slackhq / csp-html-webpack-plugin

A plugin which, when combined with HTMLWebpackPlugin, adds CSP tags to the HTML output.
MIT License
164 stars, 39 forks

No nonce values are showing up in the CSP string #107

Open tupton opened 2 years ago

tupton commented 2 years ago

Description

Nonce values are being added to the script and style tags in my HTML, but the nonces aren't in the CSP string itself. This appears similar to https://github.com/slackhq/csp-html-webpack-plugin/issues/93, but I'm on Mac OS and I'm using the latest node v14.

I am using an HTML template. A minimal webpack config with this exact template does not exhibit the issue, which makes me think something about my more complex webpack config is preventing the nonces from being added to the CSP.

Curiously, hashes for inline scripts do show up in the CSP string, so it is definitely being generated.

Type of issue: Bug Report

I am using this config to generate a CSP.

  // webpack.config.js (excerpt)
  const HtmlWebpackPlugin = require('html-webpack-plugin');
  const CspHtmlWebpackPlugin = require('csp-html-webpack-plugin');

  module.exports = {
    plugins: [
      new HtmlWebpackPlugin({
        template: 'src/www/index.tpl.html',
        inject: 'body',
        filename: 'index.html',
      }),
      new CspHtmlWebpackPlugin({
        'script-src': '',
        'style-src': '',
      }),
      // I am using other plugins after these: mini-css-extract-plugin, webpack.IgnorePlugin, copy-webpack-plugin, dotenv-webpack, webpack.ProvidePlugin
    ],
  };

It results in a CSP like the following:

<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none'; script-src 'sha256-ABCXYZ=' … 'sha256-123999'; style-src ">

That is: it creates a CSP using hashes for inline scripts, but there are no nonces for script-src or style-src. The nonce attribute is present in a number of <script> and <style> tags in the final HTML document.

Reproducible in:

slackhq/csp-html-webpack-plugin version: 5.1.0

node version: 14.19.3

OS version(s): Mac OS 12.4

Steps to reproduce:

  1. Use the above config to build the app.
  2. View the built index.html asset.

Expected result:

The CSP content to have the nonce values in it.

Actual result:

The nonce values are attached to the script and style tags but are not present in the CSP string itself.

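The mismatch reported in this issue (nonce attributes on `<script>`/`<style>` tags that never appear as `'nonce-…'` sources in the CSP `<meta>` tag) is easy to miss by eye, because the policy still looks populated thanks to the `sha256-` hashes. The following is an added example, not part of this issue and not code from csp-html-webpack-plugin, of a build-output check that parses a built `index.html` with only Node built-ins and lists the nonces that are on tags but absent from the matching directive. The HTML samples are constructed to mirror the output quoted above; the attribute names and the `'nonce-<value>'` source syntax are the standard CSP ones, and the parser assumes the `<meta>` tag fits on one line, as the plugin emits it.

```javascript
// Added example: verify that every nonce attribute on a <script>/<style> tag in a
// built HTML document also appears as a 'nonce-...' source in the CSP meta tag.
// Not part of csp-html-webpack-plugin; uses only Node built-ins.

// Returns the content attribute of the CSP <meta> tag, '' if the tag has no
// content, or null if there is no CSP <meta> tag at all.
function extractCsp(html) {
  const metaRe = /<meta\b[^>]*>/gi;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    const tag = m[0];
    if (!/http-equiv=(["'])Content-Security-Policy\1/i.test(tag)) continue;
    const c = tag.match(/\bcontent=(["'])(.*?)\1/i); // same quote char closes the value
    return c ? c[2] : '';
  }
  return null;
}

// Splits a policy string into { 'directive-name': [source, ...] }.
// An empty directive such as "style-src " yields an empty source list.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Collects nonce attribute values per directive from <script> and <style> tags.
function nonceAttributes(html) {
  const found = { 'script-src': new Set(), 'style-src': new Set() };
  const tagRe = /<(script|style)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const n = m[2].match(/\bnonce=(["'])([^"']+)\1/i);
    if (!n) continue; // tags without a nonce (e.g. hashed inline scripts) are skipped
    const directive = m[1].toLowerCase() === 'script' ? 'script-src' : 'style-src';
    found[directive].add(n[2]);
  }
  return found;
}

// Returns { cspFound, missing }, where missing maps a directive to the nonces
// that are present on tags but not listed as 'nonce-<value>' in that directive.
function findMissingNonces(html) {
  const csp = extractCsp(html);
  if (csp === null) return { cspFound: false, missing: {} };
  const directives = parseCsp(csp);
  const missing = {};
  for (const [directive, nonces] of Object.entries(nonceAttributes(html))) {
    const sources = new Set(directives[directive] || []);
    const absent = [...nonces].filter((n) => !sources.has(`'nonce-${n}'`));
    if (absent.length > 0) missing[directive] = absent;
  }
  return { cspFound: true, missing };
}

// Constructed sample mirroring the issue: hashes in the policy, nonces on tags,
// but no 'nonce-...' sources in script-src or style-src.
const SAMPLE_BROKEN = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; object-src 'none'; script-src 'sha256-ABCXYZ='; style-src ">
<style nonce="def456">body{margin:0}</style>
</head><body>
<script nonce="abc123" src="main.js"></script>
<script>console.log('inline, covered by the hash')</script>
</body></html>`;

// Constructed sample of what the output should look like once nonces are in the policy.
const SAMPLE_FIXED = SAMPLE_BROKEN.replace(
  "script-src 'sha256-ABCXYZ='; style-src ",
  "script-src 'sha256-ABCXYZ=' 'nonce-abc123'; style-src 'nonce-def456'"
);

// Stand-alone use: node check-csp-nonces.js dist/index.html (falls back to the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const html = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_BROKEN;
  const result = findMissingNonces(html);
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.cspFound && Object.keys(result.missing).length === 0 ? 0 : 1;
}
```

Run against the real build output, a non-zero exit code flags exactly the situation described in this issue: the document carries nonce attributes, so nonce-based allow-listing was intended, but a browser enforcing the policy will still block those tagged resources because the directive never names the nonces.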