Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: revert CSP header and script-src addition #25445

Merged
merged 2 commits into from
Jan 13, 2023
Merged

fix: revert CSP header and script-src addition #25445

merged 2 commits into from
Jan 13, 2023

Conversation

AtofStryker
Copy link
Contributor

@AtofStryker AtofStryker commented Jan 12, 2023
edited
Loading

User facing changelog

N/A. Reverts feature.

Additional details

After merging #24760, the development team noticed that there were regressions in some of the authentication providers that were previously supported. This is mainly due to no longer stripping CSP headers, as well as potentially overwriting them.

In the current state, #24760 overwrites current CSP headers. This is an issue with Salesforce domains for example, where Content-Security-Policy=upgrade-insecure-requests becomes Content-Security-Policy=script-src 'nonce-<NONCE>'. Since script-src itself is then required for even inline scripts, unsafe keywords would likely be required. The desired behavior here would likely be to not modify this header in this case since script-src is not present, and if it is present, we would need these nonces to likely be added to each inline script, probably overwriting the previous nonce. Adding script-src to injected html files is likely more involved than previously thought.

Another issue that is now present with this feature is CSP headers that are not compatible with Cypress. For instance, Auth0 provides Content-Security-Policy='frame-ancestors 'none', which has the same effect as X-Frame-Options='deny'. This means that the site cannot load in an iframe, which is inherently incompatible with Cypress

In the near future, we need to investigate what CSP policies might be a problem with Cypress, as well as how to support script nonce injection with Cypress if the CSP policy is present. Is is likely a good idea once these are vetted and discovered that we add some system tests that verify the rewrite behavior is correct and that sites load properly when visited.

Steps to test

N/A, revert

How has the user experience changed?

PR Tasks

  • Have tests been added/updated?
  • Has the original issue (or this PR, if no issue exists) been tagged with a release in ZenHub? (user-facing changes only)
  • Has a PR for user-facing changes been opened in cypress-documentation?
  • Have API changes been updated in the type definitions?

@AtofStryker AtofStryker changed the title Fix/revert 0472bb9cdb fix: revert CSP headed and script-src addition Jan 12, 2023
@AtofStryker AtofStryker marked this pull request as ready for review January 12, 2023 18:27
@AtofStryker AtofStryker mentioned this pull request Jan 12, 2023
Closed
@chrisbreiding chrisbreiding removed their request for review January 12, 2023 18:37
@cypress
Copy link

cypress bot commented Jan 12, 2023
edited
Loading


Test summary

4278 0 830 0Flakiness 7

Run details
Project cypress
Status Passed
Commit b4d8ecd
Started Jan 13, 2023 3:45 PM
Ended Jan 13, 2023 4:00 PM
Duration 15:34 💡
OS Linux Debian -
Browser WebKit 16

View run in Cypress Dashboard ➡️

Flakiness

commands/net_stubbing.cy.ts Flakiness
1 network stubbing > intercepting request > can delay and throttle a StaticResponse
2 ... > with `times` > only uses each handler N times
3 network stubbing > waiting and aliasing > can timeout waiting on a single response using "alias"
4 ... > stops waiting when an xhr request is canceled
cypress/cypress.cy.js Flakiness
1 ... > correctly returns currentRetry
This comment includes only the first 5 flaky tests. See all 7 flaky tests in the Cypress Dashboard.

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

@flotwig flotwig changed the title fix: revert CSP headed and script-src addition fix: revert CSP header and script-src addition Jan 12, 2023
@flotwig
Copy link
Contributor

flotwig commented Jan 12, 2023

In the current state, #24760 overwrites current CSP headers. This is an issue with Salesforce domains for example, where Content-Security-Policy=upgrade-insecure-requests becomes Content-Security-Policy=script-src 'nonce-'.

Not that this fixes the other problems with frame-ancestor etc., but #24760 shouldn't have caused the CSP to be overwritten, only extended... so I'd expect this to become upgrade-insecure-requests; script-src 'nonce-<NONCE>'. Agree with everything else here.

@AtofStryker
Copy link
Contributor Author

In the current state, #24760 overwrites current CSP headers. This is an issue with Salesforce domains for example, where Content-Security-Policy=upgrade-insecure-requests becomes Content-Security-Policy=script-src 'nonce-'.

Not that this fixes the other problems with frame-ancestor etc., but #24760 shouldn't have caused the CSP to be overwritten, only extended... so I'd expect this to become upgrade-insecure-requests; script-src 'nonce-<NONCE>'. Agree with everything else here.

I think the overwriting here is a bug. It looks like let policy = cspRegExp.exec('upgrade-insecure-requests') returns null here, when it should be able to parse the header. In the other cases I have seen, script-src is appended to the CSP, which may cause side effects.

@AtofStryker AtofStryker merged commit 478407e into develop Jan 13, 2023
@AtofStryker AtofStryker deleted the fix/revert_0472bb9cdb branch January 13, 2023 15:59
tgriesser added a commit that referenced this pull request Jan 18, 2023
@tgriesser
Merge branch 'develop' into tgriesser/spike/spike
3e305cd 
* develop: (45 commits)
  fix: re-enable CYPRESS_INTERNAL_VITE_DEV development (#25364)
  fix: add skip domain injection description (#25463)
  fix: revert CSP header and script-src addition (#25445)
  chore: Update v8 snapshot cache (#25401)
  feat: Do not strip CSP headers from HTTPResponse (#24760)
  fix: keep spaces in formatted output in test runner (#24687)
  fix: Restrict dependency versions to known supported ranges (#25380)
  chore: Update v8 snapshot cache (#25370)
  feat: experimental skip domain injection (#25307)
  chore: support vite v4 for component testing (#25365)
  feat: Use JSX/TSX in generated spec filenames (#25318)
  docs(angular): Properties that are spied upon have to be defined within `componentProperties` instead of on root level. (#25359)
  chore: remove lint-changed from scripts/docs (#25308)
  chore: bump to 12.3.0 [skip ci] (#25355)
  fix: make NODE_ENV "production" for prod builds of launchpad (#25320)
  fix: .contains() should only return one element at all times (#25250)
  feat: add currentRetry to Cypress API (#25297)
  chore: release @cypress/webpack-dev-server-v3.2.2
  chore: release create-cypress-tests-v2.0.1
  fix: change wording for spec creation (#25271)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flotwig flotwig flotwig approved these changes

@mjhenkes mjhenkes mjhenkes approved these changes

@mschile mschile Awaiting requested review from mschile

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AtofStryker @flotwig @mjhenkes