
No nonce value output #5

Closed
clarknelson opened this issue Dec 23, 2020 · 12 comments

Comments

@clarknelson

[two screenshots attached]

Wonder what is going on

@clarknelson
Author

[screenshot attached]

I'm looking at these first three nonce issues and they look to be the same message, but they have different header values?

The first error is for an inline script that has nonce="2e6...." which is listed in the 2nd rule

@roelvanhintum
Contributor

@clarknelson sorry for the late response. When using the view-source option in Chrome you will probably see the nonce on the style element. The errors you are seeing are all script related, so you probably forgot to add nonces to some script tags.

If you really can't change that, try a config something like this:

// content-security-policy.php
<?php

return [
    'scriptSrc' => [
        "'unsafe-inline'",
    ],
];

Note: this does kill the point of this plugin, but the errors will go away.

@clarknelson
Author

clarknelson commented Dec 29, 2020

I'm having a bit of an issue with this one inline script tag:

<script type="text/javascript" src="/scripts/manifest.min.js{{ cache }}" nonce="{{ cspNonce('script-src') }}"></script>
<script type="text/javascript" src="/scripts/vendor.min.js{{ cache }}" nonce="{{ cspNonce('script-src') }}"></script>
<script type="text/javascript" src="/scripts/init.min.js{{ cache }}" nonce="{{ cspNonce('script-src') }}"></script>

{% set floorplans = craft.entries().section('floorPlans').with(['floorPlanDetails.floorPlanThumbnail', 'floorPlanDetails.floorPlanGraphic']).all() %}
<script nonce="{{ cspNonce('script-src') }}">
window.floorplans = [{% for floorplan in floorplans %}{
title: '{{ floorplan.title }}',
size: '{{ floorplan.floorPlanSize }}',
sqft: {{ floorplan.floorPlanSqft }},
balcony: '{{ floorplan.floorPlanBalcony }}',
thumbnail: '{{ floorplan.floorPlanDetails[0].floorPlanThumbnail | length > 0 ? floorplan.floorPlanDetails[0].floorPlanThumbnail[0].url }}',
graphic: '{{ floorplan.floorPlanDetails[0].floorPlanGraphic | length > 0 ? floorplan.floorPlanDetails[0].floorPlanGraphic[0].url }}'
},{% endfor %}];
</script>

gives me this error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-591a0f13103bc488f35951f311aa4f5b1500603367be'". Either the 'unsafe-inline' keyword, a hash ('sha256-8cs7lbnfp8mcDLvXfh9T8JsuV0+NlLaqk4cEhcv2+LU='), or a nonce ('nonce-...') is required to enable inline execution.

If I remove the nonce:

<script type="text/javascript" src="/scripts/manifest.min.js{{ cache }}" nonce="{{ cspNonce('script-src') }}"></script>
<script type="text/javascript" src="/scripts/vendor.min.js{{ cache }}" nonce="{{ cspNonce('script-src') }}"></script>
<script type="text/javascript" src="/scripts/init.min.js{{ cache }}" nonce="{{ cspNonce('script-src') }}"></script>

{% set floorplans = craft.entries().section('floorPlans').with(['floorPlanDetails.floorPlanThumbnail', 'floorPlanDetails.floorPlanGraphic']).all() %}
<script>
window.floorplans = [{% for floorplan in floorplans %}{
title: '{{ floorplan.title }}',
size: '{{ floorplan.floorPlanSize }}',
sqft: {{ floorplan.floorPlanSqft }},
balcony: '{{ floorplan.floorPlanBalcony }}',
thumbnail: '{{ floorplan.floorPlanDetails[0].floorPlanThumbnail | length > 0 ? floorplan.floorPlanDetails[0].floorPlanThumbnail[0].url }}',
graphic: '{{ floorplan.floorPlanDetails[0].floorPlanGraphic | length > 0 ? floorplan.floorPlanDetails[0].floorPlanGraphic[0].url }}'
},{% endfor %}];
</script>

I get two errors:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' stripe.com player.vimeo.com vimeo.com buildercms.com google-analytics.com 'nonce-cc61b74ddff22c955ed0962e1f8ad91b236fcb7a9651' 'nonce-27d287b0255ef207a8428e16496a69adb15e9b580746' 'nonce-215d8b98b701c1c1e09926ee5c5cf3f935d99d9c61a0' 'nonce-9c39c71e9422e9281816eef25c241f9ff61544d20005' 'nonce-c601cd04056f8712afa7e1cf6cd335272c0c83e8ab01'". Either the 'unsafe-inline' keyword, a hash ('sha256-8cs7lbnfp8mcDLvXfh9T8JsuV0+NlLaqk4cEhcv2+LU='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-ad63d480b679144ec5c00f049fa9f77f9f89c8953edc'". Either the 'unsafe-inline' keyword, a hash ('sha256-8cs7lbnfp8mcDLvXfh9T8JsuV0+NlLaqk4cEhcv2+LU='), or a nonce ('nonce-...') is required to enable inline execution.

The first error looks more like the policy I want... Thanks for getting back to me, any help would be appreciated.

@clarknelson
Author

It's for sure the inline scripts that will not load for me. The nonce seems to load fine when included, but it may be changing the policy (see previous comment)

@clarknelson
Author

I output the final CSP value and it looks correct, I am not sure why the errors are showing up:

string(1016) "script-src 'self' stripe.com player.vimeo.com vimeo.com buildercms.com google-analytics.com 'nonce-7e7a201978167aaca7d15786ae3e1fb7e47fd3111a3d' 'nonce-f49da6545c695d8381325b93d7e9fcf3a20a9320ed07' 'nonce-1b439f12ebb69ea3d74ccd668e6c09b4ec9f1988ad08' 'nonce-266c2f37fa0c020bdc0a63287cad006e63d1c840c45e' 'nonce-9aebfaba8a5ca4b7b3be11d5bfeb859b6c8b409627de' 'nonce-7c1f31cf7b30ed2bad17ca50b7743e308773b2aa2ff9' 'nonce-ab5dfbba27912ccb0f298ce267ec17579a08d23bd9bd' 'nonce-be5e5f0c6eeeb5e08ef7ddf9cd92b8fc334b1260648a' 'nonce-9f6242e31541ed0c7b55db8ac5709072dd5ee95aa450' 'nonce-380e2ec3968463ed1454cdf45da21619acebad8e347d'; style-src 'self' 'nonce-baa3a6ba9efcdc064b4b2817f2c929578444e96991a0' 'nonce-0b577c828285802aa84c7c58d040b6253b2d3a1550c8' 'nonce-042a76819fb9a90c7c817df255c46ef163469b55826b'; img-src 'self' data: thereed-prod.imgix.net; connect-src 'self' google-analytics.com craftcms.com player.vimeo.com vimeo.com buildercms.com craft-cdn.com; frame-src 'self' player.vimeo.com vimeo.com; form-action self"

@clarknelson
Author

Here is my whole policy:

script-src 'self' stripe.com player.vimeo.com vimeo.com buildercms.com google-analytics.com 'nonce-a7140ee8ecee6afdc112849b2e56e29fc1a63a60ca40' 'nonce-4c841a9436cc5b24511305c9d6e99f8e3f73581f2853' 'nonce-583ccee3f6ea497446024efeb7ea3848f0ffb25ac9ee' 'nonce-1aba6d68bb564dbaa8ea4ec2e91e6206926f8769e4a2' 'nonce-e49c7f4b10d52e481f7355e033d1c6f3015d0c869095' 'nonce-4b3f4bd614de649edb2bd7db81c74f38a4547f0eb8fc' 'nonce-b73b63453ed5bd0b554464e5e00b0e0d5dc884fe1e55' 'nonce-666b2342ebebf071b515381655cfb9cd310df74293d3' 'nonce-544b28a3f10b10f7807914846d39885198d408547d4e' 'nonce-c65def0f6f5482824507ac947b2ae3ad2bca7ff0bf10';
style-src 'self' 'nonce-596c68b91fc80934fe61b1658e05ca1f5e59e3e1e6ab' 'nonce-1f806a30a66e42f597fa950327d15fd0c5955434c317' 'nonce-a9374fd2ddae02dc5fa257987150950a9f650dabf484';
img-src 'self' data: thereed-prod.imgix.net;
connect-src 'self' google-analytics.com craftcms.com player.vimeo.com vimeo.com buildercms.com craft-cdn.com;
object-src 'none';
frame-src 'self' player.vimeo.com vimeo.com;
form-action self;

And the error message:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-25e9e87321d235c9972229a46ed522bbfbfdffb33e4a'". Either the 'unsafe-inline' keyword, a hash ('sha256-elLIRKmNxCW1cXUVpwK76WJGPsc1z21W+GtVdRN/K5c='), or a nonce ('nonce-...') is required to enable inline execution.

No idea why the two are different!

@clarknelson
Author

When I use SEOmatic, the script tags for the tracking scripts have nonce values, but they aren't being added to the policy.

[two screenshots attached]

IDK how the nonce is being added, but this seems like it was considered!

@clarknelson
Author

SEOmatic is adding its own headers, which may conflict with this plugin's settings. Fortunately you can disable it at /admin/seomatic/plugin#tags

@clarknelson
Author

clarknelson commented Dec 29, 2020

There seems to be a difference between inline scripts in the <body> and <head> of the document, where only <head> inline scripts are okay.

@roelvanhintum
Contributor

roelvanhintum commented Dec 31, 2020

@clarknelson I'm looking into it. SEOmatic does include its own headers, which should be ok according to Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

edit: Duplicate won't work in any way.
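As an added illustration (not code from this thread, the CSP plugin or SEOmatic), here is a small Python model of how a browser evaluates an inline script against every Content-Security-Policy header it receives: each policy is enforced on its own, so a script carrying the plugin's nonce is blocked as soon as a second header (a constructed stand-in for SEOmatic's) lists only its own nonce, which matches the "script-src 'self' 'nonce-...'" errors quoted above. The nonce values and hosts are made up; the unquoted-keyword check is included because the policy printed earlier ends in `form-action self`, which CSP parses as a host named "self" rather than the `'self'` keyword.

```python
from typing import Dict, List, Optional

# Constructed sample headers modelled on the ones quoted in this thread;
# the nonce values and hosts are made up for the example.
PLUGIN_POLICY = ("script-src 'self' stripe.com 'nonce-aaaa1111' 'nonce-bbbb2222'; "
                 "style-src 'self' 'nonce-cccc3333'; object-src 'none'; form-action self")
SEOMATIC_POLICY = "script-src 'self' 'nonce-dddd4444'"

KEYWORDS = ("self", "none", "unsafe-inline", "unsafe-eval")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    If a directive is repeated inside one policy, the first one wins (per spec)."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def inline_script_allowed(policy: str, nonce: Optional[str]) -> bool:
    """Decide whether ONE policy lets an inline <script> execute.
    Hashes are not modelled here because this thread is about nonces."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    if nonce is not None and f"'nonce-{nonce}'" in sources:   # nonces are case-sensitive
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    # CSP2+ browsers ignore 'unsafe-inline' once any nonce or hash is present
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def allowed_by_all(policies: List[str], nonce: Optional[str]) -> bool:
    """Browsers enforce every delivered CSP header independently: the script
    runs only if EVERY policy allows it, which is why a second header with a
    different nonce blocks a script that the first header would accept."""
    return all(inline_script_allowed(p, nonce) for p in policies)


def unquoted_keywords(policy: str) -> List[tuple]:
    """Flag keywords written without quotes: CSP treats bare `self` or `none`
    as a host name, so `form-action self` does not mean what it looks like."""
    return [(d, s) for d, sources in parse_csp(policy).items()
            for s in sources if s.lower() in KEYWORDS]
```

Running `allowed_by_all([PLUGIN_POLICY, SEOMATIC_POLICY], "aaaa1111")` returns False even though the plugin's own policy accepts that nonce, which is the behaviour behind the mismatched directive in the error messages.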

@roelvanhintum
Contributor

@clarknelson you can disable SEOmatic's nonce option and use the one the CSP plugin provides like this:

{% do seomatic.script.get("googleAnalytics").nonce(cspNonce('script-src')) %}

I'm not sure if this works fine with template caching (it gave me some issues in my dev environment), but that is something for SEOmatic.
Found in: nystudio107/craft-seomatic#756

@clarknelson
Author

Thanks for the script, very nice. I'm going to close this since it relates to SEOmatic's added tags.
