Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CSP nonce to CSS as well #16580

Closed
wants to merge 4 commits into from
Closed

Add CSP nonce to CSS as well #16580

wants to merge 4 commits into from

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Jul 27, 2019

Further tightening of our CSP.

It seems we need to export the nonce now to all the webpack code that wants to inject CSS (not just chunks).

@rullzer
Extend nonce usage in CSP to CSS as well
5a78ca4 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer
Add proper nonce to stylesheet responses
37edbd0 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer
First try to get the login nonce set properly
286aeff 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer added this to the Nextcloud 17 milestone Jul 27, 2019
rullzer
rullzer commented Jul 27, 2019
View reviewed changes
core/src/login.js
@@ -22,6 +22,8 @@
import Vue from 'vue';
import queryString from 'query-string';

__webpack_nonce__ = btoa(OC.requestToken)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@juliushaertl @skjnldsv I assumed this was enough as we use it in other places as well... but it seems not...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

webpack-contrib/style-loader#306 ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

webpack-contrib/style-loader#319

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok got it. it is because of the import reshuffling.... so the nonce gets set to late

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stupid wrapping seems to be the easy fix...

@rullzer
Add wrappers to allow CSS nonce to be properly used
c829bdb 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
skjnldsv
skjnldsv reviewed Jul 27, 2019
View reviewed changes
core/src/login.js

import Vue from 'vue';
import queryString from 'query-string';

__webpack_nonce__ = btoa(OC.requestToken)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

import OC from './OC/index' ?

@rullzer
Copy link
Member Author

rullzer commented Jul 27, 2019

Ok nevermind. We are by far not ready for this. As it doesn't allow setting

style="......" on divs anymore

@rullzer rullzer closed this Jul 27, 2019
@rullzer rullzer deleted the enh/csp-css-nonce branch July 27, 2019 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skjnldsv skjnldsv skjnldsv left review comments

@juliushaertl juliushaertl Awaiting requested review from juliushaertl

Assignees
No one assigned
Labels
2. developing Work in progress enhancement security
Projects
None yet
Milestone
Nextcloud 17
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rullzer @skjnldsv