[WebProfilerBundle] Content-Security-Policy directives "style-src" and "script-src" are misused · Issue #22053 · symfony/symfony · GitHub

Closed
fox-hellraiser opened this issue Mar 18, 2017 · 12 comments

Comments

@fox-hellraiser commented Mar 18, 2017
| Q                | A     |
| ---------------- | ----- |
| Bug report?      | yes   |
| Feature request? | no    |
| BC Break report? | no    |
| RFC?             | no    |
| Symfony version  | 3.2.6 |

Related to #18568, #20963.

Consider the following code in "WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php":

if (!in_array('\'unsafe-inline\'', $headers[$header][$type], true)) {
    $headers[$header][$type][] = '\'unsafe-inline\'';
}
$headers[$header][$type][] = sprintf('\'nonce-%s\'', $nonces[$tokenName]);

If one of my CSP directives looks like style-src 'self' 'unsafe-inline'; then nonce-<hash> is not added. But when I remove the 'unsafe-inline' part, the directive is transformed to style-src 'self' 'unsafe-inline' 'nonce-%hash%'; and this causes a CSP violation (Chrome 57.0.2987.110 (64-bit)):

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-b20c6f15cd91eebde540bfff16296462'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Consider the last sentence: the browser says that 'unsafe-inline' and 'nonce-<hash>' are incompatible. I looked in the docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script and found the following notice:

To allow inline scripts and inline event handlers, 'unsafe-inline', a nonce-source or a hash-source that matches the inline block can be specified.

So it is only allowed to use 'unsafe-inline' or both nonce and hash, but not all together. The same applies to 'script-src'.

ping @romainneutron
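The rule quoted from the browser message, worked through as an added example (this is not code from the Symfony code base): it parses a CSP value, applies the rewrite this report describes to a style-src directive, and then checks whether an inline element would be admitted. The nonce and policy strings are constructed, and `profiler_rewrite` is a hypothetical model of the behaviour described in the report, not the bundle's real handler.

```python
from typing import Dict, List, Optional

# Constructed sample nonce and policies (not values from the issue's repository).
NONCE = "b20c6f15cd91eebde540bfff16296462"
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Join the parsed policy back into a header value."""
    return "; ".join((name + " " + " ".join(srcs)).strip() for name, srcs in policy.items())


def profiler_rewrite(header: str, directive: str, nonce: str) -> str:
    """Hypothetical model of the rewrite the report describes (not the bundle's code):
    a directive that already has 'unsafe-inline' and no nonce/hash is left untouched;
    otherwise the quoted snippet appends 'unsafe-inline' and then the nonce."""
    policy = parse_csp(header)
    sources = policy.setdefault(directive, [])
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return serialize_csp(policy)
    if "'unsafe-inline'" not in sources:
        sources.append("'unsafe-inline'")
    sources.append("'nonce-%s'" % nonce)
    return serialize_csp(policy)


def inline_allowed(sources: List[str], element_nonce: Optional[str] = None) -> bool:
    """The rule in Chrome's message: once any nonce or hash source is present,
    'unsafe-inline' is ignored and only an element carrying a matching nonce is admitted."""
    if any(s.startswith(NONCE_OR_HASH) for s in sources):
        return element_nonce is not None and ("'nonce-%s'" % element_nonce) in sources
    return "'unsafe-inline'" in sources


def check(header: str, directive: str, element_nonce: Optional[str] = None) -> bool:
    """Would an inline element governed by `directive` be allowed under `header`?"""
    return inline_allowed(parse_csp(header).get(directive, []), element_nonce)


if __name__ == "__main__":
    rewritten = profiler_rewrite("style-src 'self'", "style-src", NONCE)
    print(rewritten)                      # style-src 'self' 'unsafe-inline' 'nonce-...'
    print(check(rewritten, "style-src"))  # False: an un-nonced inline style is still refused
```

The model shows why the console error is expected: appending 'unsafe-inline' next to a nonce does not re-enable un-nonced inline styles, only elements carrying the nonce pass.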

@romainneutron (Contributor)

The behavior is expected, as you mentioned, and as mentioned here https://csp.withgoogle.com/docs/strict-csp.html

In the presence of a CSP nonce the unsafe-inline directive will be ignored by modern browsers. Older browsers, which don't support nonces, will see unsafe-inline and allow inline scripts to execute.

Could you point me to where you encounter the issue? Which panel?

@fox-hellraiser (Author)

Could you point me to where you encounter the issue? Which panel?

STR:

  1. Add onKernelResponse listener.
  2. In this listener, add CSP header to Response instance with directive style-src 'self';.
  3. Load index page in dev-mode (with WebProfilerBundle).
  4. Open dev-tools in Chrome, go to Console tab.

Actual result: error message from OP.
Expected result: no errors.

Also, I confirm the #20963 issue: the hash value in the nonce-<hash> directive is not the same as in the HTML <script> tag that loads WebProfilerBundle. Maybe this is important in my case.

@fox-hellraiser (Author)

Also, a few words about this quote:

In the presence of a CSP nonce the unsafe-inline directive will be ignored by modern browsers. Older browsers, which don't support nonces, will see unsafe-inline and allow inline scripts to execute.

A day ago, I was experimenting with CSP headers and added a worker-src 'none'; directive to the response. After this, QA engineers told me that in Chrome dev-tools they found a "notice":

The Content-Security-Policy directive 'worker-src' is implemented behind a flag which is currently disabled.

We compared our browser versions, and they are equal (major, minor and build parts). But the difference is in the OS: on Ubuntu I don't see any notices, but QA used Windows 7 and the notice is present there.

So I mean that some undocumented behaviour can also occur in my case with style-src 'unsafe-inline' nonce-<hash>;, like with the worker-src directive.

@romainneutron (Contributor)

Hello,

You said that the error that occurs in your console is

Refused to apply inline style because it violates the following Content Security Policy directive

Actually, you cannot use inline style if your CSP is set to style-src 'self'. This console error is expected if you're using both inline style and style-src 'self'.

Please try to disable the Symfony web profiler toolbar

web_profiler:
    toolbar: false

and let me know if you get the exact same issue.

I'd be glad if you could create a Symfony app based on the standard edition that reproduces your issue so I can have a look and see if there's a bug.

At the moment, everything looks normal to me.

@fox-hellraiser (Author) commented Mar 20, 2017

Actually, you can not use inline style if your CSP is set to style-src 'self'. This console error is expected if you're using both inline style and style-src 'self'.

Yep, but in WebProfilerBundle/Csp/ContentSecurityPolicyHandler.php the 'unsafe-inline' directive is added in this case, so the browser actually receives style-src 'self' 'unsafe-inline' nonce-%hash%;, not just style-src 'self';.

Please try to disable the Symfony web profiler toolbar

The error does not occur when I disable the web profiler toolbar.

I'd be glad if you could create a Symfony app based on the standard edition that reproduces your issue so I can have a look and see if there's a bug.

Ok, I'll do it tonight.

@romainneutron (Contributor)

If you have a CSP mentioning style-src 'self', it means inline style is disabled.
If the web profiler bundle updates it to style-src 'self' 'unsafe-inline' nonce-%hash%;, the same applies: it also means inline style is disabled, except for style tags that use the nonce.

Where does the inline style come from? Your code? Symfony code? Vendor code?

@fox-hellraiser (Author)

When I remove the 'unsafe-inline' part of the style-src directive, I see an error in dev-tools:

(index):12 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'nonce-fbfe4d643c603bd140a7c52ba807274a'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Clicking on index 12 leads me to line 12 of the page, where the one-line web toolbar <script> tag is placed:

<div id="sfwdt1cbb9e" class="sf-toolbar sf-display-none"></div><script nonce=7c5ac8563874a31ef0c332b298e0343c>/*<![CDATA[*/ Sfjs = (function() {...

but I can't find any <style> element inside this piece of code.

@romainneutron (Contributor)

Waiting for a repository to reproduce the issue

@fox-hellraiser (Author) commented Mar 20, 2017

STR on fresh install of Symfony:

git clone https://github.com/fox-hellraiser/symfony-csp.git
cd symfony-csp
composer install -o
php bin/console server:start

Open http://localhost:8000 and note that everything works fine.

After changing the CSP header in src/AppBundle/Listener/CspListener.php from style-src 'self' 'unsafe-inline'; to style-src 'self';, refresh the page in the browser and follow the steps from my previous comments to see the error message and the CSP header (as modified by the WebProfilerBundle response listener) in the dev-tools Console tab (Chrome 57.0.2987.110 (64-bit)).

The same results can be achieved by adding the headers directly to the controller response instead of using a listener, but I want to reproduce my current set-up as closely as possible.

@romainneutron (Contributor)

Reproduced, thanks for the report

@romainneutron (Contributor)

I just submitted a patch that fixes your issue. Thanks again for reporting.

@fox-hellraiser (Author)

You're welcome :) And thanks for a quick fix.

fabpot added a commit that referenced this issue Mar 21, 2017
…ity in case of a `style-src 'self'` policy (romainneutron)

This PR was merged into the 3.2 branch.

Discussion
----------

[WebProfilerBundle] Fix Content-Security-Policy compatibility in case of a `style-src 'self'` policy

| Q             | A
| ------------- | ---
| Branch?       | 3.2
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #22053 #20963
| License       | MIT

This fixes the compatibility of the bundle in case of a `style-src 'self'` policy.
This PR must be rebased once #22089 is merged

Commits
-------

4acec89 [WebProfilerBundle] Fix content-security-policy compatibility
fabpot closed this as completed Mar 21, 2017