Add CSP to Image Optimization API (#28620)

styfle · web-flow · commit 7afc97c5744b · 2021-08-30T16:51:47.000Z
Add CSP header to Image Optimization API
diff --git a/packages/next/server/image-optimizer.ts b/packages/next/server/image-optimizer.ts
@@ -525,6 +525,8 @@ function setResponseHeaders(
     res.setHeader('Content-Disposition', `inline; filename="${fileName}"`)
   }
 
+  res.setHeader('Content-Security-Policy', `script-src 'none'; sandbox;`)
+
   return { finished: false }
 }
 
diff --git a/test/integration/production/pages/svg-image.js b/test/integration/production/pages/svg-image.js
@@ -0,0 +1,14 @@
+import React from 'react'
+import Image from 'next/image'
+
+const Page = () => {
+  return (
+    <div>
+      <h1>SVG with a script tag attempting XSS</h1>
+      <Image id="img" src="/xss.svg" width="100" height="100" />
+      <p id="msg">safe</p>
+    </div>
+  )
+}
+
+export default Page
diff --git a/test/integration/production/public/xss.svg b/test/integration/production/public/xss.svg
@@ -0,0 +1,9 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <title>XSS</title>
+</head>
+<body>
+  <p id="msg">safe</p>
+  <script>document.getElementById('msg').textContent='hacked'</script>
+</body>
+</html>
diff --git a/test/integration/production/test/index.test.js b/test/integration/production/test/index.test.js
@@ -78,7 +78,7 @@ describe('Production Usage', () => {
   })
 
   it('should contain generated page count in output', async () => {
-    const pageCount = process.env.NEXT_PRIVATE_TEST_WEBPACK4_MODE ? 37 : 38
+    const pageCount = process.env.NEXT_PRIVATE_TEST_WEBPACK4_MODE ? 38 : 39
     expect(output).toContain(`Generating static pages (0/${pageCount})`)
     expect(output).toContain(
       `Generating static pages (${pageCount}/${pageCount})`
diff --git a/test/integration/production/test/security.js b/test/integration/production/test/security.js
@@ -342,5 +342,24 @@ module.exports = (context) => {
       expect(pathname).toBe('/%2fexample.com')
       expect(hostname).not.toBe('example.com')
     })
+
+    it('should not execute script embedded inside svg image', async () => {
+      let browser
+      try {
+        browser = await webdriver(context.appPort, '/svg-image')
+        await browser.eval(`document.getElementById("img").scrollIntoView()`)
+        expect(await browser.elementById('img').getAttribute('src')).toContain(
+          'xss.svg'
+        )
+        expect(await browser.elementById('msg').text()).toBe('safe')
+        browser = await webdriver(
+          context.appPort,
+          '/_next/image?url=%2Fxss.svg&w=256&q=75'
+        )
+        expect(await browser.elementById('msg').text()).toBe('safe')
+      } finally {
+        if (browser) await browser.close()
+      }
+    })
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -525,6 +525,8 @@ function setResponseHeaders(`
`525`	`525`	res.setHeader('Content-Disposition', `inline; filename="${fileName}"`)
`526`	`526`	`}`
`527`	`527`
	`528`	+ res.setHeader('Content-Security-Policy', `script-src 'none'; sandbox;`)
	`529`	`+`
`528`	`530`	`return { finished: false }`
`529`	`531`	`}`
`530`	`532`