bnomei / kirby3-security-headers

Kirby Plugin for easier Security Headers setup
https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583
MIT License

<style> doesn't respect $site->nonce() #19

Closed S1SYPHOS closed 3 years ago

S1SYPHOS commented 4 years ago

Hey there, when playing around with your plugin, I noticed that $site->nonce() works for CSS files (via <link> tag) and JS files (via <script> tag), but not for inline CSS via <style> - which is odd ..

My code looks like this:

<?php if (!option('debug')) : ?>
<?php
    # Production = Minified inline CSS
    $cssPath = $kirby->root('assets') . '/styles/main.min.css';
    $css = F::read($cssPath);
?>
<style nonce="<?= $site->nonce() ?>"><?= $css ?></style>

<?php else : ?>

<?php
    # Development = Unminified CSS file
    $cssPath = '/assets/styles/main.css';
    $css = Bnomei\Fingerprint::css($cssPath, [
        'nonce' => $site->nonce(),
        'integrity' => true,
    ]);

    echo $css;
?>
<?php endif ?>

<?php
    $jsFile = option('debug') ? 'main.js' : 'main.min.js';
    $jsPath = '/assets/scripts/' . $jsFile;

    echo Bnomei\Fingerprint::js($jsPath, [
        'nonce' => $site->nonce(),
        'defer' => true,
        'integrity' => true
    ]);
?>

The only part failing me is <style nonce="<?= $site->nonce() ?>"><?= $css ?></style> - which I cannot explain ..

S1SYPHOS commented 3 years ago

@bnomei any idea? I guess I'm doing something wrong - smells fishy ..

bnomei commented 3 years ago

What does "does not work" mean? Is the string not printed? Otherwise, most modern browsers do not allow styles with nonces IF a hash is set in CSP headers.

Some console error like this should be visible:

Refused to execute inline script because it violates the following Content Security Policy directive

bnomei commented 3 years ago

Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

And the CSP plugin does set at least one hash (the Kirby panel one).

S1SYPHOS commented 3 years ago

I guess disabling the panel nonce generation would be the way to go then. From a frontend perspective, it seems optional to have a panel nonce, imho.

Will report back later!

S1SYPHOS commented 3 years ago

> What does "does not work" mean? Is the string not printed? Otherwise, most modern browsers do not allow styles with nonces IF a hash is set in CSP headers.
>
> Some console error like this should be visible:
>
> Refused to execute inline script because it violates the following Content Security Policy directive

Is it therefore impossible to secure <style> tags with nonces only? I don't see how that would be done ..

bnomei commented 3 years ago

Some information about unsafe scripts/styles and nonces...

See this issue: https://github.com/bnomei/kirby3-security-headers/issues/23 . If you set a nonce, you cannot have unsafe inline script/style.

The plugin will set 1) a nonce from the panel (if enabled) and 2) using bnomei.securityheader.seed, a nonce for site()->nonce(). So to have unsafe inline script/style by default, you need to set seed to false.

S1SYPHOS commented 3 years ago

Thanks @bnomei !