
Add global config for nonce (and hash) application #475

Closed

Conversation

pcasaretto

  • Has tests
  • Documentation updated

Fixes #470

Hi there!

Sorry for the long hiatus.
I'm opening this as is to get feedback on the proposal.
I've added a test case for my current scenario and it is currently passing.

However, I'm unsure what to do for some other scenarios.
I've put together a table with all possible combinations and marked the ones I'm unsure about with "?".
This is assuming a call was made to `content_security_policy_script_nonce`.

| CSP Config | Report Only Config | Apply Config | Result |
|---|---|---|---|
| PRESENT | PRESENT | nil | nonce added to both |
| PRESENT | PRESENT | :both | nonce added to both |
| PRESENT | PRESENT | :enforced | nonce added to enforce |
| PRESENT | PRESENT | :report_only | nonce added to report_only |
| PRESENT | OPT_OUT | nil | nonce added to enforce |
| PRESENT | OPT_OUT | :both | ? |
| PRESENT | OPT_OUT | :enforced | nonce added to enforce |
| PRESENT | OPT_OUT | :report_only | ? |
| OPT_OUT | PRESENT | nil | nonce added to report_only |
| OPT_OUT | PRESENT | :both | ? |
| OPT_OUT | PRESENT | :enforced | ? |
| OPT_OUT | PRESENT | :report_only | nonce added to report_only |
| OPT_OUT | OPT_OUT | nil | ? |
| OPT_OUT | OPT_OUT | :both | ? |
| OPT_OUT | OPT_OUT | :enforced | ? |
| OPT_OUT | OPT_OUT | :report_only | ? |

@pcasaretto
Author

ping @oreoshake

@oreoshake
Contributor

Apologies, this fell off my radar. I'd have to dig around a little more to make sure there wouldn't be side effects to these decisions and I remember having a little trouble keeping the edge cases in mind here. But at a quick glance, this would be my first guess at desired behavior.

| CSP Config | Report Only Config | Apply Config | Result |
|---|---|---|---|
| PRESENT | OPT_OUT | :report_only | ? |
| OPT_OUT | PRESENT | :enforced | ? |
| OPT_OUT | OPT_OUT | :both | ? |
| OPT_OUT | OPT_OUT | :enforced | ? |
| OPT_OUT | OPT_OUT | :report_only | ? |

Raise an error? These entries all seem contradictory.

| CSP Config | Report Only Config | Apply Config | Result |
|---|---|---|---|
| PRESENT | OPT_OUT | :both | ? |
| OPT_OUT | PRESENT | :both | ? |

Raise an error? While these are partial contradictions, it could lead to surprising behavior. I would also accept a noop. Something about :both being partially inaccurate seems to be worse than e.g. OPT_OUT OPT_OUT :enforced which doesn't seem to make a lot of sense in my head.

| CSP Config | Report Only Config | Apply Config | Result |
|---|---|---|---|
| OPT_OUT | OPT_OUT | nil | ? |

Noop? No lies were told here. Because the default value is nil, raising an error in this case would require someone to opt out of CSP three times 😄

Again, apologies if I'm way off here but have we considered having two separate values that would both need to be set rather than this report_only/enforced/both situation? I think that would give us a strong case for raising errors for all of these question marks.

Thanks for the issue, PR, and followup @pcasaretto. This is back on my radar.
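The decision matrix from the opening post's table, combined with the handling sketched in the reply above (raise on the contradictory rows, noop when both policies are opted out and no apply config is given), as an added stand-alone model. This is example code written for this page, not secure_headers' own implementation; the method names `policies_receiving_nonce` and `nonce_decision_matrix`, the `NonceApplicationError` class and the `:present`/`:opt_out` symbols are assumptions chosen for illustration.

```ruby
# Stand-alone model of the nonce-application matrix discussed in this PR.
# Not secure_headers' code: all names below are assumptions for illustration.
#
# Inputs:
#   csp         - :present or :opt_out (state of the enforced CSP config)
#   report_only - :present or :opt_out (state of the report-only CSP config)
#   apply_to    - nil, :both, :enforced or :report_only (proposed global setting)
# Output: array of policies the nonce is added to (may be empty = noop).

class NonceApplicationError < StandardError; end

# Returns the policies that receive the nonce, or raises when the requested
# target has been opted out (the "contradictory" rows in the discussion).
def policies_receiving_nonce(csp:, report_only:, apply_to: nil)
  present = { enforced: csp == :present, report_only: report_only == :present }

  # No explicit setting: nonce goes to whatever policies are configured.
  # With both opted out this yields [] (a noop), not an error.
  return present.select { |_, configured| configured }.keys if apply_to.nil?

  requested =
    case apply_to
    when :both        then [:enforced, :report_only]
    when :enforced    then [:enforced]
    when :report_only then [:report_only]
    else raise ArgumentError, "unknown apply_to value: #{apply_to.inspect}"
    end

  # Any requested policy that is opted out is a contradiction: fail loudly
  # rather than silently emit a nonce for a policy that will never be sent.
  missing = requested.reject { |policy| present[policy] }
  unless missing.empty?
    raise NonceApplicationError,
          "nonce requested for #{missing.join(' and ')} but that policy is opted out"
  end
  requested
end

# Enumerates every combination from the PR table and records the outcome
# (array of policies, or an error message) so it can be compared row by row.
def nonce_decision_matrix
  states = [:present, :opt_out]
  settings = [nil, :both, :enforced, :report_only]
  states.product(states, settings).map do |csp, report_only, apply_to|
    outcome = begin
      policies_receiving_nonce(csp: csp, report_only: report_only, apply_to: apply_to)
    rescue NonceApplicationError => e
      "error: #{e.message}"
    end
    [csp, report_only, apply_to, outcome]
  end
end

if __FILE__ == $PROGRAM_NAME
  nonce_decision_matrix.each do |csp, report_only, apply_to, outcome|
    puts format("%-8s %-8s %-13s %s", csp, report_only, apply_to.inspect, outcome.inspect)
  end
end
```

Running the file prints all sixteen rows; the seven rows the discussion marks as contradictory come out as errors, the `OPT_OUT / OPT_OUT / nil` row comes out as an empty array, and every row the opening table already resolved matches its stated result. Swapping the `raise` for an empty array is the one-line change that turns the "raise an error" option into the "noop" alternative mentioned above.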

@pcasaretto
Author

For transparency: I've left the company I was working for and this is no longer a priority for me.
I'm closing it for now.

@pcasaretto pcasaretto closed this Jul 6, 2022
Successfully merging this pull request may close these issues.

nonced tag helpers including nonce directive in csp has potential to break applications