[#37942] - [4.2] Improve nonce generation and add the nonce to included files too as well as improve generation
- Fixed in Code Base
- 18 Jun 2022
- Medium
- Build: 4.1-dev
- # 37942
- Diff
- zero-24:noncePerFileToo
User tests: Successful: Unsuccessful:
Pull Request for Issue #37461
Summary of Changes
Improve nonce generation and add the nonce to included files too as well as improve generation
Testing Instructions
First test
- enable the nonce generation as well as the CSP with report only
- check that the nonces are only added to inline style and inline scripts
- apply the patch
- note that the nonce is also added to JS / css files included locally
IMPORTANT: When you are checking the HTML with the nonce present in the header modern browsers will alter the sourcecode generated and remove the actuall nonce but only keep the nonce keyword. This is correct and shows that it worked correctly.
seccond test
- disable the nonce generation
- check that the nonces are added to inline JS and css
- apply the patch
- check that with that patch it is no longer added to inlinestyle and inlinejs with the nonce option disabled.
Actual result BEFORE applying this Pull Request
- Nonces are always set even when its not used in the CSP
- Nonces are only set to the inline js and inline css
Expected result AFTER applying this Pull Request
- Nonces are only rendered when also used within the CSP
- Nonces are also added to included JS files
Documentation Changes Required
n.a.
cc @sisko1990
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries Front End Plugins |
With nonce enabled, I get nonce values in the style-src directive without configuring {nounce} placeholder inside the style-src directive. With nonce disabled, I get no nonces inside the style-src directive.
@gopitzohlsen Does that mean you have successfully tested this pull request? If so, could you go to the issue tracker here https://issues.joomla.org/tracker/joomla-cms/37942 and use the blue "Test this" button at the top left corner? Just use the button, then select your test result and then submit. Thanks in advance.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37942.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37942.
| Labels |
Added:
?
|
||
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37942.
Same here, will move to 4.2. Thx
| Labels |
Added:
?
|
||
| Title |
|
||||||
| Labels |
Added:
?
Removed: ? |
||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-06-18 17:18:55 |
| Closed_By | ⇒ | roland-d |
Thanks everybody
With nonce enabled, I get nonce values in the style-src directive without configuring {nounce} placeholder inside the style-src directive.
With nonce disabled, I get no nonces inside the style-src directive.