Gatsby: Possible to add a nonce option for scripts?

Created on 28 Jan 2018 · 6 comments · Source: gatsbyjs/gatsby

Would it be possible to add a nonce option to Gatsby as a whole or to plugins such as Google Analytics individually? This could possibly help issue #3427 & allow people to use Content Security Policies with inline scripts protected.

If this is something that makes sense, I would be happy to try & create some pull requests.

All 6 comments

I tried it here: https://github.com/zionis137/gatsby/commit/3c260c62ca0706294cf52ed975edace4753bfc72
Works surprisingly well for scripts, one would need to add a (different) nonce for inline styles (here).

As I don't have much time this week feel free to take it and make a PR.

I misunderstood how nonce works. It needs to be generated by the server on each http request. This may not be the best approach upon re-thinking this problem. I'm going to close this and try to come up with a better solution.

sure, nonce = "number used once"

For static sites nonce might even work.... An attacker knows the nonce, but I don't think he can inject new content on the server without running gatsby build which changes the nonce.

Hashes are the better alternative https://github.com/gatsbyjs/gatsby/issues/3427.
The static-entry.js is called in one of the latest build-stages, every plugin that wants to inject js-code should have done so before that...

Using nonce for CSP requires a server to generate the nonce for _every request_.

From: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial.

Also, code can be injected without needing to touch the server. XSS attack as follows:

  1. Our Gatsby site depends on a SuperGreatFont from greatfonts.example.com
  2. greatfonts.example.com gets compromised and starts serving malicious code instead of fonts
  3. A user visits our Gatsby site which loads what should be a font.... and boom :boom: malicious code executes.

This attack and others can be completely mitigated with a good CSP. I'd recommend starting with

  Content-Security-Policy: default-src 'self'; form-action 'self';

and then relaxing the policy from there as needed.

The SHA approach is definitely better.

For anyone stumbling across this now closed issue... I'd go a step further and advocate defaulting to Content-Security-Policy: default-src 'none'; and relaxing from there as per your requirements. For example there's no reason for most sites to allow object-src at all, even from same-origin. So just blocking it outright is a sensible default.

A good article worth checking out (a few years old now, but still very valid): https://github.blog/2016-04-12-githubs-csp-journey/

We still need a solution to this since Google Tag Manager and Analytics otherwise require 'unsafe-inline'
