Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove skipping CSP nonce on unsafe-inline #1010

Merged
merged 1 commit into from
Dec 11, 2020
Merged

Remove skipping CSP nonce on unsafe-inline #1010

merged 1 commit into from
Dec 11, 2020

Conversation

csutter
Copy link
Contributor

@csutter csutter commented Nov 10, 2020

Description of the change

The current implementation for Rails's CSP nonce functionality
intentionally skips adding a nonce to the script tag if the script-src
directive includes unsafe-inline. However, using both a nonce and
unsafe-inline at the same time is perfectly valid (and indeed sensible)
behaviour. It allows the app to maintain some level of backwards
compatibility with browsers that support CSP1 but not CSP2, c.f.:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Related issues

Fixes #1009.

Checklists

Development

  • Lint rules pass locally
  • The code changed/added as part of this pull request has been covered with tests
  • All tests related to the changed code pass in development

Code review

  • This pull request has a descriptive title and information useful to a reviewer. There may be a screenshot or screencast attached
  • "Ready for review" label attached to the PR and reviewers mentioned in a comment
  • Changes have been reviewed by at least one other engineer
  • Issue from task tracker has a link to this pull request

@csutter
Remove skipping CSP nonce on unsafe-inline
2b4ddc6 
The current implementation for Rails's CSP nonce functionality
intentionally skips adding a nonce to the script tag if the script-src
directive includes `unsafe-inline`. However, using both a nonce and
unsafe-inline at the same time is perfectly valid (and indeed sensible)
behaviour. It allows the app to maintain some level of backwards
compatibility with browsers that support CSP1 but not CSP2, c.f.:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

- Remove special handling of nonces when `unsafe-inline` is specified
  in the `script-src` directive
@csutter
Copy link
Contributor Author

csutter commented Nov 10, 2020

FWIW, I can't think of anything this PR might break - my digging through the spec suggested combining a nonce and unsafe-inline is definitely fine (see #1009).

Might still be worth someone else thinking about it too though 😅

csutter added a commit to DFE-Digital/teaching-vacancies that referenced this pull request Nov 11, 2020
@csutter
Temporarily stop reporting CSP violations
c89f713 
An issue in the rollbar gem is causing its JS output to violate our CSP
and generates two CSP violation reports per page view, ironically making
us go over our Rollbar quota.

Until the relevant PR gets merged, this suspends CSP violation reports:
rollbar/rollbar-gem#1010
@csutter csutter mentioned this pull request Nov 11, 2020
Merged
@csutter
Copy link
Contributor Author

csutter commented Dec 11, 2020

Hiya @waltjones – just wanted to cheekily chase and ask when you expect this to be merged 😄

@waltjones waltjones self-requested a review December 11, 2020 12:51
waltjones
waltjones approved these changes Dec 11, 2020
View reviewed changes
Copy link
Contributor

@waltjones waltjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR, and for the explanation.

@waltjones waltjones merged commit 71c2736 into rollbar:master Dec 11, 2020
@csutter csutter deleted the csp-always-add-nonce branch December 11, 2020 13:40
@waltjones
Copy link
Contributor

Released in v3.1.2. Apologies for the delay.

@pcasaretto pcasaretto mentioned this pull request Mar 23, 2021
Open
@pcasaretto
Copy link

pcasaretto commented Apr 22, 2021
edited
Loading

I belive this update did in fact break our app.
The end result was that SecureHeaders added the nonce directive to the enforcing CSP header, at which point the browser ignored the unsafe-inline directive (as it should). This caused all inline script tags (everything but the rollbar script tag itself) without nonces to be ignored.
I do believe this behavior is a bug with secure headers itself, and I'm currenly discussing it with the author. But because of that, I believe this was a breaking change.

@waltjones
Copy link
Contributor

waltjones commented Apr 23, 2021
edited
Loading

@pcasaretto Thank you for reporting this. I took a close look today, read your linked issue, and reviewed the CSP1 and CSP2 specs. I don't think reverting this works out well, as there are then a new set of issues. I'll work on a PR and link it here. Please feel free to give feedback there.

@waltjones waltjones mentioned this pull request Apr 28, 2021
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@waltjones waltjones waltjones approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CSP incorrectly skips adding nonce when unsafe-inline is set
3 participants
@csutter @waltjones @pcasaretto