimized.

Copy link
@dhh

dhh Feb 26, 2018

Member

✂️

end

private

This comment has been minimized.

Copy link
@dhh

dhh Feb 26, 2018

Member

✂️

@dhh

This comment has been minimized.

Copy link
Member

commented Feb 26, 2018

Do we also need to update the Rails-UJS lib to automatically use this when the server is returning JS that's meant to be eval'ed, ala SJR?

@pixeltrix

This comment has been minimized.

Copy link
Member Author

commented Feb 27, 2018

@dhh this PR does that - see the bit where the nonce on the script tag gets set:

script.nonce = cspNonce()

It also changes the UJS tests to run with a CSP policy that disables unsafe-inline

@dhh

This comment has been minimized.

Copy link
Member

commented Feb 27, 2018

My mistake. I missed that bit 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.