From 29534ce44fa376ea45ef9715aa5621ba5d9be8da Mon Sep 17 00:00:00 2001
From: Nicolas Mattia
Date: Tue, 24 Oct 2023 13:38:59 +0200
Subject: [PATCH 1/2] Remove CSP meta tag
This removes the `` tag used for CSP. We originally included the CSP in the HTML because the HTTP headers could not be certified. HTTP headers are now certified so the `Content-Security-Policy` header _should_ be enough.
Additionally, the `` tag hasn't been replaced correctly for some time leading to an irrelevant HTML tag.
---
 src/frontend/index.html | 2 --
 src/internet_identity/src/assets.rs | 14 +++-----------
 src/internet_identity/src/http.rs | 2 +-
 3 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/src/frontend/index.html b/src/frontend/index.html
index be56351113..d085effd0b 100644
--- a/src/frontend/index.html
+++ b/src/frontend/index.html
@@ -4,8 +4,6 @@ - - Internet Identity
diff --git a/src/internet_identity/src/assets.rs b/src/internet_identity/src/assets.rs
index 9bab14c3c8..7ca4885079 100644
--- a/src/internet_identity/src/assets.rs
+++ b/src/internet_identity/src/assets.rs
@@ -5,7 +5,7 @@
 use crate::hash::{hash_of_map, Value};
 use crate::http::{security_headers, IC_CERTIFICATE_EXPRESSION_HEADER};
 use crate::nested_tree::NestedTree;
-use crate::{http, state};
+use crate::state;
 use base64::engine::general_purpose::STANDARD as BASE64;
 use base64::Engine;
 use ic_cdk::api;
@@ -97,21 +97,13 @@ pub enum ContentType { // The "#, &format!(r#""#), - ); - - html.replace( - "", - &format!( - r#""#, - &http::content_security_policy_meta() - ), ) }
diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs
index 2fdef4e186..cc55e7c4a2 100644
--- a/src/internet_identity/src/http.rs
+++ b/src/internet_identity/src/http.rs
@@ -180,7 +180,7 @@ pub fn security_headers() -> Vec {
 /// Full content security policy delivered via HTTP response header.
 ///
 /// This policy also includes the `frame-ancestors` directive in addition to the policies included in the HTML `meta` tag.
-/// We deliver the CSP by header _and_ meta tag because the headers are not yet certified.
+/// We deliver the CSP by header
 fn content_security_policy_header() -> String {
 let meta_policy = content_security_policy_meta();
 format!("{meta_policy}frame-ancestors 'none';")
From 73751a510ae6bde24b632172c48dc6eacec6703d Mon Sep 17 00:00:00 2001
From: Nicolas Mattia
Date: Tue, 24 Oct 2023 15:20:49 +0200
Subject: [PATCH 2/2] Inline CSP meta
---
 src/canister_tests/src/framework.rs | 4 ++--
 src/internet_identity/src/http.rs | 14 +++-----------
 2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/src/canister_tests/src/framework.rs b/src/canister_tests/src/framework.rs
index 4c27ce78d5..0b7aeeb753 100644
--- a/src/canister_tests/src/framework.rs
+++ b/src/canister_tests/src/framework.rs
@@ -424,8 +424,8 @@ form-action 'none';\
 style-src 'self' 'unsafe-inline';\
 style-src-elem 'self' 'unsafe-inline';\
 font-src 'self';\
-upgrade-insecure-requests;\
-frame-ancestors 'none';$"
+frame-ancestors 'none';\
+upgrade-insecure-requests;$"
 )
 .unwrap()
 .is_match(csp));
diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs
index cc55e7c4a2..80689fd43c 100644
--- a/src/internet_identity/src/http.rs
+++ b/src/internet_identity/src/http.rs
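Review bot: The rebuilt pattern in the framework.rs hunk still anchors on `upgrade-insecure-requests;$` unconditionally, while the producer in http.rs appends that directive only under `#[cfg(not(feature = "insecure_requests"))]`, so the assertion pins the production feature set rather than the header contract as such. If that is deliberate, a comment above the assertion such as `// expects a canister built without the insecure_requests feature` would save the next reader a failed-test investigation; if not, the trailing directive could be made optional in the pattern. The enclosing test function starts outside the hunk, so I cannot tell whether it is already feature-gated.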
@@ -179,15 +179,6 @@ pub fn security_headers() -> Vec {
 /// Full content security policy delivered via HTTP response header.
 ///
-/// This policy also includes the `frame-ancestors` directive in addition to the policies included in the HTML `meta` tag.
-/// We deliver the CSP by header
-fn content_security_policy_header() -> String {
- let meta_policy = content_security_policy_meta();
- format!("{meta_policy}frame-ancestors 'none';")
-}
-
-/// Stripped down content security policy for the HTML `meta` tag, where not all directives are supported.
-///
 /// The sha256 hash matches the inline script in index.html. This inline script is a workaround
 /// for Firefox not supporting SRI (recommended here https://csp.withgoogle.com/docs/faq.html#static-content).
 /// This also prevents use of trusted-types. See https://bugzilla.mozilla.org/show_bug.cgi?id=1409200.
@@ -218,7 +209,7 @@ fn content_security_policy_header() -> String {
 ///
 /// upgrade-insecure-requests is omitted when building in dev mode to allow loading II on localhost
 /// with Safari.
-pub fn content_security_policy_meta() -> String {
+pub fn content_security_policy_header() -> String {
 let hash = assets::JS_SETUP_SCRIPT_SRI_HASH.to_string();
 let csp = format!(
 "default-src 'none';\
@@ -229,7 +220,8 @@ pub fn content_security_policy_meta() -> String {
 form-action 'none';\
 style-src 'self' 'unsafe-inline';\
 style-src-elem 'self' 'unsafe-inline';\
- font-src 'self';"
+ font-src 'self';\
+ frame-ancestors 'none';"
 );
 #[cfg(not(feature = "insecure_requests"))]
 let csp = format!("{csp}upgrade-insecure-requests;");
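Review bot: The renamed `content_security_policy_header` in the second hunk inherits the `pub` visibility of the old `content_security_policy_meta`, although the old `content_security_policy_header` it replaces was private and patch 1 removed the only cross-module caller visible on this page (`http::content_security_policy_meta()` in assets.rs). If `security_headers()` is now the sole caller, `pub(crate) fn content_security_policy_header() -> String {` or a plain `fn` would keep the policy builder from becoming an accidental public API; if another caller in the crate still needs it, this is fine as is. The function body continues past the hunk.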
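Review bot: In the third hunk `frame-ancestors 'none';` is folded into the single policy string without recording why it was previously kept out of the meta variant: the comment removed in the first hunk says the meta tag did not support all directives, and `frame-ancestors` is one of those honoured only when the policy arrives as a header. Since the header is now the sole delivery path that is correct, but a short comment on the added line, `// frame-ancestors is only honoured in a header-delivered CSP; fine now that the meta tag is gone`, would stop a future reintroduction of a meta tag from copying a directive the browser ignores. The function's doc comment could likewise state that this string is only ever sent as the `Content-Security-Policy` header.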