
"support older browsers" nonce fix

Open strider72 opened this issue 6 years ago • 5 comments

Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as well. Of course, this is less secure again.

Firefox and Edge ignore the "unsafe-inline" directive if nonces are also called, so this is fine in those browsers; but... I can't determine if Chrome or newer versions of iOS Safari (10+) do the same. Thus, I'm not positive that just adding unsafe-inline is the correct (safe) fix. Worth investigating though.

strider72, Apr 26 '18 22:04

Are these versions of iOS Safari still supported?

(I'm asking because I don't own any Apple products, so I don't have a frame of reference. This could be an "Internet Explorer 11" bug or an "Internet Explorer 5.5" bug and I wouldn't know which.)

paragonie-scott, Apr 26 '18 22:04

Apple seems to come out with a new iOS about every year or so, and the current version is 11 – so iOS 9 certainly isn't new, but not ancient either. Maybe on par with IE 11 or possibly 10.

A lot of people are still on iOS 9 or 10 because certain iPhones and iPads max out at that OS.

I believe it falls within a reasonable “older browsers”. iOS 5 or lower would be analogous to IE 6....

(Edit: more like iOS 1 or 2....)

strider72, Apr 27 '18 01:04

Looked it up. iOS 9 was introduced in September 2015

strider72, Apr 27 '18 02:04

Okay, I did some testing with an inline non-nonced style tag and script tag. So... CSP script-src has a nonce set, AND 'unsafe-inline' set to true. CSP style-src has a nonce set, AND 'unsafe-inline' set to true.

"Pass" means the browser blocked the non-nonced Style and Script. "Fail" means it did not block the non-nonced Style or Script:

  • Firefox 59: PASS

  • Firefox 56: PASS

  • Chrome 66: PASS

  • Edge: PASS

  • Safari 11.1 on Mac (current): PASS

  • Safari on iOS 11 (current): PASS

  • Safari on iOS 10: PASS

  • Safari on iOS 9: FAIL

  • Internet Explorer 11: FAIL

Results:

  1. If your CSP sets default-src to 'none', but style-src or script-src to a nonce, old browsers will fail to run those scripts or styles, because they don't understand nonces and fall back to the default 'none'.
  2. If a browser that does understand CSP nonces has a nonce set AND unsafe-inline set, it ignores the unsafe-inline. (Note: In csp-builder you have to set the unsafe-inline before you set the nonce!) THEREFORE:
  3. To properly support older browsers, when setting nonces you also have to set unsafe-inline.

strider72, Apr 27 '18 17:04
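The three results above can be modelled as a small decision procedure. The following JavaScript is an added example written for this thread; it is neither csp-builder code nor browser source. It parses a CSP header, picks the directive that governs an inline element (falling back to default-src), and then evaluates it two ways: as a browser that understands nonce-sources (CSP Level 2 and later, which is where the rule "ignore 'unsafe-inline' whenever a nonce-source or hash-source is present" comes from) and as a legacy engine that only knows CSP Level 1 and drops source expressions it does not recognise. The nonce value `r4nd0m` and the header strings are constructed sample input.

```javascript
// Model of how a CSP script-src / style-src directive is applied to an
// inline element. Illustrative code for this issue, not browser or
// csp-builder source.

// Parse "default-src 'none'; script-src 'nonce-abc' 'unsafe-inline'"
// into a Map of directive name -> array of source expressions.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// The directive governing an inline <script> or <style>; if it is absent,
// default-src applies, and if that is absent too there is no restriction.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// supportsNonces: true for a CSP2+ engine, false for a CSP1-only engine
// (the iOS 9 Safari / IE 11 behaviour reported in the thread).
// elementNonce: the nonce attribute on the inline element, or null.
function inlineAllowed({ header, directive, supportsNonces, elementNonce = null }) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;

  const nonces = sources
    .filter(s => /^'nonce-[^']+'$/i.test(s))
    .map(s => s.slice("'nonce-".length, -1));
  const hasUnsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");

  if (supportsNonces) {
    // CSP2+: a matching nonce allows the element. Otherwise, the presence of
    // any nonce-source (the spec applies the same rule to hash-sources)
    // makes the engine ignore 'unsafe-inline'.
    if (elementNonce !== null && nonces.includes(elementNonce)) return true;
    if (nonces.length > 0) return false;
    return hasUnsafeInline;
  }
  // CSP1-only engine: 'nonce-...' is an unknown expression and is dropped,
  // so only 'unsafe-inline' can permit inline content.
  return hasUnsafeInline;
}

// Reproduce the three "Results" from the thread. 'r4nd0m' is a constructed
// sample nonce; a real nonce must be unpredictable and fresh per response.
function evaluateMatrix() {
  const nonceOnly = "default-src 'none'; script-src 'nonce-r4nd0m'";
  const nonceAndUnsafeInline =
    "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'";
  return {
    // Result 1: legacy browser, nonce only -> even the nonced script is blocked
    legacyNoncedScript_nonceOnly: inlineAllowed({
      header: nonceOnly, directive: 'script-src', supportsNonces: false, elementNonce: 'r4nd0m',
    }),
    // Result 2: modern browser ignores 'unsafe-inline' when a nonce is present
    modernUnnoncedScript_both: inlineAllowed({
      header: nonceAndUnsafeInline, directive: 'script-src', supportsNonces: true,
    }),
    modernNoncedScript_both: inlineAllowed({
      header: nonceAndUnsafeInline, directive: 'script-src', supportsNonces: true, elementNonce: 'r4nd0m',
    }),
    // Result 3: legacy browser with 'unsafe-inline' runs all inline scripts
    legacyUnnoncedScript_both: inlineAllowed({
      header: nonceAndUnsafeInline, directive: 'script-src', supportsNonces: false,
    }),
    // style-src is absent, so both engines fall back to default-src 'none'
    modernInlineStyle_both: inlineAllowed({
      header: nonceAndUnsafeInline, directive: 'style-src', supportsNonces: true,
    }),
  };
}

console.log(evaluateMatrix());
```

The last entry shows the trap from result 1 in a different form: adding 'unsafe-inline' to script-src does nothing for inline styles, so each directive that uses a nonce needs its own 'unsafe-inline' fallback if old browsers are to work.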

Hi, this is very interesting. The CSP evaluator also recommends this approach, so could the unsafe-inline directive be included if a nonce is set and supportOldBrowsers is true? [screenshot: CSP evaluator output, 2019-02-25]

Rendez, Feb 25 '19 09:02