Is there a way to keep the nonce default value secret?

[1Copenut]

Hello. I found your csp-nonce-worker while doing research for my own Cloudflare Worker. I prefer to use nonces for CSP, but have had a hard time getting them to work with static site generated (SSG) front ends.

I wanted to ask if there's a way to keep the nonce default value secret. Your README example shows a default nonce string for the stylesheet:

<link rel="stylesheet" href="/styles.css" nonce="DhcnhD3khTMePgXw" />

This article by Scott Helme from 2017 demonstrates adding nonces with Nginx header rewrites. At the bottom of the article he specifically calls attention to the default value needing to be kept a secret.

Update 16 Jan 2017:

A few people on Twitter have pointed out that I wasn't clear enough about the fact that the nonce substitution value has to be kept a secret. If an attacker finds out this value they can use it to inject into their own script tag and Nginx would rewrite a valid nonce into it for them. This value must be kept secret.

I'm asking because I would like to implement your Worker, but haven't found a way to inject the default nonce string in a way that keeps it out of templates as a hard-coded value.

[mrmuskrat]

Not the author but if you look at line 62 of the script you will see where it replaces "DhcnhD3khTMePgXw" with the generated nonce. "DhcnhD3khTMePgXw" is not a secret... It's a placeholder.

[lightningspirit]

Just missed this one. Like @mrmuskrat said, that is just a placeholder. Keep in mind this was created in the early days of Cloudflare Workers and not updated so often as it should. It might be something better nowadays.

[painterjd]

I found this issue reported and wanted to ask the same question. Yes, DhcnhD3khTMePgXw is simply a placeholder but
If I'm an attacker and have found an XSS injection vuln, can't I simply inject the known placeholder and then the cloudflare worker will write the correct nonce and voila, the CSP nonce defense is bypassed as my injected script tag now contains the correct nonce.

Making the placeholder secret defeats this attack.

Maybe I'm missing something. Thanks!

[lightningspirit]

@painterjd indeed, but that's not the purpose of this script. This, as many other scripts out there, are vulnerable to any number of XSS attacks. One way of mitigate this is not use this placeholder but change it to something stronger and only known by the Cloudflare Worker and your application (a shared secret per si). As long as communications are encrypted between these two parties (ie. TLS) I can't see any reason to not use this approach. Thoughts?

[painterjd]

I think we're in basic agreement. My point is simply that if someone deploys this worker they should change the placeholder to something only known to the worker and their application and I suspect many people are deploying the worker as-is. Perhaps a comment in the JS would help make this clear.

[1Copenut]

I'd plus one @painterjd comment from 2 July about adding a comment that the placeholder must be kept secret. This is an easy thing to get wrong, and could give a false sense of confidence. That's not a criticism of the script, just a personal anecdote from a cautious developer.

The best way I found to handle this (so far) was to make the placeholder a Cloudflare env secret that would be injected during the build step. Then used the Cloudflare HTMLRewriter to look for all instances of the placeholder and replace it with a just-in-time nonce, much like the original script.

[lightningspirit]

@painterjd yeah, I agree with that, it is not explicit in any moment and maybe adding that as a comment is a good idea.
@1Copenut absolutely, if Cloudflare workers now supports env secrets, that's a good addition to the script. Do you have any implementation already you could share?

[1Copenut]

@lightningspirit Yes I do. I wrote a Pages middleware function using several blog posts and official docs as guides. Line 2 is where the environment secret is introduced to the worker and I have a process.env variable of the same name that adds the placeholder to my Eleventy static pages at build time.

• CSP nonces the easy way with Cloudflare Workers
• [Fixing Content-Security-Policies with Cloudflare Workers](https://www.blackhillsinfosec.com/fixing-content-security-policies-with-cloudflare-workers/)
• HTMLRewriter - Cloudflare docs