No Code Attached Yet
Urukhai18 - 18 Jul 2022

At the moment, many third-party plugins are still not CSP friendly. They write inline <script> to the HTML body or use inline event handlers sparingly.

Firefox does not support script-src-elem, script-src-attr nor 'unsafe-hashes'. Inline event handlers, e.g. onload, require 'unsafe-hashes' to pass.

The only definition that will work for Firefox is script-src 'self' 'unsafe-inline'. But this defeats the whole purpose of Content Security Policy and this http-header plugin.

To have the maximum CSP protection across browsers, the following configuration is desired:
script-src 'self' 'unsafe-inline'
script-src-elem 'self' {nonce} and 'sha256 hashes' for inline <script>
script-src-attr 'unsafe-hashes' 'sha256 hashes' for inline event handlers.

The definition for script-src is for browsers like Firefox that do not support script-src-attr and 'unsafe-hashes'.

The definitions for script-src-elem and script-src-attr are for browsers like Chrome and Edge. The sha256 hashes can be calculated manually.

Unfortunately, as far as J4 4.1.5 is concerned, the {nonce} keyword is applicable only to script-src and style-src.

If we can make {nonce} also applicable to script-src-elem, then we will have a short-term workaround that makes the best use of http-header.

GHSVS-de - comment - 18 Jul 2022

I don't know if relevant. Check yourself:
The {nonce} placeholder has been removed in 4.2-dev and more changed/adapted.

Issue: #37461
Pr: #37940
Pr: #37942

dgrammatiko - comment - 18 Jul 2022
Urukhai18 - comment - 19 Jul 2022

> I don't know if relevant. Check yourself: The {nonce} placeholder has been removed in 4.2-dev and more changed/adapted.
>
> Issue: #37461 Pr: #37940 Pr: #37942

I have gone through them but I am worried that Firefox will still break because for inline event handlers (onclick, onload etc.), CSP requires 'unsafe-hashes', which Firefox does not support. So if nonces are generated under "script-src", any 'unsafe-inline' there will be voided and Firefox will refuse to execute those inline event handlers.

To work across browsers, it should be selectable to put the nonce under "script-src-elem" for Chrome and Edge, and keep 'unsafe-inline' in "script-src". Otherwise Firefox will probably stop running properly for J4 sites with CSP.

I have modified the module such that nonces are generated under "script-src-elem" and I do not get any complaints now from Chrome, Edge and Firefox.
[Screenshot: Plugins: System - HTTP Headers - K-Leaders - Administration, Mozilla Firefox, 2022-07-19 17:57]
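The layered policy from the opening post, and the fallback problem described in the comment above (a nonce inside script-src voids 'unsafe-inline' for browsers that ignore the granular directives), as an added Python example; this is not code from the issue or from Joomla's httpheaders plugin, and the nonce, script body and handler value are constructed placeholders.

```python
import base64
import hashlib

def csp_hash(source: str) -> str:
    """CSP hash source for an inline <script> body or an inline event handler
    value, as browsers compute it: sha256 of the UTF-8 text, base64, quoted."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_layered_policy(nonce: str, inline_scripts, event_handlers) -> str:
    """The cross-browser layering from the issue: script-src stays permissive for
    browsers that ignore the granular directives; -elem/-attr carry nonce and hashes."""
    elem = ["'self'", f"'nonce-{nonce}'"] + [csp_hash(s) for s in inline_scripts]
    attr = ["'unsafe-hashes'"] + [csp_hash(h) for h in event_handlers]
    return "; ".join([
        "script-src 'self' 'unsafe-inline'",
        "script-src-elem " + " ".join(elem),
        "script-src-attr " + " ".join(attr),
    ])

def parse_policy(policy: str) -> dict:
    """Map each directive name to its list of source expressions."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0]] = parts[1:]
    return out

def untagged_inline_allowed(policy: str, target: str, supports_granular: bool) -> bool:
    """Would inline script carrying neither a nonce nor a matching hash run?
    target is "elem" (inline <script>) or "attr" (inline event handler).
    Browsers that support script-src-elem/-attr apply them when present, others
    fall back to script-src; either way 'unsafe-inline' is ignored once a
    nonce or hash source appears in the directive that applies."""
    directives = parse_policy(policy)
    name = "script-src-" + target
    if supports_granular and name in directives:
        sources = directives[name]
    else:
        sources = directives.get("script-src", [])
    has_token = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                    for s in sources)
    return "'unsafe-inline'" in sources and not has_token

# Constructed sample: one inline <script> body and one onclick handler value.
# The nonce is a fixed placeholder; a real server generates a fresh random one per response.
SAMPLE_POLICY = build_layered_policy("placeholder-nonce",
                                     ["alert('Hello, world.');"], ["doSomething()"])
```

Running `untagged_inline_allowed(SAMPLE_POLICY, "elem", supports_granular=False)` models the fallback browser and returns True, while the same call with `supports_granular=True` returns False because the nonce in script-src-elem disables the permissive fallback.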

zero-24 - comment - 19 Jul 2022

As mentioned in the other issue, we most likely need to add the two directives to the array here and we are good to go, but I have not tested it yet: https://github.com/joomla/joomla-cms/blob/4.2-dev/plugins/system/httpheaders/httpheaders.php#L119-L128

Urukhai18 - comment - 19 Jul 2022

> As mentioned in the other issue, we most likely need to add the two directives to the array here and we are good to go, but I have not tested it yet: https://github.com/joomla/joomla-cms/blob/4.2-dev/plugins/system/httpheaders/httpheaders.php#L119-L128

That was exactly what I have done in v4.1.5: change the directive to script-src-elem in the array. Will take a look at the code for 4.2 to see whether that will be as simple as in 4.1.5.

zero-24 - comment - 19 Jul 2022

There should not be such major changes with 4.2. When that works, please create a PR against 4.2-dev so it can be tested and shipped with an upcoming release.

Urukhai18 - comment - 20 Jul 2022

> There should not be such major changes with 4.2. When that works, please create a PR against 4.2-dev so it can be tested and shipped with an upcoming release.

I am embarrassed to say I am not a qualified developer and have little experience working with git. :(

zero-24 - comment - 21 Jul 2022

PR has been created, please test it: #38318. Will close here so we can have the discussion on the PR.

zero-24 - change - 21 Jul 2022
Status: New -> Closed
Closed: 2022-07-21 17:38:42 by zero-24
