[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Sat Mar 30 20:35:52 UTC 2019


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
 Reporter:  tomdxw                   |       Owner:  johnbillion
     Type:  enhancement              |      Status:  accepted
 Priority:  normal                   |   Milestone:  5.3
Component:  Security                 |     Version:  4.8
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-refresh  |     Focuses:  javascript
-------------------------------------+--------------------------

Comment (by alinod):

 Replying to [comment:31 jadeddragoon]:
 > Replying to [comment:29 mallorydxw]:
 > > If the server sends `Content-Security-Policy: script-src 'nonce-123abc'`
 > > then the client will only execute scripts if the opening script tag
 > > contains `nonce="123abc"`. This example would be impossible unless the
 > > attacker was able to guess the nonce value.
 >
 > That would be true **''if the JavaScript was not templated via PHP''**.
 > But ''**client-enforced**'' CSP cannot see what's happening in the PHP
 > code on the ''**server**''. I already explained how this works in my last
 > post. By templating JS via PHP, WordPress does and has always provided a
 > means of JS injection. Because templating === injection. This is why
 > WordPress has such a bad reputation for XSS exploits. And you're providing
 > a means to make sure all the templated JS has valid nonces. That means
 > that if someone manages to insert their own code into the templated JS by
 > exploiting poorly formed PHP... **the XSS JS code ''will'' be in a script
 > tag that has a valid nonce**. You're actually **''removing''** the need
 > for the attacker to guess the nonce by adding it for them.
 >
 > Replying to [comment:30 mallorydxw]:
 > > By the way, the proof-of-concept plugin I mentioned in the description
 > > of the report is here now as I changed my github username:
 > > https://gist.github.com/mallorydxw/e2aee45ad5cb2a309c6bd0fc213efb97
 >
 > This would be even worse! With this they don't even have to find
 > templated JS that explicitly requests a nonce nor request one
 > themselves... even existing WordPress XSS exploits can take advantage and
 > future exploits don't have to ask for the nonce specifically.

 I sincerely hope that people are actually listening to @jadeddragoon here.
 The objective here is not to get a good security rating, but just plain
 better security. Automatically flagging all inline JS as safe so that you
 can remove the unsafe-inline is no more secure than having the
 'unsafe-inline' directive. And it is actually worse because it hides the
 vulnerability.

 It's like Volkswagen designing cars that modify their behaviour during
 emission tests to get a clean rating.

 You can't make a system more secure by hiding its weaknesses.
 Furthermore, it removes the incentive for actually addressing the
 underlying problem because they are no longer getting the warnings that
 CSP was designed for.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:32>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
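The point argued in this thread, as an added illustration that is not part of the ticket, its patch, or WordPress core: a CSP nonce vouches for the script element, not for the text inside it, so an auto-nonced template that interpolates data into JavaScript source is no safer than 'unsafe-inline', while a static script that reads JSON-encoded data is. Assumes PHP 7+; `wp_json_encode()` and `esc_attr()` are real WordPress helpers, everything else is plain PHP, and `$title` is a constructed sample value.

```php
<?php
// Added illustration, not WordPress core code. Assumes PHP 7+ and that
// wp_json_encode()/esc_attr() are available (they are WordPress helpers).

// One fresh nonce per response, announced in the policy header.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'nonce-{$nonce}'");

// Constructed untrusted value (think: a post title saved by a contributor).
$title = 'Hello "world" <3';

// VULNERABLE PATTERN: data is pasted into JavaScript source text.
// The browser trusts the whole element because the nonce matches, so any
// characters in $title that alter the JS syntax run as code. The nonce
// was handed to the injected text together with the legitimate script,
// which is exactly the objection raised above.
?>
<script nonce="<?php echo esc_attr($nonce); ?>">
  var title = "<?php echo $title; ?>";
</script>

<?php
// HARDENED PATTERN: the script itself is static. Data reaches it only as
// JSON with the HTML-significant characters (<, >, &, ', ") hex-escaped,
// so no value can close the string, the element, or change the syntax.
// This separation of data from code is what the nonce assumes; the nonce
// does not provide it by itself.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$json  = wp_json_encode(['title' => $title], $flags);
?>
<script nonce="<?php echo esc_attr($nonce); ?>">
  var data  = <?php echo $json; ?>;   // {"title":"Hello \u0022world\u0022 \u003C3"}
  var title = data.title;             // treated as data, never as code
</script>
```

The same separation holds when the script is enqueued rather than inlined: the nonce only answers "may this element run", and the templating discipline decides what the element contains.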
