Labels: bug, PR-4.3-dev. Status: Pending

zero-24 - 21 Jul 2022

Pull Request for Issue #38291 cc @Urukhai18

Summary of Changes

Allow nonces to be set on the script-src-elem and style-src-elem

Testing Instructions

Set up a CSP directive with the script-src-elem directive as described here: #38291

Actual result BEFORE applying this Pull Request

No nonce support for script-src-elem and style-src-elem

Expected result AFTER applying this Pull Request

Nonce support for script-src-elem and style-src-elem

Documentation Changes Required

n.a.

zero-24 - open - 21 Jul 2022
zero-24 - change - 21 Jul 2022: Status New → Pending
joomla-cms-bot - change - 21 Jul 2022: Category Front End Plugins
zero-24 - change - 16 Aug 2022: Labels Added: ?
fancyFranci - comment - 22 Nov 2022

Can you please test this PR @Urukhai18 ? It should fix your issue :)

ReLater - comment - 23 Nov 2022

I'm a bit confused. The instructions say:

To have the maximum CSP protection across browsers, the following configuration is desired:
script-src: 'self' 'unsafe-inline'
script-src-elem: 'self' {nonce} and 'sha256 hashes' for inline <script>
script-src-attr: 'unsafe-hashes' 'sha256 hashes' for inline event handlers.

and

Firefox does not support script-src-elem, script-src-attr nor 'unsafe-hashes'. Inline event handlers, e.g. onload, require 'unsafe-hashes' to pass.

But since the {nonce} placeholder has been removed from the httpheaders plugin (nonces can't be set for a specific rule and/or omitted from other rules), script-src: 'self' 'unsafe-inline' will not work in Firefox, because the rule will be ignored if nonces are activated globally.

Could we please get more detailed testing instructions for different browsers, how to insert script-src-elem elements into the source code, and so on.

Maybe I'm wrong or just too stupid for these complex httpheader things.

zero-24 - comment - 23 Nov 2022

But since the {nonce} placeholder has been removed from the httpheaders plugin (nonces can't be set for a specific rule and/or omitted from other rules), script-src: 'self' 'unsafe-inline' will not work in Firefox, because the rule will be ignored if nonces are activated globally.

The nonce setting is just optional. Once nonces are enabled, the nonce will be added on all nonce-holding directives.
See here, it's looping via the array updated above: https://github.com/joomla/joomla-cms/pull/38318/files#diff-a8f11118b94dd6a1a6a10a82c55426dd46b4ca2c246e6c34d6b2a8386a463c67L308

It's right, but that's how the system is intended to work. When nonces are set, the browser should ignore the hashes. The new directives are optional to use and are not required.

So the test is: add the new directive, verify that before this patch it does not get the nonce, and that after this patch the nonce is set for the new directive too.
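An added standalone model of the behaviour zero-24 describes (Python, not the plugin's PHP; the directive sets and the sample policy are constructed for this example): the nonce is appended to every directive in the nonce-holding set, so once the -elem directives are in that set they receive it too. The second function is the check ReLater's concern calls for: wherever a nonce lands beside 'unsafe-inline', browsers ignore 'unsafe-inline' (CSP Level 2 rule), so that fallback goes dead.

```python
import secrets

# CSP directives that may carry a 'nonce-...' source. Constructed sets: the
# "before" set lacks the -elem variants, the "after" set includes them, which
# is what this PR changes (names are the CSP directives, not plugin internals).
NONCE_DIRECTIVES_BEFORE = frozenset({"script-src", "style-src"})
NONCE_DIRECTIVES_AFTER = NONCE_DIRECTIVES_BEFORE | {"script-src-elem", "style-src-elem"}

# Constructed policy in the shape the linked issue recommends: 'unsafe-inline'
# as a fallback in script-src, -elem directives for browsers that support them.
CONFIGURED = {
    "script-src": "'self' 'unsafe-inline'",
    "script-src-elem": "'self'",
    "style-src-elem": "'self'",
}

def build_csp(directives, nonce, nonce_directives):
    """Assemble the Content-Security-Policy header value, appending the nonce
    to every directive in nonce_directives (nonces enabled globally)."""
    parts = []
    for name, sources in directives.items():
        if name in nonce_directives:
            sources = f"{sources} 'nonce-{nonce}'"
        parts.append(f"{name} {sources}")
    return "; ".join(parts)

def dead_unsafe_inline(header):
    """List the directives whose 'unsafe-inline' is ignored because a nonce or
    hash source sits beside it (CSP Level 2 rule). This is the situation
    ReLater describes: the inline fallback in script-src stops working as soon
    as the global nonce is appended to that directive."""
    dead = []
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in sources)
        if "'unsafe-inline'" in sources and strict:
            dead.append(name)
    return dead

if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # fresh per response in real use
    for label, holders in (("before", NONCE_DIRECTIVES_BEFORE), ("after", NONCE_DIRECTIVES_AFTER)):
        header = build_csp(CONFIGURED, nonce, holders)
        print(f"{label}: {header}")
        print(f"  'unsafe-inline' ignored in: {dead_unsafe_inline(header)}")
```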

zero-24 - change - 18 Apr 2023: Labels Added: bug PR-4.3-dev ?; Removed: ?
zero-24 - comment - 4 Jun 2023

Will close it here for now, looks like a non-issue to people other than me.

zero-24 - close - 4 Jun 2023
zero-24 - change - 4 Jun 2023: Status Pending → Closed; Closed_Date 0000-00-00 00:00:00 → 2023-06-04 17:47:55; Closed_By zero-24
ReLater - comment - 4 Jun 2023

Sorry, but I simply didn't/don't understand the whole thing...
