Problem with using 'unsafe-inline' in script-src #127
Comments
|
Checked with CSP Level 3 spec to confirm the description given in MDN and it seems to be correct. If a nonce is provided, The nonce is used to allow an inline script added by Ember CLI for test support. It was initially added in #88 and is shipped as part of v1.1.0. #122 is not shipped as part of a release yet. Are using
This is the correct solution in my opinion. Especially cause the nonce is not needed in that case. Would be awesome if you could provide a PR. |
I'm using
Great, I will try to find some time for this today. |
Although this would solve OPs problem, I'm not sure this is a good idea. At least not for any environment except the test-environment. Otherwise people risk ending up with an unexpected CSP. @jelhan What was the reason you wanted to add the static nonce to all tests in #122? I remember there was a good reason for it, but can't recall now. |
Let me give some context. Ember CLI adds an inline script into <script>Ember.assert('The tests file was not loaded. Make sure your tests index.html includes "assets/tests.js".', EmberENV.TESTS_FILE_LOADED);</script>Such an inline script is forbidden by default CSP provided by this addon. It would require #88 fixed that CSP violation with default configuration by adding a nonce to the default CSP and to the script inserted by Ember CLI for test builds. That implementation was slightly changed in #122 but that changes are not important to the bug discussed in this ticket. @joukevandermaas is using v1.1.1 but #122 is not shipped in a release yet. #88 was shipped with v1.1.0. When implementing #88 we missed an edge case: The inline scripted inserted by Ember CLI will not violate the CSP if #128 fixes that bug by not applying the nonce to CSP it |
|
@jelhan Ah, got it! Thanks for taking the time explaining! I guess a long term fix might be to skip that inline script assert, or make it optional? Anyway, I don't object to the fix suggested above, sounds reasonable! |
|
I'm sorry but it still should not be added regardless of unsafe-inline or not. A static nonce may be added for the test config, but it should not be part of shipped library. Because of 2 reasons:
Hence, either the library should provide random nonce value AND add those to all the script tags in the page or provide a way to do so, or shouldn't emit nonce in the header at all. |
|
@iamareebjamal This only affects the tests. You can check the diff here: https://github.com/rwjblue/ember-cli-content-security-policy/pull/128/files |
|
Not really, this issue wouldn't have been opened if that was the case. I also reached here since in our local build, the generated CSP contained |
|
The PR you mentioned only changes the behavior that the nonce will not be added only if the CSP contains unsafe-inline. And I am saying that for the consumers of the library, it should never be added. I don't see any code which adds it only for the tests. The static nonce is present in the library code whereas it should be in the config of the test code. I am on the latest released version, and even if it is fixed on the master branch(I doubt it), test config should not be present in library code, conditionally or unconditionally. |
|
@iamareebjamal Alright, perhaps you can open a separate issue describing the problem as you see it, and your suggested fix. Since this is an open-source project where people spend their leisure-time working on it, a PR with a fix would increase the odds of your desired change getting into master. |
|
My issue is same as this one. And solution is to not include any nonce, even conditionally. Unfortunately, we are probably going to remove the library as it does more harm than good. Even with the specified behavior, it does not make it easier to deal with CSP. I just wanted to comment on the approach and notify that the behavior renders the security of CSP useless. However if we do continue to use the library, I'd be happy to contribute the fix. But anyway, removing that test altogether will be better than adding a static nonce conditionally in the library code |
|
Different topics are mixed up here. I'm quiet sure there isn't a security issue. But lets first understand what we are talking about. The presence of that nonce is different for latest release (v1.1.1) and current For CSP served as meta tag the nonce is only added for test environment for both latest release and current Latest release: ember-cli-content-security-policy/index.js Lines 186 to 188 in 4aabfa5 Current master: ember-cli-content-security-policy/index.js Lines 86 to 92 in 0a4fdfe I agree that requiring such a static nonce is not good at all. But at these point of time there isn't a better solution yet. Without it an ember project created by blueprints would violate CSP. That's a very bad developer experience and was one of the reasons these addon got removed from default blueprints. It was added by myself in #88 quiet some time ago. Actually the huge refactoring since v1.1.1 is motivated by adding an API that would allow ember-qunit to add it's script tag without violating CSP. See #67. But there is still some work that needs to be done before such a feature could be shipped. Contributions are highly welcome. 😉 Feel free to reach out to me on Discord to coordinate and discuss details. |
We get consistent CSP reports while running the development server. From what I've been able to tell, this is because in #122, a nonce value was unconditionally added to
srcript-srcin all apps with tests.According to MDN, as soon as you set a nonce,
'unsafe-inline'is ignored. We were relying on'unsafe-inline', since it's not trivial to get the hash of all inline scripts in our app at build time.I have to admit I do not understand exactly what problem #122 was trying to solve. For us, it would be a good solution to omit the nonce if the
srcipt-srcdirective contains'unsafe-inline'.If you like that solution, I can make a PR for it.
The text was updated successfully, but these errors were encountered: