"support older browsers" nonce fix #31

Open
strider72 opened this issue Apr 26, 2018 · 5 comments

Comments

@strider72

strider72 commented Apr 26, 2018

Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as well. Of course, this is less secure again.

Firefox and Edge ignore the "unsafe-inline" directive if nonces are also called, so this is fine in those browsers; but... I can't determine if Chrome or newer versions of iOS Safari (10+) do the same. Thus, I'm not positive that just adding unsafe-inline is the correct (safe) fix. Worth investigating though.

@paragonie-scott
Member

paragonie-scott commented Apr 26, 2018

Are these versions of iOS Safari still supported?

(I'm asking because I don't own any Apple products, so I don't have a frame of reference. This could be an "Internet Explorer 11" bug or an "Internet Explorer 5.5" bug and I wouldn't know which.)

@strider72
Author

strider72 commented Apr 27, 2018

Apple seems to come out with a new iOS about every year or so, and the current version is 11 – so iOS 9 certainly isn't new, but not ancient either. Maybe on par with IE 11 or possibly 10.

A lot of people are still on iOS 9 or 10 because certain iPhones and iPads max out at that OS.

I believe it falls within a reasonable “older browsers”. iOS 5 or lower would be analogous to IE 6....

(Edit: more like iOS 1 or 2....)

@strider72
Author

Looked it up. iOS 9 was introduced in September 2015

@strider72
Author

strider72 commented Apr 27, 2018

Okay, I did some testing with an inline, non-nonced Style tag and Script tag. So...
CSP script-src has a nonce set, AND 'unsafe-inline' set to true.
CSP style-src has a nonce set, AND 'unsafe-inline' set to true.

"Pass" means the browser blocked the non-nonced Style and Script. "Fail" means it did not block the non-nonced Style or Script:

  • Firefox 59: PASS
  • Firefox 56: PASS
  • Chrome 66: PASS
  • Edge: PASS
  • Safari 11.1 on Mac (current): PASS
  • Safari on iOS 11 (current): PASS
  • Safari on iOS 10: PASS
  • Safari on iOS 9: FAIL
  • Internet Explorer 11: FAIL

Results:

  1. If your CSP sets default-src to 'none', but style-src or script-src to a nonce, old browsers will fail to run those scripts or styles, because they don't understand nonces and fall back to the default 'none'.
  2. If a browser that does understand CSP nonces has a nonce set AND unsafe-inline set, it ignores the unsafe-inline. (Note: In csp-builder you have to set the unsafe-inline before you set the nonce!) THEREFORE:
  3. To properly support older browsers, when setting nonces you also have to set unsafe-inline.
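A small model of the two browser behaviours this test exercises, added here as an illustration (it is not csp-builder's code): the policy string, the nonce value and the per-browser flags are constructed assumptions keyed to the PASS/FAIL list above.

```javascript
// Added model of the behaviour observed in the thread; not csp-builder's code.
// Browser flags are assumptions keyed to the test results above: modern browsers
// understand 'nonce-...' sources, iOS 9 Safari does not, and IE 11 does not
// enforce the Content-Security-Policy header at all.

// Constructed policy in the shape of the thread's test: nonce AND 'unsafe-inline'.
const NONCE = 'r4nd0mN0nc3';   // constructed sample nonce value
const POLICY =
  `default-src 'none'; script-src 'nonce-${NONCE}' 'unsafe-inline'; style-src 'nonce-${NONCE}' 'unsafe-inline'`;

// Parse a serialized CSP into { directiveName: [sourceExpressions...] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Decide whether an inline <script>/<style> runs under `header` in a browser
// described by { enforcesCsp, understandsNonces }. elementNonce is the
// element's nonce attribute, or null when the element is not nonced.
function inlineAllowed(header, directive, browser, elementNonce) {
  if (!browser.enforcesCsp) return true;          // header ignored entirely
  const directives = parsePolicy(header);
  const sources = directives[directive] || directives['default-src'];
  if (sources === undefined) return true;         // nothing governs this type
  // CSP 1 user agents skip source expressions they do not recognise.
  const seen = browser.understandsNonces
    ? sources
    : sources.filter(s => !/^'nonce-/i.test(s));
  const nonces = seen
    .filter(s => /^'nonce-.+'$/i.test(s))
    .map(s => s.slice("'nonce-".length, -1));
  const unsafeInline = seen.some(s => s.toLowerCase() === "'unsafe-inline'");
  // CSP 2+: once a nonce (or hash) source is present, 'unsafe-inline' is a no-op,
  // so only a correctly nonced element may run.
  if (nonces.length > 0) return elementNonce !== null && nonces.includes(elementNonce);
  return unsafeInline;
}

const MODERN = { enforcesCsp: true, understandsNonces: true };   // Chrome 66, FF 59, iOS 10+
const IOS9   = { enforcesCsp: true, understandsNonces: false };  // CSP without nonce support
const IE11   = { enforcesCsp: false, understandsNonces: false }; // no CSP enforcement
```

Under this model the nonce-plus-'unsafe-inline' policy blocks un-nonced inline content in MODERN but lets it through in IOS9 and IE11, while a nonce-only policy blocks even correctly nonced content in IOS9, matching results 1 to 3 above.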

@Rendez

Rendez commented Feb 25, 2019

Hi, this is very interesting. The CSP evaluator also recommends this approach, so could the unsafe-inline directive be included if a nonce is set and supportOldBrowsers is true?
