From f3799a9fe35b8818d0ca8a964fdc023c62330f56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Wed, 4 Dec 2024 09:45:32 +0100
Subject: [PATCH] Remove img nonce

---
 dev.exs | 12 ++++++-----
 lib/phoenix/live_dashboard/layout_view.ex | 2 +-
 lib/phoenix/live_dashboard/page_builder.ex | 8 +++----
 lib/phoenix/live_dashboard/router.ex | 3 +--
 .../components/title_bar_component_test.exs | 2 +-
 .../live_dashboard/page_builder_test.exs | 4 ++--
 test/phoenix/live_dashboard/router_test.exs | 21 +++++++------------
 test/phoenix/live_dashboard_test.exs | 3 ---
 test/test_helper.exs | 1 -
 9 files changed, 23 insertions(+), 33 deletions(-)

diff --git a/dev.exs b/dev.exs
index 1bb1a657..36a02763 100644
--- a/dev.exs
+++ b/dev.exs
@@ -480,7 +480,6 @@ defmodule DemoWeb.Router do
 components: DemoWeb.GraphShowcasePage
 ],
 csp_nonce_assign_key: %{
- img: :img_csp_nonce,
 style: :style_csp_nonce,
 script: :script_csp_nonce
 },
@@ -493,18 +492,21 @@ defmodule DemoWeb.Router do
 )
 end
 
+ defp nonce do
+ 16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
+ end
+
 def put_csp(conn, _opts) do
- [img_nonce, style_nonce, script_nonce] =
- for _i <- 1..3, do: 16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
+ style_nonce = nonce()
+ script_nonce = noonce()
 
 conn
- |> assign(:img_csp_nonce, img_nonce)
 |> assign(:style_csp_nonce, style_nonce)
 |> assign(:script_csp_nonce, script_nonce)
 |> put_resp_header(
 "content-security-policy",
 "default-src; script-src 'nonce-#{script_nonce}'; style-src-elem 'nonce-#{style_nonce}'; " <>
- "img-src 'nonce-#{img_nonce}' data: ; font-src data: ; connect-src 'self'; frame-src 'self' ;"
+ "img-src data: ; font-src data: ; connect-src 'self'; frame-src 'self' ;"
 )
 end
 end
diff --git a/lib/phoenix/live_dashboard/layout_view.ex b/lib/phoenix/live_dashboard/layout_view.ex
index f2d637fd..6e0188df 100644
--- a/lib/phoenix/live_dashboard/layout_view.ex
+++ b/lib/phoenix/live_dashboard/layout_view.ex
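Review bot: `script_nonce = noonce()` in put_csp calls a function that is not defined anywhere; the helper added a few lines above is `nonce/0`, so compiling DemoWeb.Router in dev.exs fails with an undefined function error before any script nonce is produced. Change the line to `script_nonce = nonce()`. Routing both nonces through the single `nonce/0` helper is otherwise a good simplification, since it keeps the 16-byte `:crypto.strong_rand_bytes/1` source in one place.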
@@ -6,7 +6,7 @@ defmodule Phoenix.LiveDashboard.LayoutView do
 def render("dash.html", assigns), do: dash(assigns)
- defp csp_nonce(conn, type) when type in [:script, :style, :img] do
+ defp csp_nonce(conn, type) when type in [:script, :style] do
 csp_nonce_assign_key = conn.private.csp_nonce_assign_key[type]
 conn.assigns[csp_nonce_assign_key]
 end
diff --git a/lib/phoenix/live_dashboard/page_builder.ex b/lib/phoenix/live_dashboard/page_builder.ex
index 611d74f6..f22e30a7 100644
--- a/lib/phoenix/live_dashboard/page_builder.ex
+++ b/lib/phoenix/live_dashboard/page_builder.ex
@@ -172,10 +172,10 @@ defmodule Phoenix.LiveDashboard.PageBuilder do
 > You should use those when including scripts or styles like this:
 >
 > ```heex
- >
- >
- >
- >
+ >
+ >
+ >
+ >
 > ```
 >
 > This ensures that your custom page can be used when a CSP is in place using the mechanism
diff --git a/lib/phoenix/live_dashboard/router.ex b/lib/phoenix/live_dashboard/router.ex
index d7b4a5f4..bb6f10c7 100644
--- a/lib/phoenix/live_dashboard/router.ex
+++ b/lib/phoenix/live_dashboard/router.ex
@@ -300,7 +300,7 @@ defmodule Phoenix.LiveDashboard.Router do
 csp_nonce_assign_key =
 case options[:csp_nonce_assign_key] do
 nil -> nil
- key when is_atom(key) -> %{img: key, style: key, script: key}
+ key when is_atom(key) -> %{style: key, script: key}
 %{} = keys -> Map.take(keys, [:img, :style, :script])
 end
@@ -404,7 +404,6 @@ defmodule Phoenix.LiveDashboard.Router do
 "allow_destructive_actions" => allow_destructive_actions,
 "requirements" => requirements |> Enum.concat() |> Enum.uniq(),
 "csp_nonces" => %{
- img: conn.assigns[csp_nonce_assign_key[:img]],
 style: conn.assigns[csp_nonce_assign_key[:style]],
 script: conn.assigns[csp_nonce_assign_key[:script]]
 }
diff --git a/test/phoenix/live_dashboard/components/title_bar_component_test.exs b/test/phoenix/live_dashboard/components/title_bar_component_test.exs
index 2102a952..0a2bfe58 100644
--- a/test/phoenix/live_dashboard/components/title_bar_component_test.exs
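Review bot: In the router.ex hunk at line 300, the map clause directly below the changed line still reads `Map.take(keys, [:img, :style, :script])`, so a caller passing `%{img: ...}` keeps that key in `conn.private.csp_nonce_assign_key` while the atom clause on the changed line and the csp_nonces hunk at line 404 no longer know about `:img`. Change it to `%{} = keys -> Map.take(keys, [:style, :script])` so both clauses yield the same shape regardless of input. The route_opts assertion in the router_test hunk only checks that `other:` is dropped, so an `img:` key would not be caught there either. The `case` is fully visible, but the function enclosing it starts before the hunk.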
+++ b/test/phoenix/live_dashboard/components/title_bar_component_test.exs
@@ -11,7 +11,7 @@ defmodule Phoenix.LiveDashboard.TitleBarComponentTest do
 render_component(TitleBarComponent,
 percent: 0.1,
 class: "test-class",
- csp_nonces: %{img: "img_nonce", style: "style_nonce", script: "script_nonce"},
+ csp_nonces: %{style: "style_nonce", script: "script_nonce"},
 dom_id: "title-bar",
 inner_block: [%{slot: :__inner_block__, inner_block: fn _, _ -> "123" end}]
 )
diff --git a/test/phoenix/live_dashboard/page_builder_test.exs b/test/phoenix/live_dashboard/page_builder_test.exs
index af4ce921..781cc12d 100644
--- a/test/phoenix/live_dashboard/page_builder_test.exs
+++ b/test/phoenix/live_dashboard/page_builder_test.exs
@@ -112,7 +112,7 @@ defmodule Phoenix.LiveDashboard.PageBuilderTest do
 hint="test-hint"
 inner_hint="test-inner-hint"
 total_formatter={&"test-format-#{&1}"}
- csp_nonces={%{img: "img_nonce", style: "style_nonce", script: "script_nonce"}}
+ csp_nonces={%{style: "style_nonce", script: "script_nonce"}}
 />
 """)
@@ -149,7 +149,7 @@ defmodule Phoenix.LiveDashboard.PageBuilderTest do
 dom_id="test-dom-id"
 title="test-title"
 hint="test-hint"
- csp_nonces={%{img: "img_nonce", style: "style_nonce", script: "script_nonce"}}
+ csp_nonces={%{style: "style_nonce", script: "script_nonce"}}
 >
 <:usage
 current={10}
diff --git a/test/phoenix/live_dashboard/router_test.exs b/test/phoenix/live_dashboard/router_test.exs
index 26fbde87..63559c64 100644
--- a/test/phoenix/live_dashboard/router_test.exs
+++ b/test/phoenix/live_dashboard/router_test.exs
@@ -43,7 +43,6 @@ defmodule Phoenix.LiveDashboard.RouterTest do
 %{
 live_socket_path: "/custom/live",
 csp_nonce_assign_key: %{
- img: :csp_nonce,
 style: :csp_nonce,
 script: :csp_nonce
 }
@@ -54,18 +53,16 @@ defmodule Phoenix.LiveDashboard.RouterTest do
 assert route_opts(
 live_socket_path: "/custom/live",
 csp_nonce_assign_key: %{
- img: :img_csp_none,
- style: :style_csp_none,
- script: :script_csp_none,
+ style: :style_csp_nonce,
+ script: :script_csp_nonce,
 other: :unused
 }
 )[:private] == %{
 live_socket_path: "/custom/live",
 csp_nonce_assign_key: %{
- img: :img_csp_none,
- style: :style_csp_none,
- script: :script_csp_none
+ style: :style_csp_nonce,
+ script: :script_csp_nonce
 }
 }
 end
@@ -363,14 +360,12 @@ defmodule Phoenix.LiveDashboard.RouterTest do
 test "loads nonces when key present" do
 assert %{
- "csp_nonces" => %{img: "img_nonce", script: "script_nonce", style: "style_nonce"}
+ "csp_nonces" => %{script: "script_nonce", style: "style_nonce"}
 } =
 build_conn()
- |> Plug.Conn.assign(:img_nonce, "img_nonce")
 |> Plug.Conn.assign(:style_nonce, "style_nonce")
 |> Plug.Conn.assign(:script_nonce, "script_nonce")
 |> csp_session(%{
- img: :img_nonce,
 style: :style_nonce,
 script: :script_nonce
 })
@@ -378,11 +373,10 @@ defmodule Phoenix.LiveDashboard.RouterTest do
 test "loads nil nonces when assign present" do
 assert %{
- "csp_nonces" => %{img: nil, script: nil, style: nil}
+ "csp_nonces" => %{script: nil, style: nil}
 } =
 build_conn()
 |> csp_session(%{
- img: :img_nonce,
 style: :style_nonce,
 script: :script_nonce
 })
@@ -390,10 +384,9 @@ defmodule Phoenix.LiveDashboard.RouterTest do
 test "loads nil nonces when key absent" do
 assert %{
- "csp_nonces" => %{img: nil, script: nil, style: nil}
+ "csp_nonces" => %{script: nil, style: nil}
 } =
 build_conn()
- |> Plug.Conn.assign(:img_nonce, "img_nonce")
 |> Plug.Conn.assign(:style_nonce, "style_nonce")
 |> Plug.Conn.assign(:script_nonce, "script_nonce")
 |> csp_session()
diff --git a/test/phoenix/live_dashboard_test.exs b/test/phoenix/live_dashboard_test.exs
index 6160c1e0..2d6062b6 100644
--- a/test/phoenix/live_dashboard_test.exs
+++ b/test/phoenix/live_dashboard_test.exs
@@ -17,19 +17,16 @@ defmodule Phoenix.LiveDashboardTest do
 test "embeds csp nonces" do
 html =
 build_conn()
- |> assign(:img_csp_nonce, "img_nonce")
 |> assign(:script_csp_nonce, "script_nonce")
 |> assign(:style_csp_nonce, "style_nonce")
 |> get("/dashboard/home")
 |> html_response(200)
 
- refute html =~ "img_nonce"
 refute html =~ "script_nonce"
 refute html =~ "style_nonce"
 
 html =
 build_conn()
- |> assign(:img_csp_nonce, "img_nonce")
 |> assign(:script_csp_nonce, "script_nonce")
 |> assign(:style_csp_nonce, "style_nonce")
 |> get("/config/nonode@nohost/home")
diff --git a/test/test_helper.exs b/test/test_helper.exs
index d360a043..4d760ff5 100644
--- a/test/test_helper.exs
+++ b/test/test_helper.exs
@@ -90,7 +90,6 @@ defmodule Phoenix.LiveDashboardTest.Router do
 live_dashboard "/config",
 live_socket_path: "/custom/live",
 csp_nonce_assign_key: %{
- img: :img_csp_nonce,
 style: :style_csp_nonce,
 script: :script_csp_nonce
 },