Closed Bug 1612923 Opened 4 years ago Closed 4 years ago

CSP sniff nonce and include other javascript

Categories

(Core :: DOM: Security, defect)

Version: 72 Branch
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1374612

People

(Reporter: andrea.serra, Unassigned)

Details

Attachments

(1 file)

Attached file nonce-sniff.tar.gz

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

I have set this CSP:
Content-Security-Policy: "default-src 'self'; script-src 'nonce-r4nd0m'; style-src 'nonce-r4nd0m'"

In this way only scripts with the nonce will be considered valid, and if one of them tries to include a second JavaScript file, it must be blocked. But if we recover the nonce from a script element present in the DOM, we can include a second JavaScript file or more.
The code to sniff a nonce and insert a JS file is:

/* sniff script nonce from DOM */
var scriptNonce = document.getElementsByTagName('script')[0].getAttribute('nonce');

/* init malicious script */
var evilScript = document.createElement('script');
/* set script attributes */
evilScript.src = '/js/evil.js';
evilScript.type = "text/javascript";
/* insert sniffed nonce */
evilScript.setAttribute('nonce', scriptNonce);
/* append malicious script to body */
document.body.appendChild(evilScript);

Actual results:

It is possible to include additional JavaScript files by sniffing the nonce from the DOM, although 'strict-dynamic' has not been specified in the CSP.

Expected results:

The script included through nonce sniffing must be blocked unless 'strict-dynamic' has been specified in the CSP.

I found the same problem in the latest versions of Firefox for Android and iOS.

OS: Unspecified → All
Hardware: Unspecified → All
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core

This is a known problem.

Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

(In reply to Daniel Veditz [:dveditz] from comment #2)
> This is a known problem.

*** This bug has been marked as a duplicate of bug 1374612 ***

I don't think hiding the nonce is a good solution; it would be better to block the inclusion of a script when a CSP is set and 'strict-dynamic' is not specified.
