Why isn't this inline javascript blocked by content security policy? - javascript

I have a page that I set the script-src of the content security policy like this:
script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*
When I load the page with a hard-coded inline script I have created myself to test, it is blocked like expected:
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src 'self'
*.uservoice.com *.intuit.com ajax.googleapis.com localhost:* ". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
('nonce-...') is required to enable inline execution.
However, when I insert a new script tag dynamically, the script isn't blocked, for example, this still executes:
$("body").append("<script>alert('xss');</script>")
I am using Chrome as the browser here for testing. I was hoping that this script would be blocked as well, since that would really help to prevent xss. Is there something I can change to block this type of script injection as well?

The script you add with append or innerHtml won't be executed unless you use eval(). So it's not violating CSP.
Although this may look like a cross-site scripting attack, the result is harmless. HTML5 specifies that a tag inserted via innerHTML should not execute. 1
See script elements inserted using innerHTML do not execute when they are inserted.

Related

Electron.js does not load jQuery due to security policy

I am trying to load jQuery in Electron (v. 16.0.0), but I get this error:
Inside the head element I have included this line:
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
Also, inside the body element, I am trying to load jQuery like this:
<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>
I have tried so many ways to find a solution for this, but to no avail. Previously, I also tried to load jQuery like this, but it gave me a similar error, shown below:
<script>window.$ = window.jQuery = require('./libraries/jQuery/jquery.min.js');</script>
Answers to a related question did not work for me either. What should I do?
The reason Electron, or any other Web browser that implements Content Security Policy, for that matter, would correctly refuse to load a script from an arbitrary origin (URL), or even an "inline" script (e.g. script text inside a script element), is because your security policy is explicitly specified to deny such attempts, with that meta element you said you added:
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
Why did you add it? Was it there by someone else's hand? Why is it there? It's the reason why Electron denies loading of the scripts in question.
The value of the content attribute above has the effect of instructing Electron to only allow loading scripts from the same origin as the origin of the document containing the meta element. That effectively excludes every other origin like https://code.jquery.com and inline scripts (which have to be allowed explicitly in this case because self denies these). Basically, the value is to be interpreted as "only allow loading scripts from the same site". Inline scripts are not considered as "same site".
Simpler put, you yourself prohibit loading of scripts from the kind of locations you then attempt to use, with that meta element.
You need to learn how Content Security Policy mechanism works and applies in your case. You will have to decide whether you want to allow loading of scripts from domains like code.jquery.com, or whether, for example, you will only want to allow loading scripts from your website, which in turn will probably necessitate you copying the JQuery library you want to use to be served by your website. You also will have to decide if you want to allow "inline" scripts on your site, for whatever reason you may consider necessary.
The security policy mechanism itself is very useful, don't shy away from it, it's there for a reason -- to help you prevent abuse of your site users by malicious scripts loaded by other malicious scripts or mechanisms. But you need to use it correctly, obviously.
You have 2 issues because of jQuery:
script-src 'self' does not allow to load script from https://code.jquery.com/jquery-3.6.0.min.js, that's why you observe Refused to load the script 'https://code.jquery.com/jquery-3.6.0.min.js'... error.
You have to adjust your CSP at least as script-src 'self' https://code.jquery.com;.
After page loads, the jQuery pick up all scripts having $() and place them into one inline script in the <head> section. That's why you observe Refused to execute inline script ... error.
This inline script can be resolved with either 'unsafe-inline' or 'unsafe-eval' or 'nonce-value'(for jQuery > 3.4).
Allowing 'unsafe-inline' is a very harmful advice, since such CSP will not protect against XSS at all (https://youtu.be/zlH_bBQMgkc?t=717).
Also Electron does not have the technical ability to refresh the 'nonce' value.
Therefore, the most secure CSP you can do is:
script-src 'self' 'unsafe-eval' https://code.jquery.com;
or much better:
default-src 'self'; script-src 'self' 'unsafe-eval' https://code.jquery.com;
Note: Contrary to a common misconception, 'self' does not mean the Same Origin Policy, CSP interprets 'self' much more broadly.

Electron Confusion about Security

Ok, im just lost. I opened an electron start app and added one simple code, to console log on button press. The function is in a file renderer.js and in being called in in my index.html. Why when I press the button
I get this message ....
Refused to execute inline event handler because it violates the following Content
Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a
hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
Why would I not be allowed to execute something inline? An external source seems more vulnerable. Can anyone clear this up for me please?
Content Security Policy is using to avoid XSS based attacks in browser.In electron the background is running in a chrome engine, so the code is actullay running in a chromium browser.This browser is prone to all security issues that a browser is having
What is Content-Security-Policy?
Content-Security-Policy is the name of a HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads.
you can add the following code at the top of HTML to avoid the content security issue. this new header will allow the inline code to execute
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
What this meta tag will do ?
Allows
With the above CSP policy, the following are allowed to load and execute in the browser:
<!-- allowed by 'self' -->
<script src="/js/some-file.js"></script>
<!-- allowed by https://js.example.com -->
<script src="https://js.example.com/file.js"></script>
Blocks
The Example Policy above will block the following from loading or executing in the browser:
<script src="https://attacker.example.com/file.js"></script>

PHP/Apache: Refused to load the google "www.gstatic.com/charts/loader.js" script due to Content Security Policy

I am coding a PHP view that display Google charts, at DocumentRoot of Apache, in a single HTML it works, but when I put the same code inside the PHP page, the browser throws an exception like so:
It happens at calling the script by src tag:
Refused to load the script 'https://www.gstatic.com/charts/loader.js'
because it violates the following Content Security Policy directive: "default-src 'self'".
Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
It happens at in line script, the code is in the page:
Refused to execute inline script because it violates the following Content Security Policy directive:
"default-src 'self'". Either the 'unsafe-inline' keyword,
a hash ('sha256-gCemxHcM8ctzTMqVc2498nRLFHED+rKI4ZaErIVSSk0='),
or a nonce ('nonce-...')
is required to enable inline execution.
Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
My virtualhost is the following: php743.localhost.com
I have been looking for a solution for both inside the app and on Apache, but I could not fix it.
Any ideas?

Content Security Policy multiple nonce

I have a single page application (built in .net core MVC 2.2), where html section are loaded on the fly.
On main document, added CSP policy with a dynamically generated header looks like:
Content-Security-Policy: script-src 'self' 'nonce-I64vb811BxRNGV9Xf0pM'
Then comes a page section loaded via jquery ajax load function. page section contains a script (from src) with a nonce. Page section served with CSP header looks like
Content-Security-Policy: script-src 'self' 'nonce-ci5TQsyidT8x2jwBLRHS'
all good but browsers (chrome, safari blocking the script), with message:
jqueryscriptsbundle.js:formatted:43 Refused to execute inline script
because it violates the following
Content Security Policy directive: "script-src 'self' 'nonce-I64vb811BxRNGV9Xf0pM'
So browser is comparing nonce of script i.e. ci5TQsyidT8x2jwBLRHS with root/main page nonce value I64vb811BxRNGV9Xf0pM hence script blocked.
Is it correct behavior ? What can I do to make it work?
Your initial CSP, loaded with the page, provides a nonce. What you're trying to do is add another nonce, via Ajax, after the initial page load. CSP explicitly doesn't allow this; that's not a bug -- it's the entire point.
What you might do is allow a script-src of strict-dynamic. This allows you to authorize a script, and anything loaded by that script is also authorized. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Browser is blocking my jquery

So I'm not sure why but I get an error message from Chrome.
Error message:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-TakXxMuCq+J+ccgIY6WUXR+xy3/BdgRbqG7Y1mNRWJQ='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
jQuery:
<script type="text/javascript">
$( document ).ready(function() {
$.ajax({
type:'GET',
url:'http://api.steampowered.com/ISteamNews/GetNewsForApp/v0002/?appid=440&count=3&maxlength=300&format=json'
success: function(data){
console.log('success',data);
}
});
});
</script>
Sorry if this is a duplicate question.
I just had a hard time finding the answer to my problem.
But can someone explain why I am getting the error message that I am getting?
I want to give some extra information, so that you may understand my situation.
I was writing an app in HTML.
All the files used in the HTML other then the JSON are all from my machine.
I did not run them from any server including xampp. I simply double clicked my HTML file.
Are you writing a Chrome extension? It's not immediately clear from your question, but that's where I would expect to find this error message.
Inline script tags are not executed by extensions. The Google Content Security Policy pages state:
Inline JavaScript will not be executed. This restriction bans both
inline <script> blocks and inline event handlers (e.g. <button
onclick="...">).
The first restriction wipes out a huge class of cross-site scripting
attacks by making it impossible for you to accidentally execute script
provided by a malicious third-party. It does, however, require you to
write your code with a clean separation between content and behavior
(which you should of course do anyway, right?).
There is a way to relax this policy though
As of Chrome 46, inline scripts can be whitelisted by specifying the
base64-encoded hash of the source code in the policy. This hash must
be prefixed by the used hash algorithm (sha256, sha384 or sha512). See
Hash usage for <script> elements for an example.

Categories