Skip to content

feat: Use CSP for scripts with (cached) nonce + strict-dynamic#498

Open
andreituicu wants to merge 1 commit into
mainfrom
csp
Open

feat: Use CSP for scripts with (cached) nonce + strict-dynamic#498
andreituicu wants to merge 1 commit into
mainfrom
csp

Conversation

@andreituicu

@andreituicu andreituicu commented Apr 1, 2025

Copy link
Copy Markdown
Collaborator

Enable Content Security Policy for scripts using strict-dynamic and (cached) nonce.

Note: The CSP doesn't have to be configured using a meta tag. We can also add script-src 'nonce-aem' 'strict-dynamic'; directly into the headers configuration. I'm doing it like this, so people can test it out directly on this PR, without affecting the main branch. The nonce="aem" on the trusted scripts is required in the code.

The following is our current understanding on what would be the level of protection.
Of course, things can change with research and finding ways to bypass, that's why CSP is always about having it as a last line of defence, rather than your main defence. 🙂

1. Protected even if the nonce is cached

.innerHTML for XSS
.outerHTML for XSS
.insertAdjecentHTML for XSS
.setHTMLUnsafe for XSS
eval / setTimeout / setInterval / Function for XSS
javascript: protocol in the href/src attributes
location.href / location.assign() / location.replace for XSS
✅ attribute event handlers (onclick, onblur, onload, onerror etc.) for XSS
✅ stored/reflected XSS

  • as long as there is no server side manipulation of the HTML in the customer's CDN

2. not protected, because the nonce is cached

document.write / document.writeln -> because you could get the nonce and use it in the exploit

3.not protected for other reasons

document.createRange().createContextualFragment -> whether the nonce is cached/known is irrelevant, scripts are always executed with strict-dynamic.
src attribute of a <script> tag created by document.createElement('script') / text content of a <script> tag created by document.createElement('script') / import -> permitted by strict-dynamic

4. not protected by CSPs in general
Script-less attacks
❌ HTML injection, DOM clobbering, etc.

Test URLs:

@andreituicu andreituicu requested a review from amol-anand April 1, 2025 18:56
@aem-code-sync

aem-code-sync Bot commented Apr 1, 2025

Copy link
Copy Markdown

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch and validate page speed.
In case there are problems, just click a checkbox below to rerun the respective action.

  • Re-run PSI checks
  • Re-sync branch
Commits

@aem-code-sync

aem-code-sync Bot commented Apr 1, 2025

Copy link
Copy Markdown
Page Scores Audits Google
📱 /ext/en/home PERFORMANCE A11Y SEO BEST PRACTICES SI FCP LCP TBT CLS PSI
🖥️ /ext/en/home PERFORMANCE A11Y SEO BEST PRACTICES SI FCP LCP TBT CLS PSI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant