Conversation

@guspower (Contributor) commented May 4, 2025

A first pass implementation as discussed in issue #909

Let me know what you think - I'll update the docs when you're happy with it.

@guspower (Contributor, Author) commented May 4, 2025

Ah I was unaware of the playwright tests - looks like they caught a bug in my implementation. Cool, I will sort it out.

@lovasoa (Collaborator) left a comment

Thank you for taking the time to dive in!

This is a good start, but the logic is a little bit wrong here. Each nonce has to be used only once. We cannot define a random nonce on startup and then use it repeatedly. Otherwise an attacker can easily make a script injection that contains the known nonce.

How I think it should work:

  • in app_config, we store a parsed csp string. It could be something as simple as struct CSPFormat { before_nonce: String, after_nonce: String }
  • add a method to request_context.content_security_policy that takes a CSPFormat and generates a header.
  • in render.rs, replace the csp insertion with request_context.content_security_policy.add_to_response(&mut response, app_state.config.content_security_policy)
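
An added example, not code from the sqlpage PR: a Rust sketch of the design in the comment above, with the CSP template parsed once and a fresh nonce minted for every response. The `{NONCE}` placeholder spelling, the plain Vec used for response headers, and reading /dev/urandom (Unix hosts only) are this example's assumptions, not the project's API.

```rust
use std::{fs::File, io::{self, Read}};

/// CSP template parsed once at startup: the text on either side of a
/// `{NONCE}` placeholder (the placeholder spelling is this example's assumption).
pub struct CspFormat {
    pub before_nonce: String,
    /// `None` when the configured policy carries no placeholder at all.
    pub after_nonce: Option<String>,
}
impl CspFormat {
    pub fn parse(policy: &str) -> CspFormat {
        match policy.split_once("{NONCE}") {
            Some((b, a)) => CspFormat { before_nonce: b.into(), after_nonce: Some(a.into()) },
            None => CspFormat { before_nonce: policy.into(), after_nonce: None },
        }
    }
    /// Header value for one request: a cheap concatenation around the nonce.
    pub fn header_value(&self, nonce: &str) -> String {
        match &self.after_nonce {
            Some(after) => format!("{}{}{}", self.before_nonce, nonce, after),
            None => self.before_nonce.clone(),
        }
    }
    /// Per-request step: mint a fresh nonce, set the header, and return the nonce
    /// so the rendered <script> tags can carry the same value. Headers are a
    /// plain Vec here rather than a framework type (example assumption).
    pub fn add_to_response(&self, headers: &mut Vec<(String, String)>) -> io::Result<String> {
        let nonce = fresh_nonce()?;
        headers.push(("Content-Security-Policy".into(), self.header_value(&nonce)));
        Ok(nonce)
    }
}
/// 128 bits from the OS CSPRNG, base64-encoded. Never cache this: a nonce
/// known in advance is exactly what an injected script would reuse.
pub fn fresh_nonce() -> io::Result<String> {
    let mut bytes = [0u8; 16];
    File::open("/dev/urandom")?.read_exact(&mut bytes)?;
    Ok(base64(&bytes))
}
/// Minimal standard base64 (with padding) so the example needs no crates.
pub fn base64(input: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in input.chunks(3) {
        let n = chunk.iter().enumerate().fold(0u32, |acc, (i, &b)| acc | ((b as u32) << (16 - 8 * i)));
        for i in 0..4 {
            out.push(if i <= chunk.len() { T[((n >> (18 - 6 * i)) & 63) as usize] as char } else { '=' });
        }
    }
    out
}
```

Calling add_to_response twice for the same CspFormat yields two different headers, which is the property the e2e test in this thread checks.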

@guspower (Contributor, Author) commented May 4, 2025

Yep makes sense +1.

I'll take another run at this tomorrow and ensure each nonce is per-request.

guspower added 2 commits May 5, 2025 13:03
…ght test to verify subsequent requests return a different nonce.
@guspower (Contributor, Author) commented May 5, 2025

OK this should now be correct (I added an e2e test to verify). Let me know what you think!

@lovasoa lovasoa force-pushed the extend-csp-configuration branch from af329fc to a88f350 on May 5, 2025 22:09
@lovasoa lovasoa merged commit 1582956 into sqlpage:main May 6, 2025
10 checks passed
@lovasoa (Collaborator) commented May 6, 2025

Done. Thank you @guspower !

@lovasoa lovasoa mentioned this pull request May 6, 2025
@guspower (Contributor, Author) commented May 6, 2025

Excellent thank you @lovasoa !!!

@guspower guspower deleted the extend-csp-configuration branch May 6, 2025 08:57