Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for Content-Security-Policy headers via nonce attribute of script/style tags, to avoid need for unsafe-inline CSP rule #512

Open
RudolfCardinal opened this issue May 3, 2021 · 4 comments

Comments

@RudolfCardinal
Copy link
Contributor

Setting the Content-Security-Policy (CSP) HTTP header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy), which is a good thing, means that inline <script> and <style> tags will be blocked by the browser unless either the unsafe-inline CSP policy is used, which is a bad thing, or a hash or nonce is used. Of those, the nonce method is simpler. That requires <script nonce="NONCE_FOR_THIS_RESPONSE"> and <style nonce="NONCE_FOR_THIS_RESPONSE">, matching the value of the nonce set in the response CSP header.

I don't think Deform supports this at present, and so some of its scripts/styles are blocked in this security environment. Would nonce support be reasonable to add? I imagine that Form could take a nonce parameter (default None); if present, its value could be propagated through all Deform .pt templates.

@RudolfCardinal
Copy link
Contributor Author

Improved with the new code above. However, in the Sequence widget, there are also prototype pieces of code that get cloned by Deform and evaluated ("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script...") and dynamic style rewriting by jQuery ("Refused to apply inline style because it violates the following Content Security Policy directive..."). I'm not sure how those should best be handled.

@RudolfCardinal
Copy link
Contributor Author

Requirement for evaluating Javascript removed (along with a bugfix) in latest commit just now. The jQuery "inline style" problem remains but perhaps that will go with a later jQuery version as per #511.

@stevepiercy
Copy link
Member

Thank you for the PR @RudolfCardinal. Please allow me a few days until I have the opportunity to review and think this over. I need to think about additional functional tests, as well as handling the sequence widgets and dynamic style rewriting.

Meanwhile if you have not yet done so, would you please sign https://github.com/Pylons/deform/blob/main/CONTRIBUTORS.txt?

Also the lint build fails on isort in CI: https://github.com/Pylons/deform/pull/513/checks?check_run_id=2499763731 and needs to pass before I can accept it.

@RudolfCardinal
Copy link
Contributor Author

Thanks -- I've tried again via $TOX -e format and it is happy locally -- fingers crossed for the autotests. I've signed the contributors statement too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants