feat: Use CSP for scripts with (cached) nonce + strict-dynamic#498
Open
andreituicu wants to merge 1 commit into
Open
feat: Use CSP for scripts with (cached) nonce + strict-dynamic#498andreituicu wants to merge 1 commit into
andreituicu wants to merge 1 commit into
Conversation
|
Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch and validate page speed.
Commits
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Enable Content Security Policy for scripts using
strict-dynamicand (cached) nonce.Note: The CSP doesn't have to be configured using a meta tag. We can also add
script-src 'nonce-aem' 'strict-dynamic';directly into the headers configuration. I'm doing it like this, so people can test it out directly on this PR, without affecting the main branch. Thenonce="aem"on the trusted scripts is required in the code.The following is our current understanding on what would be the level of protection.
Of course, things can change with research and finding ways to bypass, that's why CSP is always about having it as a last line of defence, rather than your main defence. 🙂
1. Protected even if the nonce is cached
✅
.innerHTMLfor XSS✅
.outerHTMLfor XSS✅
.insertAdjecentHTMLfor XSS✅
.setHTMLUnsafefor XSS✅
eval/setTimeout/setInterval/ Function for XSS✅
javascript:protocol in the href/src attributes✅
location.href/location.assign()/location.replacefor XSS✅ attribute event handlers (
onclick,onblur,onload,onerroretc.) for XSS✅ stored/reflected XSS
2. not protected, because the nonce is cached
❌
document.write/document.writeln-> because you could get the nonce and use it in the exploit3.not protected for other reasons
❌
document.createRange().createContextualFragment-> whether the nonce is cached/known is irrelevant, scripts are always executed withstrict-dynamic.❌
srcattribute of a<script>tag created bydocument.createElement('script')/ text content of a<script>tag created bydocument.createElement('script')/import-> permitted bystrict-dynamic4. not protected by CSPs in general
Script-less attacks
❌ HTML injection, DOM clobbering, etc.
Test URLs: