From c0d0c9ada2c7316b724d8b8c3a15a5544a1ada15 Mon Sep 17 00:00:00 2001 From: Ry0taK <49341894+Ry0taK@users.noreply.github.com> Date: Sat, 18 Mar 2023 02:15:36 +0000 Subject: [PATCH 1/2] WIP: Send nonce in CSP --- packages/backend/src/@types/fastify.d.ts | 9 +++++++++ .../backend/src/server/web/ClientServerService.ts | 11 ++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 packages/backend/src/@types/fastify.d.ts diff --git a/packages/backend/src/@types/fastify.d.ts b/packages/backend/src/@types/fastify.d.ts new file mode 100644 index 0000000000..83712cc6b6 --- /dev/null +++ b/packages/backend/src/@types/fastify.d.ts @@ -0,0 +1,9 @@ +import FastifyReply from "fastify"; + +declare module 'fastify' { + interface FastifyReply { + cspNonce: { + script: string + } + } +} diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts index 94679c14ed..e347017960 100644 --- a/packages/backend/src/server/web/ClientServerService.ts +++ b/packages/backend/src/server/web/ClientServerService.ts @@ -1,5 +1,6 @@ import { dirname } from 'node:path'; import { fileURLToPath } from 'node:url'; +import { randomBytes } from 'node:crypto'; import { Inject, Injectable } from '@nestjs/common'; import { createBullBoard } from '@bull-board/api'; import { BullAdapter } from '@bull-board/api/bullAdapter.js'; @@ -174,12 +175,16 @@ export class ClientServerService { reply.header('X-Frame-Options', 'DENY'); // XSSが存在した場合に影響を軽減する - // (script-srcにunsafe-inline等を追加すると意味が無くなるので注意) + // (インラインスクリプトはreply.cspNonce内の値をnonce属性に設定することで使える) + const scriptNonce = randomBytes(16).toString('hex'); + reply.cspNonce = { + script: scriptNonce, + }; const csp = this.config.contentSecurityPolicy ?? 'script-src \'self\' ' + - 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/; ' + + 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/ {scriptNonce}; ' + 'base-uri \'self\'; object-src \'self\'; report-uri /csp-error'; - reply.header('Content-Security-Policy-Report-Only', csp); + reply.header('Content-Security-Policy-Report-Only', csp.replace('{scriptNonce}', `'nonce-${scriptNonce}'`)); done(); }); From c3659a4ca298d852ad638861e7337889d4eeecdf Mon Sep 17 00:00:00 2001 From: Ry0taK <49341894+Ry0taK@users.noreply.github.com> Date: Sat, 18 Mar 2023 02:42:05 +0000 Subject: [PATCH 2/2] Add worker-src --- packages/backend/src/server/web/ClientServerService.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts index e347017960..761cf4ba70 100644 --- a/packages/backend/src/server/web/ClientServerService.ts +++ b/packages/backend/src/server/web/ClientServerService.ts @@ -183,6 +183,7 @@ export class ClientServerService { const csp = this.config.contentSecurityPolicy ?? 'script-src \'self\' ' + 'https://challenges.cloudflare.com https://hcaptcha.com https://*.hcaptcha.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/ {scriptNonce}; ' + + 'worker-src blob: \'self\'; ' + 'base-uri \'self\'; object-src \'self\'; report-uri /csp-error'; reply.header('Content-Security-Policy-Report-Only', csp.replace('{scriptNonce}', `'nonce-${scriptNonce}'`)); done();