Nonce property for inline scripts? (CSP)

permb · September 27, 2019, 1:49pm

Hi,

Has anyone tried to add a nonce property to inline scripts created and served by a meteor app to get to a state where unsafe-inline can be purged from the script-src part of the CSP (Content Security Policy)?

It would need to be generated for each http request and inserted as an attribute to all inline scripts.
I saw that webpack has some support for this, but I’m using the built-in Meteor packaging.

vlasky · September 28, 2019, 7:42am

I am working on this exact task right now for one of our Meteor apps.

In production mode, the bundler concatenates almost all client-side javascript in the application into a single minified javascript include file which does not need a nonce or sha-256 hash.

The only block that needs a sha-256 hash is the inline script that sets the variable meteor_runtime_config.

You can use the following line of code on the server side to calculate the sha-256 hash of that variable and use it to configure the CSP script-src header:

runtimeConfigHash = crypto.createHash('sha256').update(`__meteor_runtime_config__ = JSON.parse(decodeURIComponent("${encodeURIComponent(JSON.stringify(__meteor_runtime_config__))}"))`).digest('base64');

Most people use the browser-policy atmosphere package or node.js helmet package for generating CSP headers in their Meteor webapp.

Unfortunately we still don’t have a solution to avoid the need for ‘unsafe-inline’ in the CSP style-src header because most apps need to dynamically modify the DOM.

To solve this problem, Meteor would need a special function or other mechanism to generate HTML style blocks that contain a nonce.

permb · September 28, 2019, 10:34am

Thanks for the pointers.

I use my own code to set CSP headers since meta attributes using helmet don’t cover all settings, using a line of code copied from the browser-policy package and then I have some conditionals of my own depending on Meteor.isDevelopment and some s3 storage bucket urls used to serve images.

import { WebApp } from "meteor/webapp";
import { NextHandleFunction } from "connect";

const cspHandler: NextHandleFunction = function(req, res, next) {
  const s3StorageUrl = getStorageBaseUrl();
  const webSockUrls = Meteor.isDevelopment
    ? "ws://localhost:3000 wss://redacted.ngrok.io"
    : "wss://test.redacted wss://app.redacted";

  const contentSecurityPolicy = `
    default-src 'none';
    img-src 'self' data: blob: https://storage.googleapis.com ${s3StorageUrl} https://media.licdn.com  https://www.google-analytics.com  https://stats.g.doubleclick.net;
    script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://www.gstatic.com;
    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com;
    connect-src 'self' ${webSockUrls} https://api.mixpanel.com  https://www.google-analytics.com  https://stats.g.doubleclick.net https://engine.montiapm.com/;
    font-src 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'none';
    base-uri https://test.redacted https://app.redacted;
    report-uri https://redacted.report-uri.com/x/y/enforce;
  `.replace(/\n/g, " "); // Headers cannot contain newlines
  res.setHeader("Content-Security-Policy", contentSecurityPolicy);
  res.setHeader("Referrer-Policy", "no-referrer");
  res.setHeader("X-Content-Type-Options", "nosniff");
  if (req.headers["x-forwarded-proto"] === "https") {
    res.setHeader("strict-transport-security", "max-age=31536000");
  }
  next();
};

export const installCSPHook = () => {
  // Copied from https://github.com/meteor/meteor/blob/devel/packages/browser-policy-common/browser-policy-common.js
  WebApp.rawConnectHandlers.use(cspHandler);
};

Ideally I’d like to have CSP turned on also in development mode for testing so then I’d want to insert a nonce for the uncompiled scripts.

permb · September 28, 2019, 10:37am

And as far as style-src goes, I think I’m toast since I’m using React anyway

vlasky · September 30, 2019, 7:12am

A small tweak to my previous code snippet. The client-side value of meter_runtime_config has an additional value “isModern”: true appended to the end, so this code incorporates that to ensure the correct sha-256 hash is calculated.

const runtimeConfigClient = Object.assign(__meteor_runtime_config__, {"isModern": true});
const runtimeConfigHash = crypto.createHash('sha256').update(`__meteor_runtime_config__ = JSON.parse(decodeURIComponent("${encodeURIComponent(JSON.stringify(runtimeConfigClient))}"))`).d
igest('base64');

permb · September 30, 2019, 10:01am

I think that somehow extending/patching/overriding the internal Boilerplate package would be the best solution (that’s where the inline script code is generated).

Unfortunately the code doesn’t look very patchable to me…

vlasky · October 11, 2019, 12:48am

Unfortunately further testing showed that this approach was not reliable. The variable meteor_runtime_config changes based on the type of client (i.e. browser version, desktop/mobile).

I have created an issue on Github suggesting a robust approach to fix this.

github.com/meteor/meteor

Fix CSP violation for code that sets variable __meteor_runtime_config__

opened 10:37PM - 10 Oct 19 UTC

closed 09:34AM - 07 Mar 20 UTC

vlasky

At the moment, Meteor users are forced to weaken their Content Security Policy b…y setting `script-src 'unsafe-line'` because Meteor inserts an inline script right after the HTML body tag that sets the variable `__meteor_runtime_config__` and the inline script does not have a sha-256 hash or a nonce. Example: ``` <body> <script type="text/javascript">__meteor_runtime_config__ = JSON.parse(decodeURIComponent("%7B%22meteorRelease%22%3A%22METEOR%401.8.1%22%2C%22gitCommitHash%22%3A%22b33f59abbc33a3775913a32688025e8cd407d0e9%22%2C%22meteorEnv%22%3A%7B%22NODE_ENV%22%3A%22production%22%2C%22TEST_METADATA%22%3A%22%7B%7D%22%7D%2C%22PUBLIC_SETTINGS%22%3A%7B%22env%22%3A%22Production%22%7D%2C%22ROOT_URL%22%3A%22https%3A%2F%2Fmymeterapp.com%2Fmyapp%22%2C%22ROOT_URL_PATH_PREFIX%22%3A%22%2Fmyapp%22%2C%22autoupdate%22%3A%7B%22versions%22%3A%7B%22web.browser%22%3A%7B%22version%22%3A%22bbe3e8df360739eca09be771b0b17854907ca5d3%22%2C%22versionRefreshable%22%3A%229b33f8fa391a81e22d7990a442924cf675d48ac8%22%2C%22versionNonRefreshable%22%3A%2234e081c8deb6b15d9acf6f05b1ecd422acd695cd%22%7D%2C%22web.browser.legacy%22%3A%7B%22version%22%3A%22f33d5526e7e135806b6f15b377fa4f35007910b6%22%2C%22versionRefreshable%22%3A%229b33f8fa391a81e22d7990a442924cf675d48ac8%22%2C%22versionNonRefreshable%22%3A%22b1c5a67a98b81d64235116636b5b30d7a4890e56%22%7D%7D%2C%22autoupdateVersion%22%3Anull%2C%22autoupdateVersionRefreshable%22%3Anull%2C%22autoupdateVersionCordova%22%3Anull%2C%22appId%22%3A%22zdem5b1w3gkqh8qfthu%22%7D%2C%22appId%22%3A%22zdem5b1w3gkqh8qfthu%22%2C%22accountsConfigCalled%22%3Atrue%2C%22isModern%22%3Atrue%7D"))</script> ``` The normal way of avoiding the need for a sha-256 hash or nonce is to move the inline script to an external .js file and include that from the main file. In Meteor's case it is not that easy because the `__meteor_runtime_config__` variable is dynamically generated, so it cannot be served as a static .js asset. In production, most of us have configured our web servers to directly serve files with the .js extension and other static assets without passing the request to Meteor. To deal with this, Meteor must serve `__meteor_runtime_config__` from a new special URL that does not have a .js prefix. Perhaps something like this: `/ROOT_URL/__meteor_runtime_config__/?hash=xxxxxxxxxxxxxx` When this URL is accessed, Meteor will dynamically generate the script code on the server-side and set the HTTP Header `Content-Type` to `"text/javascript"` Here's an example of how it could look with this approach that avoids the need for the weakened policy `script-src 'unsafe-line'` ``` <body> <script type="text/javascript" src="/ROOT_URL/__meteor_runtime_config__/?hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"></script> ```

vlasky · February 5, 2020, 7:30am

Turns out that support for loading the variable meteor_runtime_config from a separate .js file meteor_runtime_config.js was there all along, but not documented.

In your source code, you need to add the following include line:

import { WebAppInternals } from "meteor/webapp";

Then in a Meteor.startup() block, you need to add

WebAppInternals.setInlineScriptsAllowed(false);

Once you’ve done this, the variable meteor_runtime_config will no longer be loaded inline and you can remove the CSP policy ‘unsafe-inline’ from your script-src setting.

vlasky · February 12, 2020, 11:23am

For the record, I want to clarify that if you are using the browser-policy package, you do not need to call WebAppInternals.setInlineScriptsAllowed(false).

Instead, call BrowserPolicy.content.disallowInlineScripts(), which internally invokes the above function.

The reason why we don’t use browser-policy in our Meteor webapps is because we are using Nginx to terminate the connection and we are setting our HTTP response headers there.

We also feel this is more secure as it avoids the risk of someone accidentally or maliciously disabling or weakening the Content Security Policy by tampering with the source code of our Meteor app.

opxaholmes · June 2, 2020, 11:14pm

Not sure where you found this, but it seems very important. Thanks!