Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate inline script SHA for Content-Security-Policy #3427

Closed
jarreds opened this issue Jan 6, 2018 · 9 comments
Closed

Generate inline script SHA for Content-Security-Policy #3427

jarreds opened this issue Jan 6, 2018 · 9 comments

Comments

@jarreds
Copy link

jarreds commented Jan 6, 2018

Gatsby uses inline javascript so we have to include a script-src 'unsafe-inline'; in the content security policy. I think we can tighten this up from a security perspective.

I imagine we can take some inspiration from (or use) https://bitbucket.org/atlassianlabs/csp-webpack-plugin and get SHA hashes of the inline scripts. This would render the unsafe-inline directive unnecessary and we could get SHA hashes of the known inline scripts.

I'm pretty new to the javascript ecosystem. I'd like to try to help build a gatsby plugin to make this happen. Could anyone give just a little bit of guidance on the proper way to setup a webpack plugin that can analyze the resulting inline scripts in Gatsby? If so, I think I can hack something together.
@ghost
Copy link

ghost commented Jan 7, 2018

inline style elements also have the same problem

As I see it the attack vector is mainly from user-controlled input. So for example a markdown file with an inline script.
So just parsing the final output and generating hashes from all inline scripts won't add security because the evil-markdown-script will also get a hash.
@jarreds
Copy link
Author

jarreds commented Jan 7, 2018

Yes, you’re definitely correct that a build-time attack is still a possibility with this feature.

With CSP in-line SHAs I’m hoping to add an additional layer of XSS protection for those of us who persist and render user input with backend APIs.
@ghost
Copy link

ghost commented Jan 7, 2018

With CSP in-line SHAs I’m hoping to add an additional layer of XSS protection for those of us who persist and render user input with backend APIs.

You mean something like this right?

(Without testing) I would say that the csp-webpack-plugin generates hash for every script, even evil ones. So it might not be a good inspiration 👿
@ghost
Copy link

ghost commented Jan 15, 2018

As far as I can see there are only 2 inline scripts after the build, here and here

And one inline style here

Is this correct or am I missing cases?
@jarreds
Copy link
Author

jarreds commented Jan 17, 2018

Yeah, those are the ones I've encountered thus far.
@ghost
Copy link

ghost commented Jan 17, 2018

Then as next step you should follow the contributing guide and set up your local gatsby-dev.

As a proof of concept you can first modify "static-entry" directly and insert the rules as meta tag but on the long-run the CSP should be sent via header (e.g. plugin-netlify) and not enabled by default
@mattferderer mattferderer mentioned this issue Jan 28, 2018
Closed
@ghost ghost mentioned this issue Jan 29, 2018
Closed
@Graham42
Copy link
Contributor

Graham42 commented Feb 16, 2018
edited
Loading

I can take a look at this sometime next week unless someone else already is?
@ghost
Copy link

ghost commented Feb 16, 2018

@Graham42 That would be great.

I did not work more on it, only the very basic concept-proof: master...zionis137:topics/csp
@jamesadarich jamesadarich mentioned this issue Feb 18, 2018
Open
@KyleAMathews
Copy link
Contributor

Due to the high volume of issues, we're closing out older ones without recent activity. Please open a new issue if you need help!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
3 participants
@KyleAMathews @jarreds @Graham42