Fossil SCM
Added bullet list detailing the sources for <script nonce=""> from a Fossil server and the reasons we consider each path safe.
Commit
91377ae432ed02fae89428a03e3589d40cb5bc1ab333a22f927d052399d91da2
Parent
092eeebf40d66bf…
1 file changed
+42
-16
| --- www/defcsp.md | ||
| +++ www/defcsp.md | ||
| @@ -140,22 +140,49 @@ | ||
| 140 | 140 | individual pages. |
| 141 | 141 | |
| 142 | 142 | |
| 143 | 143 | ### <a name="script"></a> script-src 'self' 'nonce-%s' |
| 144 | 144 | |
| 145 | -This policy disables in-line javascript and only allows `<script>` | |
| 146 | -elements if the `<script>` includes a `nonce=` attribute the | |
| 147 | -matches the %s section of the CSP. Fossil provides a different | |
| 148 | -random nonce for every page it generates, and since an attacker has | |
| 149 | -no way of predicting what that nonce will be, the attacker is unable | |
| 150 | -to inject working javascript. | |
| 151 | - | |
| 152 | -For documents generated by the [CGI extensions][ext], the | |
| 153 | -value of the nonce is accessible in the FOSSIL_NONCE environment variable. | |
| 154 | -TH1 scripts that run while generating the header or footer can access | |
| 155 | -the nonce in the $nonce variable. The JavaScript section of a | |
| 156 | -[custom skin][cs] automatically includes the appropriate nonce. | |
| 145 | +This policy disables in-line JavaScript and only allows `<script>` | |
| 146 | +elements if the `<script>` includes a `nonce` attribute that matches the | |
| 147 | +one declared by the CSP. That nonce is a large random number, unique for | |
| 148 | +each HTTP page generated by Fossil, so an attacker cannot guess the | |
| 149 | +value, so the browser will ignore an attacker’s injected JavaScript. | |
| 150 | + | |
| 151 | +That nonce can only come from one of three sources, all of which should | |
| 152 | +be protected at the system administration level on the Fossil server: | |
| 153 | + | |
| 154 | +* **Fossil server C code:** All code paths in Fossil that emit | |
| 155 | + `<script>` elements include the `nonce` attribute. There are several | |
| 156 | + cases, such as the “JavaScript” section of a [custom skin][cs]. | |
| 157 | + That text is currently inserted into each HTML page generated by | |
| 158 | + Fossil,¹ which means it needs to include a `nonce` attribute to | |
| 159 | + allow it to run under this default CSP. We consider JavaScript | |
| 160 | + emitted via these paths to be safe because it’s audited by the | |
| 161 | + Fossil developers. We assume that you got your Fossil server’s code | |
| 162 | + from a trustworthy source and that an attacker cannot replace your | |
| 163 | + Fossil server binary. | |
| 164 | + | |
| 165 | +* **TH1 code:** The Fossil TH1 interpreter pre-defines the [`$nonce` | |
| 166 | + variable](./th1.md#nonce) for use in [custom skins][cs]. For | |
| 167 | + example, some of the stock skins that ship with Fossil include a | |
| 168 | + wall clock feature up in the corner that updates once a minute. | |
| 169 | + These paths are safe in the default Fossil configuration because | |
| 170 | + only the [all-powerful Setup user][su] can write TH1 code that | |
| 171 | + executes in the server’s running context. | |
| 172 | + | |
| 173 | + There is, however, [a default-disabled path](#xss) to beware of, | |
| 174 | + covered in the next section. | |
| 175 | + | |
| 176 | +* **[CGI server extensions][ext]:** Fossil exports the nonce to the | |
| 177 | + CGI in the `FOSSIL_NONCE` environment variable, which it can then | |
| 178 | + use in `<script>` elements it generates. Because these extensions | |
| 179 | + can only be installed by the Fossil server’s system administrator, | |
| 180 | + this path is also considered safe. | |
| 181 | + | |
| 182 | +[su]: ./admin-v-setup.md | |
| 183 | + | |
| 157 | 184 | |
| 158 | 185 | #### <a name="xss"></a>Cross-Site Scripting via Ordinary User Capabilities |
| 159 | 186 | |
| 160 | 187 | We’re so restrictive about how we treat JavaScript because it can lead |
| 161 | 188 | to difficult-to-avoid scripting attacks. If we used the same CSP for |
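Review bot: the first bullet's safety rationale doesn't fit its own example. It files the "JavaScript" section of a custom skin under "Fossil server C code" and calls that JavaScript safe "because it's audited by the Fossil developers", but the skin text is written by whoever edits the skin, not by the Fossil developers; the C code only wraps it in a `<script>` element carrying the nonce. The argument that actually protects it is the one the TH1 bullet makes (only the Setup user can write it), so consider moving the custom-skin example to the TH1 bullet, or rewording the first bullet to say that Fossil's C code attaches the nonce only to script content an administrator has already chosen to ship. Two smaller points: `the value, so the browser will ignore` repeats "so" from the preceding clause (suggest "and so"), and the `[su]: ./admin-v-setup.md` definition would sit more naturally with the other link definitions at the end of the file than in the middle of this section.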
| @@ -286,13 +313,13 @@ | ||
| 286 | 313 | ------------ |
| 287 | 314 | |
| 288 | 315 | |
| 289 | 316 | **Asides and Digressions:** |
| 290 | 317 | |
| 291 | -1. There is actually a third context that can correctly insert this | |
| 292 | - nonce attribute: [a CGI server extension][ext], by use of | |
| 293 | - the `FOSSIL_NONCE` variable sent to the CGI by Fossil. | |
| 318 | +1. Fossil might someday switch to serving the “JavaScript” section of a | |
| 319 | + custom skin as a virtual text file, allowing it to be cached by the | |
| 320 | + browser, reducing page load times. | |
| 294 | 321 | |
| 295 | 322 | 2. The stock Bootstrap skin does actually include a `<head>` tag, but |
| 296 | 323 | from Fossil 2.7 through Fossil 2.9, it just repeated the same CSP |
| 297 | 324 | text that Fossil’s C code inserts into the HTML header for all other |
| 298 | 325 | stock skins. With Fossil 2.10, the stock Bootstrap skin uses |
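Review bot: the new aside 1 explains the caching benefit but not why that possible change belongs in a section about the nonce, which is what the ¹ marker on the first bullet is hanging on. A skin's JavaScript served as a separate same-origin file would be permitted by the `'self'` part of `script-src 'self' 'nonce-%s'` and would no longer need a `nonce` attribute at all; adding that sentence would make clear that it is the current in-page insertion which forces the nonce. Also note the body uses a superscript ¹ while the aside is a `1.` list item; fine if that is the file's existing convention, but worth a glance.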
| @@ -301,6 +328,5 @@ | ||
| 301 | 328 | |
| 302 | 329 | [cs]: ./customskin.md |
| 303 | 330 | [csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP |
| 304 | 331 | [de]: https://dopiaza.org/tools/datauri/index.php |
| 305 | 332 | [xss]: https://en.wikipedia.org/wiki/Cross-site_scripting |
| 306 | -[xssci]: https://fossil-scm.org/forum/forumpost/e7c386b21f | |
| 307 | 333 |
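Review bot: dropping the `[xssci]` link definition is only safe if nothing in the body still references it. The old aside 1 that this commit replaces does not use `[xssci]`, and the hunk context shows no other user, but the rest of the file is not visible here, so a search of www/defcsp.md for `[xssci]` before committing would confirm there is no now-dangling reference; if one remains, keep the definition.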