Comments (2)
I think we should make this change, but I'm not sure what the impact is on existing JS libraries. We're going to have to coordinate fixing Rails along with the corresponding JS libraries. If someone wants to handle that work, I'd really appreciate it!
While I'm not too sure how this type of attack vector could be exploited or used (I have no working exploit), I think this is dependent on whether the nonce is random per request or not. The W3C Content Security Policy standard says it must be:
Nonces override the other restrictions present in the directive in which they’re delivered. It is critical, then, that they remain unguessable, as bypassing a resource’s policy is otherwise trivial.
If a server delivers a nonce-source expression as part of a policy, the server MUST generate a unique value each time it transmits a policy. The generated value SHOULD be at least 128 bits long (before encoding), and SHOULD be generated via a cryptographically secure random number generator in order to ensure that the value is difficult for an attacker to predict.
Since #43227, the generated app initializers and the Rails guide have recommended using the session identifier so it plays more nicely with caching. To my understanding of the issue: if this advice is followed and the app is vulnerable to XSS, the exfiltrated nonce can be used to bypass the CSP and complete the XSS attack.
Abusing the nonce so that it is not a 'number used once' in this way seems to be using the wrong part of CSP for solving the issue with caching. CSP also allows scripts using hashes. This web.dev article calls hashes out explicitly as the appropriate solution for cached pages.
The proposed fix to prevent exfiltration is called out in the CSP standard (linking to https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes), so that seems to be a good idea regardless of CSP hash support in Rails.
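As an added illustration (not code from the Rails project or from either commenter), the following plain-Ruby script contrasts the two nonce strategies discussed above: a per-request nonce generated as the CSP spec recommends (128 bits from a CSPRNG, fresh on every response) against a session-derived nonce that stays constant for the whole session, and it shows the hash-source alternative the second comment points to for cacheable pages. All helper names are hypothetical; only `SecureRandom`, `Digest` and `Base64` from the Ruby standard library are used.

```ruby
require 'securerandom'
require 'digest'
require 'base64'

# Hypothetical helper: a per-request nonce as the CSP spec recommends.
# 16 random bytes = 128 bits before base64 encoding, regenerated per response.
def per_request_nonce
  SecureRandom.base64(16)
end

# Hypothetical helper modelling the discouraged pattern from the discussion:
# deriving the nonce from the session id, so every response in a session
# carries the same value (and one leak of it is good for the whole session).
def session_nonce(session_id)
  Base64.strict_encode64(Digest::SHA256.digest(session_id))[0, 22]
end

# Build a script-src directive that allows one nonce.
def nonce_policy(nonce)
  "script-src 'nonce-#{nonce}'"
end

# Cache-friendly alternative: a hash source bound to one exact inline script
# body. The header is identical for every visitor, so the page can be cached.
def script_hash_source(script_body)
  "sha256-#{Base64.strict_encode64(Digest::SHA256.digest(script_body))}"
end

def hash_policy(*script_bodies)
  'script-src ' + script_bodies.map { |b| "'#{script_hash_source(b)}'" }.join(' ')
end

# Simulate several responses from one nonce source and report whether the
# same nonce value was ever sent twice (the "number used once" property).
def nonce_reused_across_requests?(nonce_source, requests)
  nonces = Array.new(requests) { nonce_source.call }
  nonces.uniq.length < nonces.length
end

# Would the browser accept this inline script under a hash-based policy?
# A script whose body differs by even one byte gets a different hash and is blocked.
def inline_script_allowed?(policy, script_body)
  policy.include?("'#{script_hash_source(script_body)}'")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample session id; in a real app this comes from the session store.
  sid = 'constructed-session-id-1234'
  puts "session nonce reused over 5 responses:     #{nonce_reused_across_requests?(-> { session_nonce(sid) }, 5)}"
  puts "per-request nonce reused over 5 responses: #{nonce_reused_across_requests?(-> { per_request_nonce }, 5)}"
  puts nonce_policy(per_request_nonce)
  trusted = "console.log('trusted inline script')"
  policy = hash_policy(trusted)
  puts policy
  puts "trusted body allowed:  #{inline_script_allowed?(policy, trusted)}"
  puts "modified body allowed: #{inline_script_allowed?(policy, trusted + ';')}"
end
```

The point of the comparison is the one made in the thread: a nonce tied to the session is no longer unguessable once a single response has been read by injected script, whereas a hash source never needs to be secret at all, so it is the mechanism that fits a cached page.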