csp-html-webpack-plugin icon indicating copy to clipboard operation
csp-html-webpack-plugin copied to clipboard

Published 20 hours ago verified publisher icon slackhq

Nonce seems to be static - recommanded conf is dangerous for static website generators

Open quadristan opened this issue 1 year ago • 1 comments

Description

Trying to use this plugin within a static website is opening security holes by default. For example if we follow https://github.com/slackhq/csp-html-webpack-plugin/issues/53, it will add static nonces on a static website.

I would recommend to disable nonces by default, and let the user enable them on when they know that they wont pack a static website

What type of issue is this? (place an x in one of the [ ])

  • [x] bug
  • [ ] enhancement (feature request)
  • [x] question
  • [ ] documentation related
  • [ ] testing related
  • [ ] discussion

Requirements (place an x in each of the [ ])

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

slackhq/csp-html-webpack-plugin version: 5.1.0

Steps to reproduce:

  1. create static website, such with as npx create-react-app my-app --template typescript
  2. Install and wire the plugin npm install react-app-rewired csp-html-webpack-plugin --save-dev
  3. Configure webpack overrides in config-overrides.js
const CspHtmlWebpackPlugin = require("csp-html-webpack-plugin");

module.exports = function override(config, env) {
  config.plugins.push(
    new CspHtmlWebpackPlugin({
      "script-src": "",
      "style-src": "",
    })
  );
  return config;
};
  1. Build with react-app-rewired build
  2. Check build/index.html file

Expected result:

Nonces are not static. At the very least, they should be generated by an inline script and injected

Actual result:

Static nonces are generated. Uploading this to a CDN will allow anyone to grab the nunce and re-use it, bypassing the CSP

  <meta http-equiv="Content-Security-Policy"
    content="base-uri 'self'; object-src 'none'; script-src 'nonce-csu9vwLV51tCaN6biAAJFg=='; style-src 'nonce-vAVCeRTmI/cROWHcZcycQA=='">

quadristan avatar Mar 22 '24 14:03 quadristan

I've used webpack to programmatically generate nonce values during each build.

LoganKells avatar Aug 26 '24 07:08 LoganKells