@juliusknorr juliusknorr commented Feb 23, 2024

This fixes issues that may occur using MS Edge where the usage of a nonce for script-src was not indicated in the CSP headers.

https://learn.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-guidance

Short summary for the user agent pattern: Edg/<Version> is the new way to detect instead of Edge/<Version>.

  • fix: Adjust user agent pattern for Edge
  • fix: Add edge as supported user agent for CSPv3 nonces
  • fix: Allow nonce in csp header also if no other reasons are given
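The user agent change described in this pull request, as an added example that is not code from the pull request or from Nextcloud: it shows why a check written for `Edge/<Version>` never matches a browser that identifies as `Edg/<Version>`, so the `script-src` nonce is left out. The constants, function names and sample user agent strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: names and patterns are hypothetical, not Nextcloud's own.
// Older Edge builds identify as "Edge/<Version>", current ones as "Edg/<Version>".
const PATTERN_OLD = '/ Edge\/\d+/';
const PATTERN_NEW = '/ Edg\/\d+/';

/** True if the user agent matches the pattern treated as nonce-capable. */
function supportsNonce(string $userAgent, string $pattern): bool
{
    return preg_match($pattern, $userAgent) === 1;
}

/** Build script-src; the nonce is added even when $sources is empty. */
function scriptSrc(string $userAgent, string $pattern, string $nonce, array $sources = []): string
{
    if (supportsNonce($userAgent, $pattern)) {
        $sources[] = "'nonce-" . $nonce . "'";
    }
    // With nothing to allow, fall back to blocking all scripts (assumption).
    return 'script-src ' . ($sources === [] ? "'none'" : implode(' ', $sources));
}

// Constructed sample user agents, one per token format.
$agents = [
    'Edg/ token'  => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
        . '(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0',
    'Edge/ token' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
        . '(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763',
];

$nonce = base64_encode(random_bytes(16)); // fresh value for every response

foreach ($agents as $label => $ua) {
    foreach (['old' => PATTERN_OLD, 'new' => PATTERN_NEW] as $which => $pattern) {
        // The "Edg/ token" agent only receives a nonce with the new pattern.
        printf("%-12s %-4s %s\n", $label, $which, scriptSrc($ua, $pattern, $nonce));
    }
}
```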

susnux commented Feb 23, 2024

Alternative would be to throw away browserSupportsCspV3 and instead always use the nonce #10207

It seems like all our supported browsers support CSP nonce, if you find a browser that does not it probably will also not be able to parse our JS code.

@juliusknorr (Member Author)

Makes sense, I'd still like to keep the commits here to be able to backport them to 28 and only do the full removal for master then.

susnux commented Mar 8, 2024

> Makes sense, I'd still like to keep the commits here to be able to backport them to 28 and only do the full removal for master then.

Sounds good, so just fixup the commits :)

@juliusknorr juliusknorr merged commit 9522ef8 into master Mar 8, 2024
@juliusknorr juliusknorr deleted the fix/edge-csp branch March 8, 2024 13:51
@juliusknorr (Member Author)

/backport to stable28

Orchal commented Mar 28, 2024

Hi, it should, the pull request has been merged! I have not tested it yet.
