phoenixframework / phoenix_live_dashboard

Realtime dashboard with metrics, request logging, plus storage, OS and VM insights


CSP Nonce changes with page updates

lleger opened this issue · comments

Environment

Make sure you are using the latest LiveView and Dashboard versions before continuing.
⚠️ I'm not using the latest because we have not yet upgraded to LiveView 0.16.

  • Elixir version (elixir -v): 1.11.0
  • Phoenix version (mix deps): 1.5.9
  • Phoenix LiveView version (mix deps): 0.15.7
  • Phoenix Dashboard version (mix deps): 0.4.0
  • Operating system: macOS
  • Browsers you attempted to reproduce this bug on (the more the merrier): Safari, Chrome, Firefox

Actual behavior

With CSP nonces configured, I'm still getting a CSP nonce error on page updates. The browser logs this error:

Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

When the page first loads, there is no error. The error only happens when you click to another page. Here are repro steps:

  1. http://localhost:4000/manage/dashboard/os_mon → loads fine
  2. Click "Home" in top nav → styles broken and error logged
  3. Refresh http://localhost:4000/manage/dashboard/home → loads fine

This is most obvious in the progress bars which use inline styles. When the CSP issues happen, the bars are collapsed.

After some debugging I think what's happening is that the page updates are causing new nonces to be created but the browser didn't make a new request, so the CSP header still has the old value. Illustration:

[Screenshot: CleanShot 2021-09-15 at 10 16 49@2x]

Expected behavior

With CSP nonces configured, no CSP errors are generated even across page updates.
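The mechanism described in the report (the CSP header is sent once per full HTTP request, so every inline style or script patched into the document afterwards must carry that same nonce) is what the following plug is built around. This is an added example, not code from the issue or from the phoenix_live_dashboard project; `csp_nonce_assign_key` is the dashboard's documented router option, while the module name, the `:csp_nonce` assign and the `/manage` scope are assumptions.

```elixir
defmodule MyAppWeb.Plugs.CSPNonce do
  @moduledoc """
  Generates exactly one nonce per HTTP request, emits it in the
  Content-Security-Policy header and stores it in conn.assigns so that
  templates and LiveDashboard reuse the same value for every inline
  asset rendered for this document. A nonce minted per live update can
  never match the header the browser already holds, which is the
  "Refused to apply a stylesheet" violation shown above.
  """
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # 24 random bytes, base64url without padding: safe inside an HTML attribute.
    nonce = 24 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)

    conn
    # Same value the dashboard will read via csp_nonce_assign_key.
    |> assign(:csp_nonce, nonce)
    |> put_resp_header(
      "content-security-policy",
      "default-src 'self'; " <>
        "script-src 'self' 'nonce-#{nonce}'; " <>
        "style-src 'self' 'nonce-#{nonce}'"
    )
  end
end

# In the router (assumed layout): the plug runs in the browser pipeline
# and the dashboard is told which assign holds the per-request nonce.
#
#   pipeline :browser do
#     plug :accepts, ["html"]
#     plug :fetch_session
#     plug :protect_from_forgery
#     plug MyAppWeb.Plugs.CSPNonce
#   end
#
#   scope "/manage" do
#     pipe_through :browser
#     live_dashboard "/dashboard", csp_nonce_assign_key: :csp_nonce
#   end
```

A quick check after a live navigation: the `nonce-...` value in the response header from the last full page load and the `nonce` attribute on the patched `<style>` elements must be identical; if they differ, the violation in the report is expected.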

Hi @lleger, please let me know once you upgrade to LiveView, because it changes how redirects across pages work and I think it will have addressed this issue. We also have a mix dev task that runs dev.exs, which has some CSP config for you to try out!

Got it, so CSP is broken in Dashboard 0.4.0 and you don't expect that'll be fixed? (I'm uncertain of our upgrade path to LiveView 0.16 since it seems like a lot of stuff changed.)

@lleger if you send a PR, i can gladly merge it and do a new release, but I wouldn't have time to focus on it.

About v0.16, a lot changed but the breaking changes are very minimal and only relate to changing live_session in your router. Everything else you can migrate at your own pace and take time.

@josevalim Understood, thank you Jose. I'll look at getting us upgraded sooner rather than later and see if that fixes the issue.

Closing this for now. If the issue persists, feel free to ping and report again. :)