helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page:https://helmetjs.github.io/


'self' and 'none' values lack quotes

DougReeder opened this issue · comments

To reproduce:

Set helmet with a CSP:

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      sandbox: ['allow-scripts', 'allow-forms', 'allow-popups', 'allow-same-origin'],
      defaultSrc: ['self'],
      childSrc: ['none'],
      connectSrc: ['none'],
      baseUri: ['self'],
      frameAncestors: ['none'],
    },
  },
}));

Expected result:

All pages have CSP header with ... default-src 'self'; child-src 'none'...

Actual result:

All pages have CSP header with ... default-src self; child-src none...
which are interpreted by Firefox as origins named "self" and "none". Thus, the actual CSP is not what is intended.

In the short term:

You need to quote these values yourself. For example, defaultSrc: ["'self'"].

In the long term:

It seems reasonable that Helmet would do this for you, as it's unlikely that users intend to use self/none as origins. I'll think about whether this is a better API in future versions. Feedback welcome!

Also encountered:

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      'script-src': [`'self'`, `'sha256-${serviceWorkerHash.digest('base64')}'`]
    }
  }
}))

Our current CSP:

script-src  'self'  'sha256-dJ+NYptz3LoT6dbm1JzANoJYN4KGvIEG7mmjqsW9l0Q=';default-src  'self';base-uri 'self';font-src 'self' https: data:;form-action  'self';frame-ancestors 'self';img-src 'self' data:;object-src  'none';script-src-attr 'none';style-src 'self' https:  'unsafe-inline';upgrade-insecure-requests

Of course this will be a semver-major change unless code is added to wrap the values only if no quote is present and only on the fixed values of "self" and "none". What is the use case for not auto-adding quotes to these? I don't understand what is implied here:

it's unlikely that users intend to use self/none as origins

It's theoretically possible that someone wants to specify self or none without quotes. They could have configured one of these as an origin (likely some weird company intranet thing) and deliberately want to allow something like https://self/foo.js.

However, I think this is so unlikely that Helmet doesn't need to support it. My plan:

  • In the current version of Helmet, warn when you try to do this.
  • In the next version of Helmet, auto-quote "self" and "none" throw when you try to do this.

This was done in Helmet v7 (the current version) in 6475da1, and for Helmet v8 (the next version) in 7b94a6c.
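The following is an added example, not Helmet's own code and not from any commit referenced above. It reproduces the serializer behaviour the issue reports (bare `self`/`none` emitted as host names), shows the auto-quoting the maintainer describes for the "short term / long term" reply and the v7/v8 plan, and adds a checker you can run over an emitted header (such as the one pasted in the "Also encountered" comment) to detect bare keyword or hash sources. All names (`serializeCsp`, `quoteSource`, `findBareSources`, `CSP_KEYWORDS`) are this example's own, and the directive set is the one from the issue's reproduction.

```javascript
// Added example (not Helmet's code): minimal CSP serializer with the
// auto-quoting fix discussed in this issue, plus a header checker.

// CSP keyword-sources that only have meaning when single-quoted. Written bare,
// a browser treats them as host names (the bug reported in this issue).
const CSP_KEYWORDS = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
  "unsafe-hashes", "report-sample", "wasm-unsafe-eval",
]);

// Hash- and nonce-sources also need quotes: sha256-..., nonce-...
const HASH_OR_NONCE = /^(sha256|sha384|sha512|nonce)-/i;

// camelCase directive names (defaultSrc) -> header form (default-src).
function dashify(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

function isQuoted(value) {
  return value.length >= 2 && value.startsWith("'") && value.endsWith("'");
}

// True when a bare token would change meaning without quotes. The match is
// on the whole token, so a deliberate URL host like https://self/foo.js
// (the edge case the maintainer mentions) is left alone.
function needsQuotes(value) {
  return !isQuoted(value) &&
    (CSP_KEYWORDS.has(value.toLowerCase()) || HASH_OR_NONCE.test(value));
}

// Quote a bare keyword/hash/nonce source; return anything else untouched.
function quoteSource(value) {
  return needsQuotes(value) ? `'${value}'` : value;
}

// Serialize a directives object to a header string.
// autoQuote=false reproduces the reported behaviour: ['self'] -> "default-src self".
// autoQuote=true is the fix the maintainer planned: ['self'] -> "default-src 'self'".
function serializeCsp(directives, { autoQuote = true } = {}) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const sources = autoQuote ? values.map(quoteSource) : values;
      return [dashify(name), ...sources].join(" ");
    })
    .join(";");
}

// Defender-side check: scan an emitted CSP header and report every source
// token that would be interpreted as a host instead of a keyword/hash.
// Returns [{ directive, value }].
function findBareSources(header) {
  const findings = [];
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    for (const value of sources) {
      if (needsQuotes(value)) findings.push({ directive, value });
    }
  }
  return findings;
}

// The directives from the issue's reproduction, written the way the
// reporter wrote them (no quotes inside the strings).
const ISSUE_DIRECTIVES = {
  sandbox: ["allow-scripts", "allow-forms", "allow-popups", "allow-same-origin"],
  defaultSrc: ["self"],
  childSrc: ["none"],
  connectSrc: ["none"],
  baseUri: ["self"],
  frameAncestors: ["none"],
};

// Stand-alone demo.
const buggy = serializeCsp(ISSUE_DIRECTIVES, { autoQuote: false });
const fixed = serializeCsp(ISSUE_DIRECTIVES);
console.log("without auto-quoting:", buggy);
console.log("bare sources found  :", findBareSources(buggy).length);
console.log("with auto-quoting   :", fixed);
console.log("bare sources found  :", findBareSources(fixed).length);
```

Running `findBareSources` against the header pasted in the "Also encountered" comment reports nothing, because every keyword and the `sha256-...` source there are already quoted; running it against the unquoted output reports five findings, one per `self`/`none` token.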