Plugin causes CSP (Content Security Policy) violations, cannot use CSP block and ID-card signing functionality at the same time

[tiblu]

Problem

A website wanting to support ID-card signing cannot use CSP to block on policy violations because Token Signing plugin will not work if the CSP is set to block.

Example:

{ 
   "blocked-uri":"inline",
   "column-number":44,
   "document-uri":"https://app.citizenos.com/",
   "line-number":128,
   "original-policy":"default-src 'self' 'report-sample'; img-src *; script-src 'self' https://cdn.crowdin.com https://apis.google.com https://www.google-analytics.com 'report-sample'; style-src 'self' https://fonts.googleapis.com 'sha256-swnxFqaff0i3bsLtJDRpMd5tZFLBnglxSxSqPSAWdIk='; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://id.citizenos.com https://api.citizenos.com https://sentry.io https://graph.microsoft.com https://www.google-analytics.com; base-uri 'self'; object-src 'none'; frame-src https://p.citizenos.com/ https://accounts.google.com/ https://docs.google.com; report-uri https://api.citizenos.com/api/internal/report",
   "referrer":"",
   "script-sample":"// Promises \nvar _eid_promises = {}; \n//…",
   "source-file":"moz-extension://d6dfd14d-b72d-49dc-8586-53ec01e217dd/content.js",
   "violated-directive":"script-src"
}

Reproduce

• Download latest Firefox
• Install Estonian ID-card software
• Visit https://app.citizenos.com
• Create a Topic
• Send the Topic to Voting, configure Hard ID voting.
• Vote with ID-card and see console for CSP reports.

Fix?

• Rewrite plugin so that it does not use eval() directly or indirectly - https://github.com/open-eid/chrome-token-signing/blob/master/extension/content.js#L52

Resources

• Chrome extensions and CSP - https://developer.chrome.com/extensions/contentSecurityPolicy
• CSP - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

[taneltm]

The extension needs to inject the TokenSigning function so that we don't break the implementation on existing websites. What we can do is allow websites to add the page script by themselves and before the extension injects the page script, it checks the website if the code is already there.

The requirement would be that the script tag which loads the page.js code needs to have a data-name="TokenSigning" attribute.

<script src="path-to/page.js" data-name="TokenSigning"></script>

[tiblu]

The extension needs to inject the TokenSigning function so that we don't break the implementation on existing websites. What we can do is allow websites to add the page script by themselves and before the extension injects the page script, it checks the website if the code is already there.

The requirement would be that the script tag which loads the page.js code needs to have a data-name="TokenSigning" attribute.

<script src="path-to/page.js" data-name="TokenSigning"></script>

Thanks for the info! If that works, fine by me.

[ilmartyrk]

Hi, thank you for this workaround @taneltm. Hope that your pull gets merged soon as adding page.js file works in chrome without any errors, but still triggers errors in Firefox and Safari. At least functionality is now working and ID-card is still usable

[kinomehhaanik]

We could not reproduce the problem: signing with ID-card in Firefox was successful in Windows and macOS. Only situation where we met similar error message in the web developer console was when

• logging in with ID-card and
• opening My Account view in the app.citizenos.com website.

Has the citizenos.com website been changed meanwhile?

[ilmartyrk]

@kinomehhaanik we used the suggestion from @taneltm and copied the https://github.com/open-eid/chrome-token-signing/blob/master/extension/page.js into our own code, this allows the id plugin to work properly. I hope you can accept his pull and merge it into next release as it is a good way to get this plugin working on pages with CSP.