Fix for ignored CSP_NONCE in ContentSecurity Header #43573
Looks good!
But then we can remove csrfTokenManager from the class as it is no longer used.
There might be a problem because all our webpack loaded scripts use the csrf token as nonce -> will break if you use a custom nonce. But we should fix that.

@susnux it looks like my change will be merged in version 30.0.0. Is the problem you mentioned solved?
force-pushed 5cf8647 to 89575c5
For this issue I pushed a commit to provide the CSP nonce as  Ref: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes If we approve this PR then we should go with this: nextcloud-libraries/nextcloud-auth#673
force-pushed 89575c5 to 0b1d4c9

force-pushed 0b1d4c9 to 68d4077
We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CSP_NONCE environment variable if available. Signed-off-by: Holger Hees <holger.hees@gmail.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
force-pushed 68d4077 to fbfa4db
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
force-pushed fbfa4db to f1c1cf1
This way we use the CSP nonce for dynamically loaded scripts. Important to notice: The CSP nonce must NOT be injected in `content` as this can lead to value exfiltration using e.g. side-channel attacks (CSS selectors). Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
force-pushed f1c1cf1 to 2916e5d
We should use 'cspNonceManager' for requesting the NONCE value, because it is doing the same as before, except that it honors a CSP_NONCE environment variable if available.
If a CSP_NONCE env var is defined, it is used nearly everywhere, except for setting the correct ContentSecurityPolicy Header.
This commit fixes this.
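Added example, not part of this PR or of Nextcloud's code: a small Python model of the two points raised in the thread. resolve_nonce honours a CSP_NONCE environment override the way the description says the header must; build_csp_header puts that same nonce into script-src; header_matches_scripts is the check that fails in the "before" state, where the header used its own value while the scripts used the override; and nonce_leaks flags what the last commit message warns about, the nonce showing up anywhere other than a nonce attribute. The function names, the directive set and the sample script paths are assumptions made for the illustration.

```python
"""Added example (not Nextcloud's or this PR's code): model the CSP nonce
handling discussed in the thread. Function names, the directive set and the
sample paths below are assumptions made for the illustration."""
import os
import re
import secrets

CSP_NONCE_ENV = "CSP_NONCE"  # the override the PR makes the header honour


def resolve_nonce(env=None):
    """Return the nonce for this response.

    Honours the CSP_NONCE environment variable when set, otherwise generates
    a fresh random nonce; every consumer (header and script tags) must call
    this so they agree on one value.
    """
    env = os.environ if env is None else env
    override = env.get(CSP_NONCE_ENV)
    return override if override else secrets.token_urlsafe(24)


def build_csp_header(nonce, extra_script_sources=()):
    """Render a Content-Security-Policy header value carrying the nonce."""
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *extra_script_sources])
    directives = [
        "default-src 'self'",
        f"script-src {script_src}",
        "object-src 'none'",
        "base-uri 'none'",
    ]
    return "; ".join(directives)


def render_script_tags(srcs, nonce):
    """Emit <script> tags that carry the nonce as an attribute only."""
    return "\n".join(f'<script nonce="{nonce}" src="{src}"></script>' for src in srcs)


def header_matches_scripts(header, html):
    """True when every <script nonce=...> in the page is allowed by the header.

    This is the check that fails when the header is built from one nonce while
    the scripts were emitted with the CSP_NONCE override.
    """
    header_nonces = set(re.findall(r"'nonce-([^']+)'", header))
    tag_nonces = set(re.findall(r'<script[^>]*\snonce="([^"]+)"', html))
    return bool(tag_nonces) and tag_nonces <= header_nonces


def nonce_leaks(html, nonce):
    """Return offsets where the nonce appears outside a nonce="..." attribute.

    Browsers hide the nonce attribute value from CSS selectors after parsing,
    but a copy in element text, a <meta content="..."> or a data-* attribute
    stays matchable, which is the side channel the commit message warns about.
    """
    leaks = []
    for match in re.finditer(re.escape(nonce), html):
        before = html[max(0, match.start() - 7):match.start()]
        after = html[match.end():match.end() + 1]
        if before.endswith('nonce="') and after == '"':
            continue
        leaks.append(match.start())
    return leaks


def demo():
    """Compare the broken and fixed flows on a constructed page."""
    env = {CSP_NONCE_ENV: "constructed-nonce-override"}  # constructed sample
    scripts = ["/core/js/main.js", "/apps/files/js/files.js"]  # assumed paths
    html = render_script_tags(scripts, resolve_nonce(env))

    # Before the fix: the header ignores CSP_NONCE and uses its own random value.
    broken_header = build_csp_header(secrets.token_urlsafe(24))
    # After the fix: the header asks the same resolver the scripts used.
    fixed_header = build_csp_header(resolve_nonce(env))
    return {
        "broken_matches": header_matches_scripts(broken_header, html),
        "fixed_matches": header_matches_scripts(fixed_header, html),
        "leaks": nonce_leaks(html, env[CSP_NONCE_ENV]),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the comparison: the header built without consulting the override rejects every script, the one built through resolve_nonce accepts them, and the rendered page exposes the nonce only through nonce attributes. Adding a `<meta content="...">` copy of the nonce to the page is exactly what nonce_leaks reports.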