Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix or remove support for automatically-computed CSP hashes #432

Open
chongfai13 opened this issue Feb 25, 2020 · 13 comments
Open

Fix or remove support for automatically-computed CSP hashes #432

chongfai13 opened this issue Feb 25, 2020 · 13 comments

Comments

@chongfai13
Copy link

Hi there

I would like to create random hashes from the inline script by using sha256 like the following results:

Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

Appreciate for your kind asist.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
@oreoshake
Copy link
Contributor

@chongfai13 you should be able to add those values directly into your config. There's also an automated tool for dynamically applying specific hashes but I'm not sure anyone uses it https://github.com/github/secure_headers/blob/master/docs/hashes.md

@chongfai13
Copy link
Author

Hi Oreoshake

Thanks for your reply, we have followed the instructions but unfortunately it’s not working. Can you advise or perhaps show me the steps?
Thanks

@oreoshake
Copy link
Contributor

@chongfai13 Can you provide more details about what is not working? Did the rake task execute? Are the hashes being generated (config/secure_headers_generated_hashes.yml)? Are the hashes being included in the header? Are the hashes wrong?

@chongfai13
Copy link
Author

chongfai13 commented Mar 3, 2020
edited
Loading

Hi Oreshake, yes, the file config/secure_headers_generated_hashes.yml is generated with the content:

(three dashes)
scripts: {}
styles: {}

and these hashes not included in the header. Please help

@oreoshake
Copy link
Contributor

oreoshake commented Mar 3, 2020
edited
Loading

And you have raw <script> "javascript_goes_here" </script> tags in your views? It uses a regular expression to try and find script tags but I wouldn't call it well tested.

@oreoshake oreoshake reopened this Mar 3, 2020
@chongfai13
Copy link
Author

Hi Oreoshake, sorry for late reply, you may see my source code here: https://github.com/chongfai13/secure_headers

I have successfully made the hashes, question: How do I set it at the headers?

I wish to create like this:
Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

@oreoshake
Copy link
Contributor

Hi @chongfai13 it looks like that test repo is enough for to me to look into this, thanks for putting that together. Unfortunately, I'm very busy so it may be some time before I can get to it. I've set a reminder so I (hopefully) won't forget.

@KjellMorgenstern
Copy link

I think the script will calculate a wrong value if the inline code is in a .html.erb file, even if the javascript code is static. In my case it looks like this

<% if condtion? %>
  <%= hashed_javascript_tag do %>
    <!-- static javascript code -->
    var $test = "123"
  <% end %>
<% end %>

If I insert the sha256 from the error message into the yml, it works fine. But the generate_hashes task will generate a different sha256 that will not work.

@oreoshake oreoshake changed the title SHA256 for CSP Fix or remove support for automatically-computed CSP hashes May 6, 2021
@oreoshake
Copy link
Contributor

Hello, it has been some time since our last communication and I'm not sure we arrived at a solution or debugging situation.

The script hash support was primarily built to support inclusion of the script hash feature of CSP 2. Personally, I have never used it. It has tests. I have tested it. But it hasn't been proved in production AFAIK.

I've updated the title to reflect that this feature needs to be first-class or removed. Anything in between is detrimental to the library, specification, and person trying to use it.

@rahearn
Copy link
Contributor

rahearn commented Aug 26, 2021

If I insert the sha256 from the error message into the yml, it works fine. But the generate_hashes task will generate a different sha256 that will not work.

I am also seeing this right now. rake secure_headers:generate_hashes finds the instance of hashed_javascript_tag and creates a hash for it, but then accessing the page generates an "unknown hash" error and outputs a different hash. Manually putting that hash into config/secure_headers_generated_hashes.yml results in things working properly, but it's destroyed if the rake task is run again.

@rahearn
Copy link
Contributor

rahearn commented Aug 26, 2021
edited
Loading

Investigating a little further, the issue appears to be a difference in how the hash is computed when the hashed_javascript_tag block is indented at all. The rake task generates the same hash as the helper tag when the block is all the way over to the left.

@oreoshake
Copy link
Contributor

the issue appears to be a difference in how the hash is computed when the hashed_javascript_tag block is indented at all

Thanks for digging in to this. That seems like a pretty bad limitation of the current implementation. But that also sounds like it would be easy to fix (and test :smile).

@rahearn rahearn mentioned this issue Aug 27, 2021
Merged
2 tasks
@oreoshake
Copy link
Contributor

Version 6.3.3 was released with @rahearn's fixes to hash generation. Maybe that fixes the problems reported here?

@dorianmariecom dorianmariecom mentioned this issue Dec 10, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rahearn @chongfai13 @oreoshake @KjellMorgenstern