
autoSubmitHTML and CSP

Open miiichael opened this issue 5 years ago • 3 comments

This might be straddling the border between "minor bug" and "wishlist", but the autoSubmitHTML page violates CSP policies that forbid inline script. This results in users seeing a mysterious almost-blank page with just a button on it (clicking it does do the right thing though, of course). It would be nice if it were possible to supply a nonce, to make browsers happy. Obviously I'd prefer to not have to permit inline-script in my CSP policy. :P

miiichael avatar Aug 10 '19 06:08 miiichael

@miiichael sorry for the delay in responding to this. I'm not actively using this in my day-to-day right now, so I don't have a good use-case to test this out on.

I've opened #53 which adds a nonce parameter to the function. However, my understanding is that the nonce needs to be specified in your CSP and can only be used once. Since this library isn't a web framework on its own, I'm not sure what a convenient API would be to make sure the nonce is synchronized between the form and the CSP headers you're sending back -- can you help me work through that?

necaris avatar Apr 12 '20 19:04 necaris

Hmm, I'm unsure if I can be very helpful, as I'm very much a beginner in the field myself! I'm actually using python3-openid via python-social-auth (and using flask-talisman to handle most of the CSP heavy lifting), so I guess I need to also report a bug against python3-social-auth-core? :thinking:

#53 seems reasonable to my untrained eyes, except I'm unsure if there's any value in using a random string in the absence of autoSubmitHTML() being provided with a valid nonce? Maybe one option would be to allow a user-supplied callback (that returns the required nonce) to be set?

miiichael avatar Jun 07 '20 11:06 miiichael

@miiichael you're absolutely right that there's no value to using a random string in the absence of a nonce -- conversely, I don't see there's any harm in it :wink: and it's less complex than a user-supplied callback function.

Looking into this further in the context of python-social-auth and flask-talisman, it seems to me that this scenario from the documentation is closest to what we want: flask-talisman will set the appropriate HTTP headers, which will work if we provide the exact nonce value returned by its csp_nonce() function in the <script> HTML tag.

My guess is that:

  • this library will need to accept a nonce argument (or something) in htmlMarkup to be able to populate the value correctly
  • python-social-auth will need to call it with the appropriate nonce value (this might be achievable by your subclassing the OpenIdAuth backend and overriding the auth_html() method)
  • somehow, flask_talisman's csp_nonce value will need to be supplied (can be done in your custom subclass, since the current csp_nonce is available on flask.request).

I'm not a user of python-social-auth myself so I don't know the best way of achieving this but I'd be happy to help if you can point me at more of your project's code.

necaris avatar Jun 07 '20 12:06 necaris
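The header/body synchronisation discussed above, as an added example that is not part of this thread or of python3-openid: one function generates the nonce and uses it in both the CSP header and the `<script>` tag, and a checker flags the mismatch the reporter hit. The `nonce` parameter on the auto-submit helper mirrors what #53 proposes and is assumed here, the form markup is constructed, and flask-talisman is left out so the example runs stand-alone. The submit call sits inside the nonced script rather than in a `body onload=` attribute, because a CSP nonce does not allow inline event-handler attributes.

```python
import html
import re
import secrets

# Constructed stand-in for the markup AuthRequest.formMarkup() would return.
SAMPLE_FORM = ('<form id="openid_message" action="https://op.example/endpoint" method="post">'
               '<input type="hidden" name="openid.mode" value="checkid_setup"/>'
               '<input type="submit" value="Continue"/></form>')


def make_csp_nonce():
    """128 bits from the OS CSPRNG, base64url; generated fresh per response."""
    return secrets.token_urlsafe(16)


def auto_submit_html(form, nonce=None, title="OpenID transaction in progress"):
    """Auto-submitting page in the spirit of oidutil.autoSubmitHTML.

    The nonce parameter is the assumed shape of the #53 change. Hiding the
    inputs and submitting both happen in the nonced <script>, so nothing
    relies on an inline event handler that CSP would still block.
    """
    nonce_attr = ' nonce="%s"' % html.escape(nonce, quote=True) if nonce else ""
    return ("<html><head><title>%s</title></head><body>%s"
            "<script%s>var f=document.forms[0];"
            "for(var i=0;i<f.elements.length;i++){f.elements[i].style.display='none';}"
            "f.submit();</script></body></html>") % (title, form, nonce_attr)


def render_auth_response(form):
    """Single point that mints the nonce and feeds it to header and body."""
    nonce = make_csp_nonce()
    headers = {"Content-Security-Policy":
               "default-src 'self'; script-src 'nonce-%s'" % nonce}
    return headers, auto_submit_html(form, nonce)


_HDR_NONCE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>")


def nonces_match(headers, body):
    """True only if every <script> carries a nonce the CSP header allows."""
    allowed = set(_HDR_NONCE.findall(headers.get("Content-Security-Policy", "")))
    tags = _SCRIPT_TAG.findall(body)
    if not allowed or not tags:
        return False
    for attrs in tags:
        m = re.search(r'nonce="([^"]*)"', attrs)
        if not m or m.group(1) not in allowed:
            return False
    return True
```

Running `nonces_match` over a response built without the nonce reproduces the failure the reporter saw: the header is strict, the script has no matching nonce, and the browser leaves the bare form with its button on screen.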