search

github / secure_headers

Manages application of security headers with many safe defaults
MIT License
3.15k stars 251 forks source link

`content_security_policy_nonce` calls Rails method so CSP does not contain nonce #511

Open jdudley1123 opened 11 months ago

jdudley1123 commented 11 months ago

Expected outcome

I am using GoodJob to process jobs on Rails 6. The GoodJob dashboard includes a number of scripts and styles. These all have nonces set using the content_security_policy_nonce method.

 <%= tag.script "", src: frontend_static_path(:bootstrap, format: :js, v: GoodJob::VERSION, locale: nil), nonce: content_security_policy_nonce %>

(link to code)

I would expect Secure Headers to set the nonce in the CSP header so that these scripts are permitted.

Actual outcome

No nonce is set in the CSP header. I think that Rails' own content_security_policy_nonce method is being called rather than the Secure Headers method of the same name. This means that the CSP set by Secure Headers doesn't include the nonce, and the scripts and styles are therefore not permitted.

I know that recommend practice when using Secure Headers is to use the nonced_javascript_tag method, but since this is in a gem I can't do that.

Possible related issues:

Config

SecureHeaders::Configuration.default do |config|
  config.hsts = "max-age=#{1.year.to_i}; includeSubDomains; preload"
  config.x_frame_options = 'DENY'
  config.x_content_type_options = 'nosniff'
  config.x_xss_protection = '1; mode=block'
  config.x_download_options = 'noopen'
  config.x_permitted_cross_domain_policies = 'none'
  config.referrer_policy = %w[origin-when-cross-origin
                              strict-origin-when-cross-origin]
  config.csp = {
    default_src: %w['none'],
    script_src: %w['self' http://www.google-analytics.com],
    connect_src: %w['self'],
    frame_ancestors: %w['none'],
    font_src: %w['self' data: https://fonts.gstatic.com],
    img_src: %w['self' data: https://validator.swagger.io],
    style_src: %w['self' https://fonts.googleapis.com],
  }
end

Generated headers

default-src 'none'; connect-src 'self'; font-src 'self' data: fonts.gstatic.com; frame-ancestors 'none'; img-src 'self' data: validator.swagger.io; script-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com
adeherdt-r7 commented 1 month ago

I am running into a similar problem. We use something like this to inject nonce headers:

  def include_gon_jquery(opts={})
    opts.merge!(need_tag:false)

    init_gon = <<eos
    jQuery(function($){
      #{Gon::Base.render_data(opts)}
    })
eos

    nonced_javascript_tag init_gon
  end

And Firefox keeps reporting that this is being blocked because of the Content-Security-Policy. This is our configuration:

  config.csp = {
    default_src:      %w('self'),
    img_src:          %w('self' data:),
    frame_src:        %w('self'),
    connect_src:      %w('self' https://mydomain.com),
    font_src:         %w('self'),
    media_src:        %w('self'),
    object_src:       %w('self'),
    style_src:        %w('self' 'unsafe-inline' 'inline'),
    script_src:       %w('self' 'unsafe-eval' 'eval' 'nonce'),
    script_src_elem:  %w('self' 'unsafe-eval' 'eval' 'nonce'),
  }

The core problem seems to be that the nonced_javascript_tag is not setting the correct nonce value inside the CSP header, as the browser doesn't have the value. Checking the source code however does reveal that the generated <script> tag contains the nonce value.

adeherdt-r7 commented 1 month ago

I'd like to add that this issue was a Firefox problem for me, and actually caused by caching. Wiping out the cache in Firefox and forcing a hard reload made it all work.