WIP: feat: Enable CSP with nonce for Helix 5 #773
Conversation
andreituicu
requested review from
tripodsan,
davidnuescheler,
lkrapf,
trieloff and
rofe
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #773 +/- ##
==========================================
Coverage 100.00% 100.00%
==========================================
Files 45 46 +1
Lines 3651 3801 +150
==========================================
+ Hits 3651 3801 +150 ☔ View full report in Codecov by Sentry. |
|
Opening this PR in a WIP state, while I still work through the remaining TODOs to collect feedback and iterate in case there are changes needed. |
| checkResponseBodyForAEMNonce(res) && checkResponseBodyForMetaBasedCSP(res)) | ||
| ) | ||
| ) { | ||
| res.document = await unified() |
There was a problem hiding this comment.
not sure if we really should rewrite the provided HTML. and if so, with unified which might alter the html. maybe using a very simple text based parser that only understands minimal HTML and repaces the nonce tokens would less intrusive.
There was a problem hiding this comment.
I used unified because that what was used in processing the head.html, which allowed me to keep the same codebase for processing both the document based and the static html and I like how it works with selectors.
Indeed, it does alter the resulting HTML, it makes it canonical (e.g. from the point of view of spaces, indentation, <SCRIPT> -> <script>, etc.).
very simple text based parser that only understands minimal HTML and repaces the nonce tokens would less intrusive.
Would you have any in mind that I could try out? Intuitively, I would expect that any parser when serialising back to canonicalise, since otherwise it would be very hard to store all the nuances of the original HTML.
If we want to keep the customer's HTML untouched except for the nonce generation, we could try a regex approach.
I usually avoid regexes for this kind of processing, because I'm not good at them, they become hard to maintain troubleshoot and I've seen Kodiak complain about ReDos, which means they could be slow for certain files.
Did a quick try with
res.body.replace(/(<script\b[^>]*\bnonce=")aem(")/ig, `$1${nonce}$2`)
.replace(/(<style\b[^>]*\bnonce=")aem(")/ig, `$1${nonce}$2`)
.replace(/(<link\b[^>]*\bnonce=")aem(")/ig, `$1${nonce}$2`)
.replace(/(<meta\b[^>]*'nonce-)aem(')/ig, `$1${nonce}$2`)
.replace(/(<meta\b[^>]*'nonce-)aem(')/ig, `$1${nonce}$2`) //can appear twiceI can't speak for all customers, but personally, as a developer, I think I would like that if I drop some messy HTML in github that I copied from somewhere I get a clean one when looking through the delivery service.
| // CSP with nonce | ||
| if ( | ||
| (metaCSP && metaCSP.properties.content.includes(NONCE_AEM)) | ||
| || (headersCSP && headersCSP.includes(NONCE_AEM)) |
There was a problem hiding this comment.
would it be possible that a header uses double quotes?
There was a problem hiding this comment.
No, it is not possible. I tried it out both as meta tag and as header resulting the browser will show the following error and a blank page, because no script loads.
The source list for the Content Security Policy directive 'script-src' contains an invalid source: '"nonce-r4Nd0mmm"'. It will be ignored.
|
This PR will trigger a minor release when merged. |
1. Description
'nonce-aem'.Meta:
Header
nonce="aem"on:head.htmlExample:
move-as-headerattribute for the meta based CSP, where the Helix Pipeline will that tag as a headerNote: if this feature is premature, I can remove it and file it as a separate PR
Example:
aempart of thenonce-aemCSP and on each trusted script where it findsnonce="aem"2. Implementation choice
After some back and forth between:
'nonce'vs'nonce-aem'as a keyword in the CSP'nonce="aem"or not to the scripts, to make it as friction-less and transparent as possible for devs.I chose for the moment
'nonce-aem'and needing to add'nonce="aem"to the scripts, because in this implementation if there's any reason to deactivate/remove or if the hlx pipeline fails to render the nonce, customers that have this enabled will still have a valid page that is rendered by the browser.In the other variants, if for any reason
'nonce'is returned the browser will show just a white page.3. Expected level of protection with a nonce cached on the CDN
1. Protected even if the nonce is cached
✅
.innerHTMLfor XSS✅
.outerHTMLfor XSS✅
.insertAdjecentHTMLfor XSS✅
.setHTMLUnsafefor XSS✅
eval/setTimeout/setInterval/ Function for XSS✅
javascript:protocol in the href/src attributes✅
location.href/location.assign()/location.replacefor XSS✅ attribute event handlers (
onclick,onblur,onload,onerroretc.) for XSS✅ stored/reflected XSS
2. not protected, because the nonce is cached
❌
document.write/document.writeln-> because you could get the nonce and use it in the exploit3.not protected for other reasons
❌
document.createRange().createContextualFragment-> whether the nonce is cached/known is irrelevant, scripts are always executed withstrict-dynamic. (needs ticket in https://github.com/w3c/webappsec-csp - awaiting OSS approval)❌
srcattribute of a<script>tag created bydocument.createElement('script')/ text content of a<script>tag created bydocument.createElement('script')/import-> permitted bystrict-dynamic4. not protected by CSPs in general
Script-less attacks
❌ HTML injection
❌ DOM clobbering
5. unknown status
❓
element.styleorcssText-> still researching, can’t find a working exploit even without CSP4. Still TODO
5.xbranch.hlx-pipeline-version)