-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nonced tag helpers including nonce directive in csp has potential to break applications #470
Comments
Just to be clear, I'm more than willing to submit a PR once we decided this is a problem worth solving on this gem. |
This sounds like more of a bug than a feature request. I would expect it to work without having to declare it. Would you only want to apply it to the report-only configuration? Are you using both csp and csp-report-only? I could see how that use case wasn't considered/tested. |
That is the case, yes. As we fix issues we find in the incoming reports, we migrate the directives from csp-report-only to csp. |
I'm more than willing to merge and release that 👍 |
A teammate just pointed out to me that this behavior was the cause of a recent outage. What do you think is the right way forward? |
With your approval, I'd like to edit the issue to make it clear that the current behavior of using nonced tags with a config using |
👍 |
Done! Any suggestions regarding how to proceed? |
I would hope it would be as straightforward as pattern matching off of the existing code. I think the original proposal was to add a new helper/config option to the existing helper? It seems like you might want that functionality if you only want nonces in your report-only header. But the simplest place to start would be a test that shows that by default, the nonce is added to both headers. Then, add the config option to specify which header the nonce should go in. |
Just to be clear: by that you mean an additional config option that would be fed into |
🤔 I'm not sure actually. My initial thought was to add it to
The default behavior.
What breaking change would be introduced by preserving the current behavior? |
Allow me rephrase the question. Given that
|
It still seems like we might not be on the same page.
Can you elaborate on "dangerous?" It seems to me the current functionality isn't desirable for your use case but it behaves consistently and hasn't been an issue until now. You're reasonably surprised that this functionality isn't supported, but I can't think of a scenario where something becomes inadvertently broken today.
I'm not planning to because I don't think we should change the default behavior. The current behavior doesn't address your use case but we can work around that without affecting every other installation. If I could rewrite history, I wish this would have been addressed. But forcing everyone to update their configs, even if it's easy, for this edge case, doesn't seem like the best experience for those using this gem nor will it provide any value to almost everyone. |
The following scenario hapenned in production with us:
It caught us offguard because of the recent update I mentioned earlier in the thread. |
I can appreciate that and I hope that the surprise was discovered during pre-production testing but again, I'm not seeing a good enough justification for affecting anyone who depends on the current behavior. Is it surprising and unfortunate, yes, but it's easily discoverable. |
Alas, it was not. |
That sounds good to me. Is the
🤔 naming is hard. This kinda points to a related problem in that this setting would apply to script and style nonces alike, but thankfully nobody actually uses style nonces in a non-trivial scenario (right?).
I've added a small note to https://github.com/github/secure_headers/blob/main/docs/per_action_configuration.md#nonce. When we have the new functionality, we can specify the options. |
Bugs
Nonced tag helpers including nonce directive in csp has potential to break applications
Problem
Given an application with inline script tags, and a CSP that allows them with
'unsafe-inline'
, usingnonced_javascript_tag
will cause a nonce directive to appear in the CSP header. Modern browsers will then ignore the'unsafe-inline'
directive and all other script tags without a nonce will cease to be executed.The text was updated successfully, but these errors were encountered: