
Fix or remove support for automatically-computed CSP hashes

Open chongfai13 opened this issue 5 years ago • 13 comments

Hi there

I would like to create random hashes from the inline script by using sha256 like the following results:

Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

Appreciate your kind assistance.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

chongfai13 avatar Feb 25 '20 02:02 chongfai13

@chongfai13 you should be able to add those values directly into your config. There's also an automated tool for dynamically applying specific hashes but I'm not sure anyone uses it https://github.com/github/secure_headers/blob/master/docs/hashes.md

oreoshake avatar Feb 25 '20 19:02 oreoshake

Hi Oreoshake

Thanks for your reply, we have followed the instructions but unfortunately it’s not working. Can you advise or perhaps show me the steps? Thanks

chongfai13 avatar Mar 02 '20 06:03 chongfai13

@chongfai13 Can you provide more details about what is not working? Did the rake task execute? Are the hashes being generated (config/secure_headers_generated_hashes.yml)? Are the hashes being included in the header? Are the hashes wrong?

oreoshake avatar Mar 02 '20 18:03 oreoshake

Hi Oreoshake, yes, the file config/secure_headers_generated_hashes.yml is generated with the content:

---
scripts: {}
styles: {}

and these hashes are not included in the header. Please help.

chongfai13 avatar Mar 03 '20 11:03 chongfai13

And you have raw <script> "javascript_goes_here" </script> tags in your views? It uses a regular expression to try and find script tags but I wouldn't call it well tested.

oreoshake avatar Mar 03 '20 17:03 oreoshake

Hi Oreoshake, sorry for the late reply, you may see my source code here: https://github.com/chongfai13/secure_headers

I have successfully made the hashes, question: How do I set it at the headers?

I wish to create like this: Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

chongfai13 avatar Mar 09 '20 03:03 chongfai13

Hi @chongfai13, it looks like that test repo is enough for me to look into this, thanks for putting that together. Unfortunately, I'm very busy so it may be some time before I can get to it. I've set a reminder so I (hopefully) won't forget.

oreoshake avatar Mar 13 '20 17:03 oreoshake

I think the script will calculate a wrong value if the inline code is in a .html.erb file, even if the javascript code is static. In my case it looks like this:

<% if condition? %>
  <%= hashed_javascript_tag do %>
    <!-- static javascript code -->
    var $test = "123"
  <% end %>
<% end %>

If I insert the sha256 from the error message into the yml, it works fine. But the generate_hashes task will generate a different sha256 that will not work.

KjellMorgenstern avatar Dec 05 '20 19:12 KjellMorgenstern

Hello, it has been some time since our last communication and I'm not sure we arrived at a solution or debugging situation.

The script hash support was primarily built to support inclusion of the script hash feature of CSP 2. Personally, I have never used it. It has tests. I have tested it. But it hasn't been proved in production AFAIK.

I've updated the title to reflect that this feature needs to be first-class or removed. Anything in between is detrimental to the library, specification, and person trying to use it.

oreoshake avatar May 06 '21 06:05 oreoshake

If I insert the sha256 from the error message into the yml, it works fine. But the generate_hashes task will generate a different sha256 that will not work.

I am also seeing this right now. rake secure_headers:generate_hashes finds the instance of hashed_javascript_tag and creates a hash for it, but then accessing the page generates an "unknown hash" error and outputs a different hash. Manually putting that hash into config/secure_headers_generated_hashes.yml results in things working properly, but it's destroyed if the rake task is run again.

rahearn avatar Aug 26 '21 14:08 rahearn

Investigating a little further, the issue appears to be a difference in how the hash is computed when the hashed_javascript_tag block is indented at all. The rake task generates the same hash as the helper tag when the block is all the way over to the left.

rahearn avatar Aug 26 '21 14:08 rahearn
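The indentation sensitivity rahearn found is inherent to CSP hash-sources: the browser hashes the exact bytes between the script tags, leading newlines and indentation included, so the generator must hash the same bytes the rendered page contains. The following added example (not code from secure_headers) computes hash-sources the way a browser does and shows that the same JavaScript, flush left versus indented inside a wrapper element, yields different digests; the regex and sample HTML are constructed for illustration.

```ruby
require "digest"
require "base64"

# Build one CSP hash-source for an inline script body: SHA-2 digest over the
# exact bytes between <script> and </script>, base64 (with padding), wrapped
# in single quotes with the algorithm prefix, e.g. 'sha256-...='.
def csp_hash_source(script_body, algorithm: "sha256")
  digest = case algorithm
           when "sha256" then Digest::SHA256.digest(script_body)
           when "sha384" then Digest::SHA384.digest(script_body)
           when "sha512" then Digest::SHA512.digest(script_body)
           else raise ArgumentError, "unsupported CSP hash algorithm: #{algorithm}"
           end
  "'#{algorithm}-#{Base64.strict_encode64(digest)}'"
end

# Extract every inline <script> body from rendered HTML and hash it verbatim.
# Nothing is stripped or re-indented: the browser hashes what is on the wire,
# so the generator must hash the rendered output, not the template source.
def inline_script_hashes(html)
  html.scan(%r{<script(?:\s[^>]*)?>(.*?)</script>}mi)
      .flatten
      .map { |body| csp_hash_source(body) }
end

# Assemble a script-src directive from the hashes found in the rendered page.
def script_src_directive(html)
  "script-src #{inline_script_hashes(html).uniq.join(' ')}"
end

# Constructed sample pages (not from the issue's test repo): the same statement,
# once flush left and once indented as it would be inside an ERB conditional.
FLUSH_LEFT = "<script>\nvar $test = \"123\"\n</script>"
INDENTED   = "<div>\n  <script>\n    var $test = \"123\"\n  </script>\n</div>"

if __FILE__ == $PROGRAM_NAME
  puts script_src_directive(FLUSH_LEFT)
  puts script_src_directive(INDENTED)
end
```

Running the script prints two different hash-sources for what is visibly the same JavaScript; only the one computed from the bytes actually served will satisfy the browser.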

the issue appears to be a difference in how the hash is computed when the hashed_javascript_tag block is indented at all

Thanks for digging in to this. That seems like a pretty bad limitation of the current implementation. But that also sounds like it would be easy to fix (and test :smile:).

oreoshake avatar Aug 26 '21 17:08 oreoshake

Version 6.3.3 was released with @rahearn's fixes to hash generation. Maybe that fixes the problems reported here?

oreoshake avatar Sep 07 '21 22:09 oreoshake