Closed Bug 1425045 Opened 8 years ago Closed 8 years ago

Content-Security-Policy: img-src with nonce-<base64-value> does not work

Categories

Product/Component: Core :: DOM: Security
Type: enhancement
Platform: All
OS: Other
Priority: Not set
Severity: normal


RESOLVED INVALID

People

(Reporter: Scrum, Unassigned)

Details

(Whiteboard: [specification][type:bug])

What did you do?
================
1. I pass in the headers `'Content-Security-Policy': img-src 'nonce-2726c7f26c'`
2. Set the nonce attribute in the img tag: `<img nonce="2726c7f26c" src="/static/18964189_3395444665.jpg" alt="">`

What happened?
==============
The browser blocked my img:
Content Security Policy: Page settings blocked the download of the resource http://localhost:3000/static/18964189_3395444665.jpg («img-src 'nonce-2726c7f26c'»).

What should have happened?
==========================
The browser should show me the img.

Is there anything else we should know?
======================================
I have a demo on GitHub: https://github.com/inside-demo/express-posthtml-demo
Hi Scrum, It looks like your img tag is missing a nonce here: https://github.com/inside-demo/express-posthtml-demo/blob/ecb519cdf9f143fd56a18886cc6eb269449cd8e4/views/index.html#L10 Does adding one fix the problem? Also, in a production application you'll want to generate a unique nonce instead of hardcoding one.
Flags: needinfo?(Scrum)
Hi Greg Guthe [:g-k]
> Does adding one fix the problem?
No, I corrected the example. Sorry, I correctly described the problem but provided an incorrect example.
> Also, in a production application you'll want to generate a unique nonce instead of hardcoding one.
Yes, I understand this; now I want to understand what it does.
Flags: needinfo?(Scrum)
I still don't see a nonce on that img tag.
Sorry, I forgot to push. The example is now corrected.
I forked Scrum's example repo, reproduced the error, and worked on a static minimal example using a CSP meta tag in https://github.com/g-k/express-posthtml-demo/blob/master/views/index.html From what I can tell nonce img-srcs are allowed in the CSP 2 and 3 specs, but the discussion in https://github.com/w3c/webappsec-csp/issues/116 seems to suggest it isn't implemented and I see the same exception on Nightly, Chrome, and Safari. :ckerschb would know if it's implemented in Fx, but it looks like we might want to update MDN.
Cool, thanks :)
Is there a better component for this issue? It seems that this is not a vulnerability on https://developer.mozilla.org, but instead a Firefox bug or a documentation need.
Group: websites-security → core-security
Component: Security → DOM: Security
Product: Mozilla Developer Network → Core
Currently nonces and hashes only apply to <script> and <style>. See https://w3c.github.io/webappsec-csp/#match-element-to-source-list step 3 (and other references in the spec).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Group: core-security
Do you think we should move (or copy with minor changes) this explainer:
> Note: Nonces only apply to inline script and inline style, not to attributes of either element.
from "6.6.2.3. Does element match source list for type and source?" to "6.6.2.1. Is element nonceable?" If so, I can open an issue and PR for it on GitHub. Note that there is an open issue about allowing nonces on other elements, https://github.com/w3c/webappsec-csp/issues/116, without either objections or progress.