Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

webapp meteor/browser-policy can't find a way to set nonce #11031

Open
ivan133 opened this issue Apr 27, 2020 · 3 comments
Open

webapp meteor/browser-policy can't find a way to set nonce #11031

ivan133 opened this issue Apr 27, 2020 · 3 comments

Comments

@ivan133
Copy link

@ivan133 ivan133 commented Apr 27, 2020

This bug report should include:

  • A short, but descriptive title. The title doesn't need "Meteor" in it.
  • The version of Meteor showing the problem.
    I'm using meteor 1.10.1
  • The last version of Meteor where the problem did not occur, if applicable.
    Not sure
  • The operating system you're running Meteor on.
    Ubuntu Linux 18.04
  • The expected behavior.
    I'm setting nonce in CSP using browser-policy like this
import { BrowserPolicy } from 'meteor/browser-policy';
import { Random } from 'meteor/random';
export const nonce = Random.id();
BrowserPolicy.content.allowScriptOrigin(`nonce-${nonce}`);

I expect it to be added as is:
"script-src 'self' nonce-zhmhehgjftfs6cmbx

Is there a way to set it up without http?

  • A simple reproduction!
    (example: A GitHub repository that anyone can clone to observe the problem.)
@ivan133
Copy link
Author

@ivan133 ivan133 commented Apr 28, 2020

If it's a wrong place to submit this issue please guide me where is the best place to submit it.
As far as I understand meteor/browser-policy doesn't have standalone repository and a part of webapp package (https://github.com/meteor/meteor/tree/master/packages/webapp)

@ivan133
Copy link
Author

@ivan133 ivan133 commented Apr 29, 2020

I guess this is the function to blame

var addSourceForDirective = function (directive, src) {
  if (_.contains(_.values(keywords), src)) {
    cspSrcs[directive].push(src);
  } else {
    var toAdd = [];

    //Only add single quotes to CSP2 script digests
    if (/^(sha(256|384|512)-)/i.test(src)) {
      toAdd.push("'" + src + "'");
    } else {
      src = src.toLowerCase();

      // Trim trailing slashes.
      src = src.replace(/\/+$/, '');

      // If there is no protocol, add both http:// and https://.
      if (! /^([a-z0-9.+-]+:)/.test(src)) {
        toAdd.push("http://" + src);
        toAdd.push("https://" + src);
      } else {
        toAdd.push(src);
      }
    }

    _.each(toAdd, function (s) {
      cspSrcs[directive].push(s);
    });
  }
};
@filipenevola
Copy link
Member

@filipenevola filipenevola commented May 21, 2020

Hi @ivan133 are you willing to write a PR to solve this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.