New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP nonce cached on pages when disabling unsafe-inline #38615
Comments
Hi @Dnd-Coch. Thank you for your report.
Join Magento Community Engineering Slack and ask your questions in #github channel. |
Hi @engcom-November. Thank you for working on this issue.
|
Hello @Dnd-Coch, Thank you for the report and collaboration! This issue is not reproducible in 2.4-develop. Please take a look at the screenshot : Please let us know if we are missing anything. Thank you. |
@engcom-November: you can't test this yet on 2.4-develop, some code which was released in 2.4.7 isn't merged yet into 2.4-develop, you should either test with 2.4.7, or wait until the merge has happened. |
✅ Jira issue https://jira.corp.adobe.com/browse/AC-11805 is successfully created for this GitHub issue. |
✅ Confirmed by @engcom-November. Thank you for verifying the issue. |
❌ You don't have permission to export this issue. |
@magento I am working on this |
I have tested on my local Magento 2.4.7. I modified the method @Dnd-Coch although doing accurately what you told us to seems to resolve the issue, I'd like to understand if this recommendation is just an example amongst others that I may have to discover? The question from now is: is there a way to perform all the use cases to test this change better? |
Hi, I think I have the nonce replaced by the sha256 number: the change is as simple as swapping the nonce generation code for the sha one.
Whilst the csp config is in report mode and the inline javascript is not allowed (see config below), I could see an error in my console once the cache was cleared
Then to remove the error, I have 3 solutions:
The above above consists in leaving the inline javascript as it is and adding the whitelist rule manually. It is convenient for legacy code
|
I put the fix in a separate comment here:
to
|
Hello @digitalrisedorset, Swapping nonce and hash logic won't work because the nonce approach must be used in the checkout page. Actually, nonce takes precedence over hashes for scripts once This could be addressed by adding a configuration to enable nonce usage, something like: <policies>
<storefront_checkout_index_index>
<scripts>
<inline>0</inline>
<event_handlers>1</event_handlers>
<nonce>1</nonce>
</scripts>
</storefront_checkout_index_index>
</policies> This config would be used to conditionally apply nonce logic: if ($tagData->getTag() === 'script'
&& $this->isNonceEnabled(self::$tagMeta[$tagData->getTag()]['id'])
) { The ideal scenario would be to have a switch based on page cacheability instead of a configuration, but I don't know if it is even possible:
|
We have no choice but to use nonces in some cases. For example the Paypal JS SDK requires a nonce or it can't be used with CSP. This is true for several other libraries as well. We are looking into this. |
After some review including the old architecture document from a previous member of my team, I'm not understanding the impact. The nonce is cached but it's not clear how that is impacting anybody. Hackers would need to know what the random nonce will be in order for their malicious script to be cached with the correct nonce. Is there another problem as a result of the cached nonce? |
Thank you both, I have now added the cacheable logic, it starts now to make a lot of sense. The implementation I have come up with was on Magento 2.4.7. I understand we are not ready to add it on develop. Are you able to guide me on the next steps? However, I have added a PR on the develop branch (see #38637). Please let me know if this PR is fine to go or should I close it for now? |
Nonces are intended to be unique per request. Caching a nonce defeats this purpose, as it becomes shared across multiple users on FPC enabled pages. While it's certainly true that exploiting a cached nonce would be much more difficult for hackers compared to no nonce at all, there's still a potential vulnerability. Nonces are designed to be one-time-use values, eliminating the risk of reuse altogether. Having them cached introduces a small window of opportunity for a sophisticated hacker with significant knowledge about the caching mechanism. You may find some technical details in this study. |
I cannot find any information including in that study that shows that caching a unique nonce per-page presents any notable security risk. If something causes the underlying page content to be refreshed (like adding a new script) which invalidates the FPC, a new nonce is generated and cached again. All of the CSP studies I can find talk about not caching them across a session and multiple pages. In fact, in some cases it's required for example a SPA has to have the same none for the entire loaded application. |
In my understanding, some attacks do not necessary need the page content to be refreshed. For example, with DOM-based XSS, the HTTP response of the page itself does not change but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
|
This just explains the principle that the hacker would need some way to inject the payload into the page for other users without causing the FPC to be invalidated. Fundamentally that's true but doesn't explain how that would work in the specific product.
|
There is no automated tests at this time but the fix was added in the 2.4-develop branch and I verified both 2.4.7 and 2.4-develop had this issue. |
Now i get the same CSP error as you guys I expect scripts added from Magento admin to work like in 2.4.6 Upgrading from 2.4.6 to 2.4.7 a website with many vendor module and many tracking script will cause multiple CSP errors in the checkout. A temporary fix can be overriding this file in your custom module
|
Yes, upgrading is going to be difficult but we do not have a choice for this change. This is a new PCI 4 requirement going into effect March of 2025. You will have to comply with this or risk failing the audit moving forward. Please check with your auditor about PCI 4 requirement 6.4.3 for more information. You can change the configuration but to be clear it will be in violation of PCI. Since this thread is turning into a complaint about the feature and not a discussion of the specific issue of nonce caching, I'm going to close this issue unless somebody can raise a clear issue that addresses my points from previous comments. |
@nathanjosiah there is a PR for this requirement. As far as I see it, what you have asked for is part of the PR changes. These discussions did appear to be making noises rather than anything. Can we not just get the PR changes reviewed before we close this issue? |
@nathanjosiah Failing to explain how that would work on the specific product, we simply propose to prevent it from happening. Disabling the FPC was never an option. According to @digitalrisedorset's PR, it seems possible to make sure the page is not cacheable before generating a nonce. If the page is cacheable, hashes are used instead. I don't understand why this issue has been closed, just because a comment was off-topic... |
This is the issue we have. This doesn't work for cases where a nonce is required. PayPal SDK is used on every page and is not possible to use hashes because of how they implemented it. The same is true for several other libraries like Adobe Runtime, Google Tag Manager, Payment Services, and more. Also, we cannot simply use hashes for everything. It causes the header to be too large and it crashes most reasonable implementations of Varnish and also the application itself. We have also had floods of complaints about our header size from the Magento Tags header and that's before the CSP changes which forces hashes. |
Preconditions
etc/config.xml
:Steps to reproduce
etc/config.xml
of a custom moduleContent-Security-Policy-Report-Only
HTTP header of the pageExpected result
unsafe-inline
expression is not present in thescript-src
policyscript-src
policyActual result
unsafe-inline
expression is not present in thescript-src
policyscript-src
policy instead of hashesAs it is mentioned in this architecture document, the nonce approach is incompatible with Magento's page cache.
So the fact that nonce takes precedence over hashes in this method
\Magento\Csp\Helper\InlineUtil::processTag
is a problem for merchants who want to remove theunsafe-inline
expression of their policies to improve overall security.Nonce should be generated only for non-cacheable pages.
Examples
See
\Magento\Csp\Helper\InlineUtil::processTag
method.Proposed solution
No response
Release note
No response
Triage and priority
The text was updated successfully, but these errors were encountered: