'self' and 'none' values lack quotes
DougReeder opened this issue
To reproduce:
Set up Helmet with a CSP:

```js
const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      sandbox: ['allow-scripts', 'allow-forms', 'allow-popups', 'allow-same-origin'],
      defaultSrc: ['self'],
      childSrc: ['none'],
      connectSrc: ['none'],
      baseUri: ['self'],
      frameAncestors: ['none'],
    },
  },
}));
```
Expected result:
All pages have a CSP header with `... default-src 'self'; child-src 'none' ...`
Actual result:
All pages have a CSP header with `... default-src self; child-src none ...`
which are interpreted by Firefox as origins named "self" and "none". Thus, the actual CSP is not what is intended.
In the short term:
You need to quote these values yourself. For example, `defaultSrc: ["'self'"]`.
In the long term:
It seems reasonable that Helmet would do this for you, as it's unlikely that users intend to use self/none as origins. I'll think about whether this is a better API in future versions. Feedback welcome!
Also encountered:
```js
// serviceWorkerHash is assumed to be a Node crypto.Hash (sha256) computed over
// the service worker script; it is defined elsewhere in the application.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      'script-src': [`'self'`, `'sha256-${serviceWorkerHash.digest('base64')}'`]
    }
  }
}))
```
Our current CSP:

```
script-src 'self' 'sha256-dJ+NYptz3LoT6dbm1JzANoJYN4KGvIEG7mmjqsW9l0Q=';default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
```
Of course this will be a semver-major change unless code is added to wrap the values only if no quote is present and only on the fixed values of "self" and "none". What is the use case for not auto-adding quotes to these? I don't understand what is implied here:

> it's unlikely that users intend to use self/none as origins
It's theoretically possible that someone wants to specify `self` or `none` without quotes. They could have configured one of these as an origin (likely some weird company intranet thing) and deliberately want to allow something like `https://self/foo.js`.
However, I think this is so unlikely that Helmet doesn't need to support it. My plan:
- In the current version of Helmet, warn when you try to do this.
- In the next version of Helmet,
  ~~auto-quote "self" and "none"~~ throw when you try to do this.
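The check that the plan above describes, as an added example rather than Helmet's own code: it scans a Helmet-style `directives` object for keyword sources written without their required single quotes (`self`, `none`, and the other quoted keywords, plus bare `sha256-`/`nonce-` values), refuses to build the header if any are found, and shows how a browser's token classification turns an unquoted `self` into a host source. The function names, the keyword list, the `"; "` join style and the minimal middleware are this example's own choices, not Helmet's API.

```javascript
// Added example (not Helmet's code): catch CSP keyword sources that were
// written without their required single quotes before the header is built.

// Keyword sources that the CSP grammar requires to be quoted. Bare tokens such
// as self or none parse as host-sources instead, which is the bug in this issue.
const QUOTED_KEYWORDS = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
  "strict-dynamic", "report-sample", "wasm-unsafe-eval",
]);

// Helmet-style camelCase directive names (defaultSrc) to header form
// (default-src); names that are already dashed pass through unchanged.
function dashify(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Return "directive: value" strings for every value that is a bare keyword or a
// bare nonce-/hash-source and therefore needs quotes. Sandbox tokens such as
// allow-scripts are unquoted by design and are left alone.
function findUnquotedKeywords(directives) {
  const problems = [];
  for (const [name, values] of Object.entries(directives)) {
    for (const value of values) {
      const bareKeyword = QUOTED_KEYWORDS.has(value.toLowerCase());
      const bareHashOrNonce = /^(sha(256|384|512)|nonce)-/i.test(value);
      if (bareKeyword || bareHashOrNonce) {
        problems.push(`${dashify(name)}: ${value}`);
      }
    }
  }
  return problems;
}

// Build the header value, throwing on bare keywords (the "next version"
// behaviour from the plan above). Joining with "; " is this example's choice.
function buildCspHeader(directives) {
  const problems = findUnquotedKeywords(directives);
  if (problems.length > 0) {
    throw new Error(`CSP keyword sources must be quoted: ${problems.join(", ")}`);
  }
  return Object.entries(directives)
    .map(([name, values]) => `${dashify(name)} ${values.join(" ")}`.trim())
    .join("; ");
}

// How a browser reads a header value: tokens wrapped in single quotes are
// keyword/hash/nonce sources; every other token is a scheme or host source.
// An unquoted self therefore lands in "host", exactly as Firefox treated it.
function classifySources(header) {
  const view = {};
  for (const directive of header.split(";")) {
    const [name, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    view[name] = { keyword: [], host: [] };
    for (const token of tokens) {
      (/^'.*'$/.test(token) ? view[name].keyword : view[name].host).push(token);
    }
  }
  return view;
}

// Express-compatible middleware (hypothetical, not helmet()): the header is
// validated and built once at startup, so a bare keyword fails deployment
// rather than silently shipping a weaker policy on every response.
function cspMiddleware(directives) {
  const header = buildCspHeader(directives);
  return (req, res, next) => {
    res.setHeader("Content-Security-Policy", header);
    next();
  };
}
```

With the issue's original input, `findUnquotedKeywords({ defaultSrc: ['self'], childSrc: ['none'] })` reports both values, and `classifySources("default-src self; child-src none")` puts `self` and `none` under `host`, which is the misreading the issue describes.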