
[CSP] Allow nonce passed through header (to support Turbolinks/PJAX) #136

Closed
ruudk opened this issue Feb 12, 2017 · 6 comments

Comments

@ruudk
Contributor

ruudk commented Feb 12, 2017

We are running a Symfony2 application with Turbolinks and want to use CSP. When we use the csp_nonce() method to generate a nonce, it will be different for every request. But since we use Turbolinks, navigating to other pages will just load the new HTML through AJAX and embed it in the current document. When a new page includes a <script> or <style> tag it will be blocked.

So I was thinking about the following solution:

In ContentSecurityPolicyListener:

    use Symfony\Component\HttpKernel\Event\GetResponseEvent;

    public function onKernelRequest(GetResponseEvent $event)
    {
        // ..

        // If the client (Turbolinks) sent back the nonce of the current
        // document, reuse it instead of generating a fresh one.
        if ($event->getRequest()->headers->has('X-CSP-Nonce')) {
            // @todo maybe add some regex validation
            $this->nonce = $event->getRequest()->headers->get('X-CSP-Nonce');
        }
    }

Then in my HTML I set this:

<meta name="csp_nonce" content="{{ csp_nonce() }}">

And in my app.js I set something like this:

    // Send the nonce of the current document with every jQuery/Turbolinks
    // request (header names are case-insensitive, so X-CSP-NONCE matches
    // the X-CSP-Nonce check on the server).
    $.ajaxSetup({
        headers: {
            'X-CSP-NONCE': document.querySelector('meta[name="csp_nonce"]').getAttribute('content'),
        }
    })

This works, but what about security? Am I going to do something really stupid/bad?
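An added example (not code from the bundle or from this issue) of one way to handle the "is this secure?" part: the server never echoes an arbitrary header value as the nonce, it only reuses a header nonce that matches both the expected format and the nonce it issued when rendering the full page. Where that issued nonce is kept (a session entry here) is an assumption of the example.

```php
<?php
declare(strict_types=1);

// Added example, not NelmioSecurityBundle code. Assumptions: nonces are
// 16 random bytes, base64-encoded (24 chars), and the nonce issued for the
// full page render was stored server-side (hypothetical session storage).
final class NonceResolver
{
    /** Fresh, unpredictable nonce: 16 random bytes, standard base64. */
    public static function generate(): string
    {
        return base64_encode(random_bytes(16));
    }

    /**
     * Nonce to use for this response.
     * $headerNonce: raw X-CSP-Nonce value sent by Turbolinks, or null.
     * $issuedNonce: nonce the server issued for the current page, or null.
     */
    public static function resolve(?string $headerNonce, ?string $issuedNonce): string
    {
        // Format gate: exactly 16 bytes of standard base64, nothing else.
        if ($headerNonce === null
            || !preg_match('/^[A-Za-z0-9+\/]{22}==$/', $headerNonce)) {
            return self::generate();
        }

        // The header alone proves nothing: any client can send any value.
        // Reuse it only if it is the nonce this server actually issued.
        // Note that reusing a nonce across responses turns it from a
        // per-response value into a per-page secret, so the comparison is
        // constant-time to avoid leaking it through timing.
        if ($issuedNonce !== null && hash_equals($issuedNonce, $headerNonce)) {
            return $headerNonce;
        }

        // Unknown or stale nonce: fall back to a fresh one, which makes
        // the scripts in the AJAX-loaded fragment fail closed under CSP.
        return self::generate();
    }
}

// Constructed usage: a valid echo is accepted, a forged one is not.
$issued   = NonceResolver::generate();
$reused   = NonceResolver::resolve($issued, $issued);       // === $issued
$rejected = NonceResolver::resolve('AAAAAAAAAAAAAAAAAAAAAA==', $issued); // fresh
```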

@sstok

sstok commented Feb 12, 2017

For the meta you need http-equiv, not name, as this is an HTTP header. If you're not sure, test this with something that should fail in that situation: load a script without a proper nonce. Assuming this works, or believing it works because someone says yes, is a dangerous practice.

@romainneutron
Collaborator

With #139 , you could $container->get('nelmio_security.twig_extension')->getCSPNonce().

@romainneutron
Collaborator

OH, you can currently do

$container->get('nelmio_security.csp_listener')->getNonce()

And it's much cleaner.

@stof
Contributor

stof commented Jun 7, 2019

@romainneutron I don't think closing this is right. The request is not to allow reading the nonce, but about setting it.

@florimondmanca

florimondmanca commented Feb 13, 2023

Edit: moved to #321

@ruudk
Contributor Author

ruudk commented Feb 13, 2023

Please open a new issue, don't reply in something from 2017.
