I want to allow the internal Rails :back link functionality for my application with an active Content-Security-Policy.
CSP:
%meta{"http-equiv" => "Content-Security-Policy", "content" => "default-src *;"}
Example link:
= link_to 'Back', :back
# Back *
* Rails links to the referer and only if no referer is set falls back to JS.
How can I whitelist only this tiny history.back() piece of javascript?
I tried to set an exception as described in https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage and generated the required hash like this:
echo -n "history.back()" | openssl dgst -sha256 -binary | openssl enc -base64
Result:
%meta{"http-equiv" => "Content-Security-Policy", "content" => "default-src *; script-src 'self' 'sha256-LdlORHyUW/rwezK0l13nW+IwcZmi78eWOCBjewMWRr4='"}
But the Chrome console displays the same error what means the hash is invalid:
Refused to execute JavaScript URL because it violates the following
Content Security Policy directive: "script-src 'self'
'sha256-SmahML3R6+R4SRnsB6tEJ8Z4OVa4Qhk7A/gv3eAiG6s='". Either the
'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
('nonce-...') is required to enable inline execution.
Hash-whitelisting inline code oder inline styles is not possible with an active Content Security Policy. The above example would only work if history.back() was the content of a script-tag like this:
<script>history.back()</script>
Chrome's error message is misleading, because it suggests using the hash method for whitelisting the inline code which is actually not supported.
The same applies for inline styles like style="display:none" (used for example in nested_form gem).
The use of unsafe-inline was no option for my project. So I solved these rare problems by monkey patching the class or module to use different markup (for example class="hidden") plus some additional external javascript where required but of course there are drawbacks when updating the affected gems.
You can also move the JS to an external file on your server and include it with <script src=...>. Your CSP allows *, so also your own origin ('self'). Then use unobtrusive JavaScript to react to a click on the link. Here's the idea: http://guides.rubyonrails.org/working_with_javascript_in_rails.html#unobtrusive-javascript
Related
Link to extension: https://chrome.google.com/webstore/detail/pojodomdlpobompicdllljgiomnfpmho
Link to development version: https://github.com/misswell/octoman-weibo-backup
Problems:
To use this plugin, you need to login into your Weibo account first, otherwise, there will appear a line of text as shown in the screenshots below: "验证出错,请点击此链接,然后返回重试。(Error in verification, please click this link and then return to retry.)"
Under normal circumstances, after logging in and refreshing the page, this line of text will disappear, and "立即停止 (Stop Now)" will turn into "下载 (Download)", then it works normally.
I have been using it for more than a year without problems, but recently I don't know if it's because of Chrome update, this line of text can't be removed in any way.
enter image description here
The whole description of the error:
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Context
popup.html
Stack Trace
popup.html:1 (anonymous function)
enter image description here
I've tried to added ""content_security_policy": "script-src 'self' ", but it didn't work.
Ok, im just lost. I opened an electron start app and added one simple code, to console log on button press. The function is in a file renderer.js and in being called in in my index.html. Why when I press the button
I get this message ....
Refused to execute inline event handler because it violates the following Content
Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a
hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
Why would I not be allowed to execute something inline? An external source seems more vulnerable. Can anyone clear this up for me please?
Content Security Policy is using to avoid XSS based attacks in browser.In electron the background is running in a chrome engine, so the code is actullay running in a chromium browser.This browser is prone to all security issues that a browser is having
What is Content-Security-Policy?
Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads.
you can add the following code at the top of HTML to avoid the content security issue. this new header will allow the inline code to execute
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
What this meta tag will do ?
Allows
With the above CSP policy, the following are allowed to load and execute in the browser:
<!-- allowed by 'self' -->
<script src="/js/some-file.js"></script>
<!-- allowed by https://js.example.com -->
<script src="https://js.example.com/file.js"></script>
Blocks
The Example Policy above will block the following from loading or executing in the browser:
<script src="https://attacker.example.com/file.js"></script>
I have a single page application (built in .net core MVC 2.2), where html section are loaded on the fly.
On main document, added CSP policy with a dynamically generated header looks like:
Content-Security-Policy: script-src 'self' 'nonce-I64vb811BxRNGV9Xf0pM'
Then comes a page section loaded via jquery ajax load function. page section contains a script (from src) with a nonce. Page section served with CSP header looks like
Content-Security-Policy: script-src 'self' 'nonce-ci5TQsyidT8x2jwBLRHS'
all good but browsers (chrome, safari blocking the script), with message:
jqueryscriptsbundle.js:formatted:43 Refused to execute inline script
because it violates the following
Content Security Policy directive: "script-src 'self' 'nonce-I64vb811BxRNGV9Xf0pM'
So browser is comparing nonce of script i.e. ci5TQsyidT8x2jwBLRHS with root/main page nonce value I64vb811BxRNGV9Xf0pM hence script blocked.
Is it correct behavior ? What can I do to make it work?
Your initial CSP, loaded with the page, provides a nonce. What you're trying to do is add another nonce, via Ajax, after the initial page load. CSP explicitly doesn't allow this; that's not a bug -- it's the entire point.
What you might do is allow a script-src of strict-dynamic. This allows you to authorize a script, and anything loaded by that script is also authorized. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
I am in the process of adding CSP headers to a site that has a long way to go before it can adopt a strict policy. There are quite a few inline scripts, so I am using nonce- to allow specific inline scripts. I have found that it doesn't work on the onload attribute of a script tag with src. Here's an example:
// header:
Content-Security-Policy: script-src self https: 'nonce-d3adbe3fed'
<script async defer src="https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js" nonce="d3adbe3fed" onload="console.log('onload', _.VERSION)"></script>
Full working demo at https://brave-pasteur-0d438b.netlify.com/
Chrome gives the following error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src self https: 'nonce-d3adbe3fed'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
The message suggests that it should be possible to enable inline event handlers with a nonce, but as far I as I can tell, nonce is only intended to work on inline scripts.
This is just a demo, but the use case is an async/deferred tracking script which loads the tracking library, then in the onload handler makes a tracking call to the loaded library.
Is it possible to use a nonce on an onload or other event handler attribute, or will I need to change my implementation? Using script-src 'unsafe-inline' or script-src-attr 'unsafe-inline' is not an option, as those are the vulnerabilities I am specifically trying to address. And putting the contents of the onload handler into a separate script following the script tag is also not an option because the script is async deferred, and needs to stay that way.
If there is a way to use nonce on an inline handler, I will accept an answer that demonstrates it. Unfortunately, at the time of writing, I don't think there is.
As a workaround, the following script exhibits the same behavior and timing as an script with async/defer and an onload handler, while satisfying the specified CSP policy:
<script nonce="d3adbe3fed">
let s = document.createElement('script');
s.src = 'https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.9.1/underscore-min.js';
s.onload = () => console.log(_.VERSION);
document.documentElement.appendChild(s);
</script>
Of course, the long term solution is to eliminate inline scripts completely, but in the short term that isn't always feasible, and it is better to implement a more lax policy quickly, than to put it off and have no CSP at all.
As previously noted nonces won't work (at least at the moment - January of 2023) for inline JS event handlers - but you can use the less safe unsafe-hashes option if you can't or don't want to change your inline script. The procedure is below.
Generate your hash using this command:
echo -n "console.log('onload', _.VERSION)" | openssl dgst -sha256 -binary | openssl base64
and then use it like:
Content-Security-Policy: script-src 'unsafe-hashes' 'sha256-YOUR_HASH_HERE';
in this case the hash YOUR_HASH_HERE would be: is6kBKp90zgPWiqfkihufUS6bhRViGwlIg8RlEV7MgA=
I have a page that I set the script-src of the content security policy like this:
script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*
When I load the page with a hard-coded inline script I have created myself to test, it is blocked like expected:
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src 'self'
*.uservoice.com *.intuit.com ajax.googleapis.com localhost:* ". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
('nonce-...') is required to enable inline execution.
However, when I insert a new script tag dynamically, the script isn't blocked, for example, this still executes:
$("body").append("<script>alert('xss');</script>")
I am using Chrome as the browser here for testing. I was hoping that this script would be blocked as well, since that would really help to prevent xss. Is there something I can change to block this type of script injection as well?
The script you add with append or innerHtml won't be executed unless you use eval(). So it's not violating CSP.
Although this may look like a cross-site scripting attack, the result is harmless. HTML5 specifies that a tag inserted via innerHTML should not execute. 1
See script elements inserted using innerHTML do not execute when they are inserted.