Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(CSP): Add CSP nonce by default and convert browserSupportsCspV3 to blacklist #44412

Merged
merged 1 commit into from
Mar 26, 2024
Merged

fix(CSP): Add CSP nonce by default and convert browserSupportsCspV3 to blacklist #44412

merged 1 commit into from
Mar 26, 2024

Conversation

susnux
Copy link
Contributor

@susnux susnux commented Mar 22, 2024

Summary

Every modern browser ("modern" like every version since 2013 (over 10 years now!)) support the nonce src.
So we should add it by default and only keep a blacklist instead.

This way even users with for us unknown user agents get the more secure version.

Checklist

@susnux susnux added bug 3. to review Waiting for reviews labels Mar 22, 2024
@susnux susnux added this to the Nextcloud 29 milestone Mar 22, 2024
@susnux susnux requested review from SystemKeeper, juliusknorr, tobiasKaminsky, a team, ArtificialOwl, Altahrim and sorbaugh and removed request for a team March 22, 2024 15:06
@susnux susnux mentioned this pull request Mar 22, 2024
Closed
@SystemKeeper
Copy link
Contributor

Tested with Talk iOS on iOS 15.5 and 17.0 and both worked for me.

MichaIng
MichaIng approved these changes Mar 23, 2024
View reviewed changes
Copy link
Member

@MichaIng MichaIng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since IE is not (officially) supported by Nextcloud anymore, even the blacklist might not be needed. But good to have the facility, so we can add further entries in the unlikely but possible case that there are other browsers not supporting CSP nonce sources.

@Altahrim Altahrim mentioned this pull request Mar 25, 2024
Merged
@susnux
fix(CSP): Add CSP nonce by default and convert browserSupportsCspV3
5a513c9 
… to blocklist

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the fix/add-csp-nonce-by-default branch from 60428fc to 5a513c9 Compare March 26, 2024 16:08
@susnux susnux enabled auto-merge March 26, 2024 16:08
@Altahrim Altahrim added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Mar 26, 2024
@susnux susnux merged commit 0cb691d into master Mar 26, 2024
167 checks passed
@susnux susnux deleted the fix/add-csp-nonce-by-default branch March 26, 2024 17:06
@susnux susnux mentioned this pull request Apr 17, 2024
Closed
8 tasks
@joshtrichards joshtrichards mentioned this pull request Aug 29, 2024
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Altahrim Altahrim Altahrim approved these changes

@MichaIng MichaIng MichaIng approved these changes

@skjnldsv skjnldsv skjnldsv approved these changes

@juliusknorr juliusknorr juliusknorr approved these changes

@SystemKeeper SystemKeeper Awaiting requested review from SystemKeeper

@tobiasKaminsky tobiasKaminsky Awaiting requested review from tobiasKaminsky

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl was automatically assigned from nextcloud/server-backend

@sorbaugh sorbaugh Awaiting requested review from sorbaugh sorbaugh was automatically assigned from nextcloud/server-backend

Assignees
No one assigned
Labels
4. to release Ready to be released and/or waiting for tests to finish bug
Projects
None yet
Milestone
Nextcloud 29
Development

Successfully merging this pull request may close these issues.

CSP nonce by default
6 participants
@susnux @SystemKeeper @Altahrim @juliusknorr @skjnldsv @MichaIng