Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve CSP compliance #257

Merged
merged 5 commits into from
Oct 27, 2023
Merged

improve CSP compliance #257

merged 5 commits into from
Oct 27, 2023

Conversation

vejja
Copy link
Collaborator

@vejja vejja commented Oct 20, 2023

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

These changes disable the possibility for the server to use a pre-determined nonce.

With these changes, the module now adheres to the W3C specs on CSP para 7.1: Nonce Reuse (https://www.w3.org/TR/CSP3/#security-nonces).

The modifications to the code include:

  • disallowing the ability to set nonces on the server via cookie
  • disallowing the possiblity to set nonces other than through cryptographically secure methods
  • suppressing the former 'check' mode
  • not sending nonces via cookie to the frontend

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)

@vejja
improve CSP compliance
b08c198 
- disallow setting nonces on the server via cookie
- disallow setting nonces other than through crypto secure method
- suppress 'check' mode
- do not send nonce via cookie to the frontend
@vercel
Copy link

vercel bot commented Oct 20, 2023
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nuxt-security ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 26, 2023 6:55pm

@vejja vejja marked this pull request as ready for review October 21, 2023 00:00
@vejja
RFC-compliant crypto
ee366c7 
- W3C mandates at least 128 bits of entropy
- randomUUID only had 122
@Baroshem Baroshem changed the base branch from main to chore/1.0.0-rc.3 October 25, 2023 09:25
@Baroshem
Copy link
Owner

Hey @vejja

Could you please also update the documentation of the module to be up to date with this change/fix? :)

@vejja
Copy link
Collaborator Author

vejja commented Oct 26, 2023

Hi @Baroshem
I'm pushing a very minor change, otherwise the doc seems to be fine by me.

The only thing I'm unsure about, is our example about how to use nonce with <NuxtImg>.
According to my tests, if we use this feature, we will have

  • a nonce attribute in the <img> element. As trijpstra-fourlights noted correctly, <img> is not nonceable so this is useless
  • two identical nonce attributes in the <link preload> element (if the preload option is used on <NuxtImg>). The first one is inserted by NuxtImg, and the second one by ourselves. So it is not required there either.

I can reach out to the people at NuxtImg to understand why they introduced this option in the first place if you think it is useful, but for now I think we can leave the section unchanged in our docs, as the above situation does not create any practical issue.
In the longer term I suspect we could delete the section altogether, as users of nuxt-security probably don't need to use the nonce option when using <NuxtImg>.

@vejja
Copy link
Collaborator Author

vejja commented Oct 26, 2023
edited

Background for this last commit:

CI seemingly fails at random times on the vitest nonce tests.
The issue arises in tests because when we extract the value of the nonce to compare against expected value, it can sometimes contain the characters + or /, which are special regex characters. When we then use a string.match() against this value, we therefore need to backslash-escape the regex.
The escape function is taken from https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping

Note: this test suite regression was introduced by the use of crypto.randomBytes(16) in ee366c7 in place of crypto.randomUUID(), which only generated alpha-numerical characters.

@Baroshem Baroshem merged commit f57ed56 into Baroshem:chore/1.0.0-rc.3 Oct 27, 2023
3 checks passed
dargmuesli added a commit to maevsi/maevsi that referenced this pull request Nov 2, 2023
@dargmuesli
chore(deps): update dependency nuxt-security to v1.0.0-rc.3 (#1421)
31672c3 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [nuxt-security](https://nuxt-security.vercel.app)
([source](https://togithub.com/Baroshem/nuxt-security)) | [`1.0.0-rc.2`
->
`1.0.0-rc.3`](https://renovatebot.com/diffs/npm/nuxt-security/1.0.0-rc.2/1.0.0-rc.3)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/nuxt-security/1.0.0-rc.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/nuxt-security/1.0.0-rc.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/nuxt-security/1.0.0-rc.2/1.0.0-rc.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nuxt-security/1.0.0-rc.2/1.0.0-rc.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>Baroshem/nuxt-security (nuxt-security)</summary>

###
[`v1.0.0-rc.3`](https://togithub.com/Baroshem/nuxt-security/releases/tag/v1.0.0-rc.3):
1.0.0-rc.3

[Compare
Source](https://togithub.com/Baroshem/nuxt-security/compare/42f7399289e8edc50b2c68e1e70b1012ac95d8dd...v1.0.0-rc.3)

> 1.0.0-rc.3 is the next release candidate

#### 🗞️ Next steps

We are planning to release one or two more release candidate versions
with bugfixes before a stable 1.0.0 version will be released.

#### ✅ Migration Guide

This version includes ⚠️ breaking changes but don't worry, we have
prepared migration guide for you 😉

#####

In the previous version, `nonce` could be either an object with a type
`NonceOptions` or `false`.

```ts
export type NonceOptions = {
  enabled: boolean;
  mode?: 'renew' | 'check';
  value?: (() => string);
}
```

Now it is only a boolean value:

```ts
export default defineNuxtConfig({
  security: {
    nonce: true | false
  }
}
```

This change was necessary to resolve security vulnerability for nonce
reported by vejja
[Baroshem/nuxt-security#257.
Read more about the new usage of nonce in this module
https://nuxt-security.vercel.app/documentation/headers/csp#nonce

👉 Changelog
[compare
changes](https://togithub.com/Baroshem/nuxt-security/compare/v1.0.0-rc.1...v1.0.0-rc.3)

#### 🚀 Enhancements

-   Add `credentialless` value to `Cross-Origin-Embedder-Policy` header
-   Export configuration type
-   Improve CSP Compliance
-   ensure csp plugins are added last
-   Extend CSP support of SSG mode
-   use cheerio HTML parser for CSP

#### 🩹 Fixes

-   Basic Auth Configuration for Multiple Paths
- Nonce value is injected in all pre-rendered pages if the `nonce`
option is set to `true`

#### 📖 Documentation

-   Clarify rateLimiter `interval` property

#### 🏡 Chore

-   Improve TS config

#### ⚠️ Breaking Changes

-   CSP Compliance

#### ❤️ Contributors

- Espen Solli Grande ([@&#8203;espensgr](https://togithub.com/espensgr))
-   vejja ([@&#8203;vejja](https://togithub.com/vejja))
-   Tristan ([@&#8203;Tristan971](https://togithub.com/Tristan971))
- Jonas Thelemann
([@&#8203;dargmuesli](https://togithub.com/dargmuesli))
-   nsratha ([@&#8203;rathahin](https://togithub.com/rathahin))

#### 🏋️‍♂️ New Contributors

- [@&#8203;espensgr](https://togithub.com/espensgr) made their first
contribution in
[Baroshem/nuxt-security#261
- [@&#8203;vejja](https://togithub.com/vejja) made their first
contribution in
[Baroshem/nuxt-security#245
- [@&#8203;rathahin](https://togithub.com/rathahin) made their first
contribution in
[Baroshem/nuxt-security#267

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/maevsi/maevsi).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMS41IiwidXBkYXRlZEluVmVyIjoiMzcuMzEuNSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Baroshem Baroshem Baroshem approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@vejja @Baroshem