
Content-Security-Policy reportURI cannot be relative #52

Open
2 tasks done
1aerostorm opened this issue Dec 12, 2021 · 0 comments

Comments


1aerostorm commented Dec 12, 2021

💬 Bug Report

A summary of the bug

next-secure-headers crashes if you try to use a relative URL in reportURI.

Here you can see that next-secure-headers is using URL for that directive:
https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/content-security-policy.ts#L197
https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/shared/uri-encoder.ts
And it is a bad idea.

Current behavior

Currently it crashes the server on startup:

ready - started server on 0.0.0.0:3000, url: http://localhost:3000
TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:363:5)
    at onParseError (node:internal/url:536:9)
    at new URL (node:internal/url:612:5)
    at encodeStrictURI (/home/my/ui-auth/node_modules/next-secure-headers/lib/rules/shared/uri-encoder.js:4:34)
    at Array.map (<anonymous>)
    at convertReportingDirectiveToString (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:109:62)
    at createContentSecurityPolicyOptionHeaderValue (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:127:9)
    at Object.createContentSecurityPolicyHeader (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:139:19)
    at Object.createHeadersObject (/home/my/***/node_modules/next-secure-headers/lib/index.js:18:23)
    at createSecureHeaders (/home/my/***/node_modules/next-secure-headers/lib/index.js:37:35) {
  input: '/api/csp_violation',
  code: 'ERR_INVALID_URL'
}

To Reproduce

Create the following next.config.mjs

import { createSecureHeaders, } from 'next-secure-headers';

let cspDirectives = {
    defaultSrc: "'self'",
    styleSrc: ["'self'", "https://stackpath.bootstrapcdn.com"],
}; // any directives
cspDirectives.reportURI = '/api/csp_violation';

export default {
    async headers() {
        return [
            {
                source: '/(.*)',
                headers: createSecureHeaders({
                    contentSecurityPolicy: {
                        directives: cspDirectives,
                    },
                    referrerPolicy: 'no-referrer',
                }),
            },
        ];
    },
}

And run yarn run dev.

Expected behavior

No crash.

Helmet allows a relative report-uri in CSP (e.g. /api/csp_violation).

Also, the specification allows such URIs:
https://w3c.github.io/webappsec-csp/#directive-report-uri
https://datatracker.ietf.org/doc/html/rfc3986#section-4.1

Environment

  • This project version(s): v2.2.0
  • Nodejs version: v16.3.0
  • OS: Ubuntu 16.04

  • I've tried to find similar issues
  • I would like to work on a fix 💪🏻
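An added illustration of a report-uri encoder that accepts path-relative endpoints like /api/csp_violation as well as absolute http(s) URLs, while still rejecting values that would corrupt the header. This is hypothetical example code written for this issue, not the next-secure-headers implementation; the function names and the placeholder base origin are assumptions.

```javascript
// Illustrative encoder for CSP report-uri values. Hypothetical code for
// this issue, not the next-secure-headers implementation. It accepts
// absolute http(s) URLs and path-absolute relative references such as
// "/api/csp_violation", and rejects values that would break the header.
// Throwaway origin used only to resolve relative references; never emitted.
const RESOLUTION_BASE = "https://placeholder.invalid";

function isHeaderSafe(value) {
  // ';' and ',' terminate a CSP directive / header; whitespace separates
  // the source list. Any of them in a value would corrupt the policy.
  return !/[\s;,]/.test(value);
}

function encodeReportURI(value) {
  if (typeof value !== "string" || value === "") {
    throw new TypeError("report-uri value must be a non-empty string");
  }
  let encoded;
  if (value.startsWith("/") && !value.startsWith("//")) {
    // Path-absolute reference: resolve against a throwaway base and keep
    // only path, query and fragment, which the parser has percent-encoded.
    const u = new URL(value, RESOLUTION_BASE);
    encoded = u.pathname + u.search + u.hash;
  } else {
    // Anything else must be a full URL; "api/report" (no leading slash) and
    // "//host/report" (scheme-relative) land here and fail on purpose.
    let u;
    try {
      u = new URL(value);
    } catch (_) {
      throw new TypeError(`invalid report-uri value: ${value}`);
    }
    if (u.protocol !== "https:" && u.protocol !== "http:") {
      throw new TypeError(`unsupported report-uri scheme: ${u.protocol}`);
    }
    encoded = u.href;
  }
  if (!isHeaderSafe(encoded)) {
    throw new TypeError(`report-uri value is not header-safe: ${value}`);
  }
  return encoded;
}

// Builds the directive from one value or a list, as a CSP builder would.
function reportURIDirective(values) {
  const list = Array.isArray(values) ? values : [values];
  return `report-uri ${list.map(encodeReportURI).join(" ")}`;
}
```

With the config from this issue, reportURIDirective('/api/csp_violation') yields "report-uri /api/csp_violation" instead of throwing ERR_INVALID_URL.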