Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Always set the CSP JS nonce #10205

Closed
wants to merge 2 commits into from
Closed

Always set the CSP JS nonce #10205

wants to merge 2 commits into from

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Jul 11, 2018

Always set unsafe-inline for javascript as well. Newer browsers that
support the nonce will ignore this see

https://csp.withgoogle.com/docs/strict-csp.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

This means that older browsers will just execute the script but modern
browsers will check for the nonce and ignoring the unsafe-inline.
Basically this is the backwards compatibility mode.

Signed-off-by: Roeland Jago Douma roeland@famdouma.nl

@rullzer
Always set the CSP JS nonce
c654fc2 
Always set unsafe-inline for javascript as well. Newer browsers that
support the nonce will ignore this see

https://csp.withgoogle.com/docs/strict-csp.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

This means that older browsers will just execute the script but modern
browsers will check for the nonce and ignoring the unsafe-inline.
Basically this is the backwards compatibility mode.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer added this to the Nextcloud 14 milestone Jul 11, 2018
@rullzer rullzer requested a review from MorrisJobke July 11, 2018 19:22
@MorrisJobke
Copy link
Member

Please open the backport PR.

@MorrisJobke
Copy link
Member

MorrisJobke commented Jul 11, 2018
edited
Loading

  • Edge fails (IE11 & Safari works fine):

bildschirmfoto 2018-07-11 um 21 36 57

CSP14312: Resource violated directive 'script-src 'nonce-L1dYOGt6cVFKYVJOU2g4ZG96ajd6djNvWnVtd1h3NVlFck1NSkpnbU0raz06ejFhWTZYZjJSTkFJTUg1YjRIM0RtcHZRTjRENGEzODhLdU5BU2NCclJxYz0=' 'unsafe-inline' 'unsafe-eval'' in Content-Security-Policy: http://192.168.1.110:8000/index.php/apps/theming/js/theming?v=0. Resource will be blocked.

@rullzer
Convert function to a blacklist
38e4af8 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer
Copy link
Member Author

rullzer commented Jul 11, 2018

Bad edge! https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/

@MorrisJobke
Copy link
Member

We should make sure that it works on all those fancy built in browsers on Android and on the desktop to not break the login flow :/ Maybe add a little banner on top to see if the JS is not loaded - otherwise it feels strange because the buttons just don't work. A little message that is hidden by JS somehow?

@rullzer
Copy link
Member Author

rullzer commented Jul 11, 2018

ok lets not do this right away for 14. I need time to think to come up with a proper solution.

@rullzer rullzer removed this from the Nextcloud 14 milestone Jul 11, 2018
@rullzer rullzer closed this Jul 11, 2018
@rullzer rullzer deleted the fix/noid/always_set_js_nonce_and_allow_inline branch July 11, 2018 20:28
@rullzer rullzer mentioned this pull request Jul 11, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MorrisJobke MorrisJobke Awaiting requested review from MorrisJobke

Assignees
No one assigned
Labels
3. to review Waiting for reviews enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rullzer @MorrisJobke