
@susnux (Contributor) commented Nov 17, 2023

Summary

Add a function to set 'strict-dynamic' on script-src-elem only, which allows setting it while weakening the CSP less.
This is required for modern JS code that uses import, which does not allow the use of nonces (there is simply no way to set a nonce on an import). Chrome then enforces the nonce rule and fails because there is none.
So instead of setting 'strict-dynamic' on every script source, we only trust scripts provided via <script> tags by default, and only if they have the nonce set.

Checklist
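How the narrow variant differs from putting 'strict-dynamic' on script-src, as an added Python model that is not Nextcloud's PHP code and not part of this PR: it builds both header variants and applies the CSP3 fallback and 'strict-dynamic' rules to the loads described above. 'self' stands in for the real host allowlist and the function names are my own.

```python
import secrets

def build_csp(nonce, strict_dynamic_on):
    """Policy as {directive: [sources]}.  strict_dynamic_on is "script-src"
    (broad form), "script-src-elem" (the narrower form this PR adds) or None.
    'self' stands in for the real host allowlist, which is longer."""
    nonce_src = f"'nonce-{nonce}'"
    policy = {"default-src": ["'self'"], "script-src": ["'self'", nonce_src]}
    if strict_dynamic_on == "script-src":
        policy["script-src"].append("'strict-dynamic'")
    elif strict_dynamic_on == "script-src-elem":
        policy["script-src-elem"] = ["'self'", nonce_src, "'strict-dynamic'"]
    elif strict_dynamic_on is not None:
        raise ValueError(f"unknown directive {strict_dynamic_on!r}")
    return policy

def serialize(policy):
    """Render as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def script_load_allowed(policy, *, same_origin, nonce=None, parser_inserted=True):
    """CSP3 check for a script fetch (<script src> element or module import).
    script-src-elem governs these and falls back to script-src.  With
    'strict-dynamic' in the governing list, host sources ('self') are ignored:
    the load passes only with a matching nonce or when it was not parser
    inserted, i.e. it was issued by a script that was itself trusted."""
    sources = policy.get("script-src-elem", policy.get("script-src"))
    if sources is None:
        return True
    nonce_ok = nonce is not None and f"'nonce-{nonce}'" in sources
    if "'strict-dynamic'" in sources:
        return nonce_ok or not parser_inserted
    return nonce_ok or (same_origin and "'self'" in sources)

def evaluate(strict_dynamic_on):
    """Run the loads that matter for this PR against one policy variant."""
    nonce = secrets.token_urlsafe(16)
    policy = build_csp(nonce, strict_dynamic_on)
    return {
        "header": serialize(policy),
        # <script type="module" nonce=... src="/apps/x/main.mjs">: nonced, parser inserted
        "nonced_module": script_load_allowed(policy, same_origin=True, nonce=nonce),
        # `import "./helper.mjs"` issued by that module: it cannot carry a nonce
        "module_import": script_load_allowed(policy, same_origin=True, parser_inserted=False),
        # <script src="/apps/x/legacy.js"> without a nonce: only the allowlist could admit it
        "unnonced_self": script_load_allowed(policy, same_origin=True),
        # script-src as it ends up in the header, to see whether it was touched
        "script_src": " ".join(policy["script-src"]),
    }
```

With 'strict-dynamic' on script-src-elem only, the nonced module and its imports load, the unnonced script is rejected, and script-src keeps its plain allowlist-plus-nonce form.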

@susnux susnux added the labels "3. to review" (Waiting for reviews) and "security" Nov 17, 2023
@susnux susnux requested review from a team, ArtificialOwl, juliusknorr, nfebe, nickvergessen and sorbaugh and removed request for a team November 17, 2023 10:12
…-src-elem` only

This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keeping the default rules for `script-src`.
The idea is to allow loading module JS which imports other files and thus does not allow nonces on the imports, only on the initial script tag.

Signed-off-by: Ferdinand Thiessen <[email protected]>
@susnux susnux force-pushed the fix/allow-strict-dynamic-elem branch from b137a35 to c209295 November 17, 2023 10:12
@susnux susnux added this to the Nextcloud 28 milestone Nov 17, 2023
@susnux (Contributor, Author) commented Nov 17, 2023

Backports requested where applicable (ex: critical bugfixes)

We added support for this with NC27 but I do not think we should backport the default change. Opinions?

… on `script-src-elem`

Signed-off-by: Ferdinand Thiessen <[email protected]>
@susnux susnux force-pushed the fix/allow-strict-dynamic-elem branch from c209295 to e231abd November 17, 2023 13:42
@susnux (Contributor, Author) commented Nov 17, 2023

Fixed one test I forgot to update.

@susnux (Contributor, Author) commented Nov 17, 2023

Documentation: nextcloud/documentation#11291

@susnux susnux merged commit 4fa2749 into master Nov 17, 2023
@susnux susnux deleted the fix/allow-strict-dynamic-elem branch November 17, 2023 17:03
@blizzz blizzz mentioned this pull request Nov 20, 2023