The nonce doesn't seem to work anywhere. Currently we cut out everything that could make problems, since of course it should be generated, but now it is just static for testing purposes.
Our content policy is defined in our filter:
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.FilterChain;          // jakarta.servlet.* on Spring Boot 3
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class CSPFilter extends OncePerRequestFilter {
    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        // Fresh 128-bit nonce per response
        SecureRandom random = new SecureRandom();
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String nonce = Base64.getEncoder().encodeToString(nonceBytes);
        nonce = "static"; // fixed value for testing only
        // Directives are separated by ';' (the separator was missing before img-src,
        // so the browser parsed "img-src" as a host source of script-src)
        String policy = "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'; img-src 'self'; object-src 'none';";
        String oldHeader = response.getHeader("Content-Security-Policy");
        if (oldHeader != null) {
            response.setHeader("Content-Security-Policy", oldHeader + " " + policy);
        } else {
            response.setHeader("Content-Security-Policy", policy);
        }
        // Expose the nonce to Thymeleaf templates as ${nonce}
        request.setAttribute("nonce", nonce);
        filterChain.doFilter(request, response);
    }
}
and the html looks like this:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
<head>
    <title>Login to ToDo Roo</title>
    <link th:href="@{/main.css}" rel="stylesheet"/>
</head>
<!-- onload is an inline event handler attribute; a nonce attribute on <body> does not cover it -->
<body nonce="static" class="todoroo-body" onload="test()3">
    <!-- type (not the obsolete language attribute) must name a JavaScript MIME type, otherwise the script is never run -->
    <script type="text/javascript" nonce="static">function test3(){console.log("this should work")}</script>
    <!-- no nonce: blocked by script-src -->
    <script>function test(){console.log("this shouldn't work")}</script>
    <h2 th:nonce="${nonce}" th:text="${nonce}" align="center"></h2>
</body>
</html>
yet all browsers state something like this:
Content-Security-Policy: The page’s settings blocked an event handler (script-src-attr) from being executed because it violates the following directive: “script-src 'self' 'nonce-static' http://img-src 'self'” Source: test()3
Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self' 'nonce-static' http://img-src 'self'”
We tried multiple solutions, even putting the content policy into a meta tag and loading the site by drag and drop into the browser. We tried multiple policy options like "unsafe-hashes" or the like to no avail.
The problem is that you use a script attribute with an inline event handler 'onload="test()3"' (or 'onload="test3()"'). Script attributes are not nonceable elements. You should add this with an event listener instead, or add its hash and 'unsafe-hashes' to script-src.
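An added Python example (not from the question or the answer, and not part of the project) that covers both points raised on this page: it builds the policy with the ';' that the filter's string lacks before img-src, lints a serialized policy for directive names that have slipped into a source list (the `http://img-src 'self'` in the browser message is consistent with exactly that), and computes the `'sha256-…'` hash source for the `'unsafe-hashes'` route the answer mentions. The directive-name set is a constructed subset.

```python
import base64
import hashlib

# Constructed subset of directive names; any of these showing up as a
# *source* is the signature of a missing ';' between two directives.
CSP_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "img-src", "connect-src", "font-src", "object-src",
    "frame-src", "base-uri", "form-action", "frame-ancestors",
}

def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_policy(policy: str) -> list[tuple[str, str]]:
    """Return (directive, token) pairs where a directive name sits in a source list."""
    findings = []
    for name, sources in parse_policy(policy).items():
        findings += [(name, s) for s in sources if s.lower() in CSP_DIRECTIVES]
    return findings

def build_policy(nonce: str) -> str:
    """The filter's policy with the ';' that was missing before img-src."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "img-src 'self'; object-src 'none'")

def hash_source(inline_code: str) -> str:
    """CSP hash source for an inline handler body such as onload="test3()".
    Browsers hash the exact attribute value (UTF-8), so whitespace matters,
    and an event-handler attribute also needs 'unsafe-hashes' in the directive."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def build_hash_policy(nonce: str, handlers: list[str]) -> str:
    """Variant that allows the listed inline handlers via hashes + 'unsafe-hashes'."""
    hashes = " ".join(hash_source(h) for h in handlers)
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}' "
            f"'unsafe-hashes' {hashes}; img-src 'self'; object-src 'none'")
```

Running `lint_policy` over the header the filter currently emits reports `("script-src", "img-src")`, while `build_policy("static")` lints clean.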