CSP nonce by default #10207
Safari: #11966 |
@rullzer I guess it's related to this topic, but I don't understand enough to know how to fix it best. Simply removing the CSP header works, which is fine for me for now, but it would be great, after work on this is done / the NC15 release, to have e.g. some page in the docs about the minimum CSP entries required to show all Nextcloud core content. This is on Opera developer browser v58, but it should not be related. I am open to testing/log reports, if needed. |
You should not set your own csp headers. Nextcloud does this all automatically. |
@rullzer But if I want to set my own CSP headers globally for other/own websites, is it possible to do this without affecting the ones from Nextcloud? Perhaps EDIT:
|
I'd vote for closing this now that Edge was superseded by Chromium Edge. |
I guess this means to re-open this issue for discussion, doesn't it? Currently the nonce is still only used based on a whitelist:
If compatibility with old Microsoft Edge is not required, then #10205 could be reattempted, switching to a blacklist. But there are a lot of browsers out there, including the mobile variants, so much to test 🙂. |
cc @nextcloud/security |
The only reason to not do this would be problems on client side for login flow, so if there are no objections from @nextcloud/android or @nextcloud/ios we can enable it by default. |
This should be the relevant support list: https://caniuse.com/contentsecuritypolicy2 |
Can I test this somehow before we merge it? |
Here is an example about how to define a nonce in an inline CSS block, and a related CSP rule, to block The nonce is intended to be dynamically generated, of course, so attackers cannot just add it to their harmful code. But for testing, it should be possible to just define both statically. |
I am too n00b to have an idea how to put this in our login flow. Other places that clients use, which are served by served are |
What is the lowest webview we support? For all features to work with nonce we would need at least android webview 54 & safari 15.4. If this does not work for our supported clients, how about moving to a blacklist instead of the whitelist and putting in our client UA? |
I was just thinking to test this outside of Nextcloud, with a single
Did you test this? Or is something aside from CSP2 required? For CSP2, caniuse says Safari 10 is sufficient, and Chromium 40, which should also equal webview 40. However, for Android 5, there is a very webview available, while for Android 4.4, AFAICS, it is stuck below version 40. So if this information is true, we would require Android 5+ in any case, which does not sound like a problem to me. EDIT: Ah yes, it seems in Android 4.4, webview was hardcoded in the OS, while only from Android 5 on can it be updated via the PlayStore. This would explain the large version difference: https://stackoverflow.com/questions/40188745/include-the-latest-webview-in-my-android-app |
I think I have them still working. |
BTW I saw we only support Android 6+ officially -> So this should be good :) |
@tobiasKaminsky Then the docs are outdated; they say 6+: |
At least Talk is still 6+ |
I mean it is of course possible that people run older webview on newer Android, theoretically. Let's see Chromium (=webview) and Android release dates:
So the oldest webview possible on Android 6 is probably v46. On Android 7 probably v53. If CSP2 is all that is needed, webview 40 should be sufficient, but probably there is another feature which requires v54, as you said @susnux? However, with the PlayStore and all, it is pretty unlikely and a misbehaviour to run such an outdated webview, when the very recent one is available for all those Android versions, hence I would not see this as a blocker. For Safari it is probably a bigger problem, since Safari versions are capped on macOS/iOS versions. Safari 10 wouldn't be an issue, but for Safari 15 one requires at least macOS 10.15 and iOS 15, it seems: https://en.wikipedia.org/wiki/Safari_(web_browser)#Version_compatibility

For easier testing, I created a simple test page: https://dietpi.com/nonce/

nonce sources work with styles and scripts only, not with images or other sources directly. So I used some inline CSS for the test. The CSP rule blocks all styles but those with the nonce:

```apache
Header always set Content-Security-Policy "style-src 'nonce-testnonce'"
```

The HTML document contains an image of a feather and one inline style without the nonce, which hides the image. Another inline style with the nonce inverts the image colours, hence turns it into black. Hence, if the feather remains white, nonce sources are not supported. And if no image is shown, CSP is not supported at all. Hence, if you see a black feather, all is good: CSP2 and nonce sources are supported.

```html
<!DOCTYPE html>
<html>
<head>
<style>img { display: none }</style>
<style nonce="testnonce">img { filter: invert(1) }</style>
</head>
<body>
<h1>This page is for testing CSP2 and nonce source support.</h1>
<h2>
If your browser supports CSP, then you should see a feather below, else it would be hidden.
<br>If your browser supports CSP2 with nonce sources, then the feather should be black, else it>
<br>Hence, if you see a black feather below, all is good :)!
</h2>
<img src="/images/slider_feather.png">
</body>
</html>
```

Ah, if the image remains white, it could also mean that CSS |
Would it be a lot of work to put the changes in a server PR so we can test against different iOS/Android versions? |
@SystemKeeper |
Try this one: #44412 |
In #10205 I tried to always add the CSP nonce.
Most browsers, if unsafe-inline is there together with a nonce, will ignore the unsafe-inline. This is the CSPv3 backwards compatibility idea.
However, this seems to break on Edge, as Edge doesn't properly parse the nonce on external resources.
We should investigate how to enable the nonce on more browsers.
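The two ideas in this thread, a per-response nonce served with the feather test page and the CSPv3 fallback of listing 'unsafe-inline' next to the nonce, combined into one small server. This is an added example, not Nextcloud code or the thread's test page; `make_nonce`, `build_csp`, `render` and `NonceHandler` are names chosen here, and the page is a constructed variant of the feather test.

```python
import base64
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed page modelled on the feather test above: the first inline style
# hides the image, the nonce'd one inverts it. Browsers without nonce support
# keep the image hidden or white; nonce-aware ones show it black.
PAGE_TEMPLATE = """<!DOCTYPE html>
<html><head>
<style>img {{ display: none }}</style>
<style nonce="{nonce}">img {{ filter: invert(1) }}</style>
</head><body>
<h1>CSP2 nonce source test (per-response nonce)</h1>
<img src="/images/slider_feather.png">
</body></html>
"""

def make_nonce(nbytes: int = 16) -> str:
    """Fresh nonce per response: 128 CSPRNG bits, base64 as CSP requires."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def build_csp(nonce: str, legacy_fallback: bool = True) -> str:
    """style-src directive. With legacy_fallback, 'unsafe-inline' is listed
    too: CSP2+ user agents ignore it once a nonce is present, CSP1-only
    agents fall back to allowing inline styles instead of breaking."""
    sources = ["'unsafe-inline'"] if legacy_fallback else []
    sources.append(f"'nonce-{nonce}'")
    return "style-src " + " ".join(sources)

def render(nonce: str) -> str:
    """Inject the same nonce into the page that the header advertises."""
    return PAGE_TEMPLATE.format(nonce=nonce)

class NonceHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        nonce = make_nonce()           # never reuse across responses
        body = render(nonce).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", build_csp(nonce))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), NonceHandler).serve_forever()
```

The image path is taken from the thread's page and is not served here, so point `src` at any image you host before judging the colour.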