Subresource Integrity and CSP strict-dynamic hashes for SSG

[vejja]

Hi @Baroshem

I am planning to propose a PR introducing SRI (sub resource integrity) injection.
This will also allow support of CSP 'strict-dynamic' policy for SSG.
I still have a few things to finalize but I already did the bulk of the work.

Can you please have a look at my wip code at : https://github.com/vejja/nuxt-security ?
It would be very helpful to have your feedback on my fork before issuing the final PR.
Many thanks

[Baroshem]

Hey buddy! This is an amazing feature idea!

I really like it and I totally think this could be part of the module itself.

I looked at the code and in general I have only one comment so far.

I will be releasing quite a big new version in the next few days (1.0.0-rc.1) and there, few things have changed.

Most importantly, I have introduced a new configuration property object called ssg. For now, it includes only the hashScripts boolean property but I think that it could benefit from your functionality (especially that it is aimed for SSG apps). You can check the link below.

It would be a good idea to start your feature request from this branch or from main after wednesday as this will be a new develooment branch.

[Baroshem]

https://github.com/Baroshem/nuxt-security/blob/chore/1.0.0-rc.1/src/types/index.ts

[vejja]

Ok, I will definitely re-fork from rc.1
A couple of comments from my side

1 - On how I designed the SRI feature:

• SRI is available both for SSR and SSG. In both modes the integrity="sha..." elements are injected in the <head> section
• SRI is provided for all scripts and stylesheets that appear in the <head> section
• SRI hashes are injected in all <link> and bare <script> tags
• SRI hashes are not duplicated if they were already present in the tags. This can happen if the user had already provided integrity hashes via the head option in its Nuxt config. Typically when Bootstrap or Tailwind sources from CDN are included in head

2 - On how I designed the CSP complementary feature:

• Basically it's copied from your existing cspSsg nitro plugin
• Hashes are not injected when running in SSR mode, because I believe the nonce approach is much better in the SSR case
• However for SSG, integrity hashes of external scripts are added to the <meta> tag, exactly where your cspSsg plugin already injects the inline script hashes
• This means that only the 'script-src' CSP policy is supported. In other words, stylesheets hashes are not added to the 'style-src' CSP policy. At least in the current version, but I think this is largely sufficient for now.

As a result, I would think
1- that the ssg option in the module config is unnecessary. The module already acts differently whether the user is doing nuxi generate or nuxi build
2- that the nonce option in the module config is also unnecessary. If the 'nonce-{{nonce}}' keyword is present in the 'script-src' entry of the contentSecurityPolicy header option, this means that nonces must be generated.
3- By the way I think we need to fix a security issue in the module itself : If the nonce option is set to true and SSG generation is used, an immutable nonce value is hard-coded into each html page. An attacker could easily extract this value and re-use it.
4- As a result we should IMO enforce the following logic (simple but safe):

• If mode is SSR: use nonces
• If mode is SSG: use hashes

What I'm trying to say, is that it should be the responsibility of the module to handle SSR vs SSG, and it would be preferable not to give the user the possibility to mess up with this via options.
Happy to hear your thoughts

[Baroshem]

Really interesting discovery. I would like to invite @trijpstra-fourlights into this discussion as he was developing nonce and he may have some interesting comments as well :)

Great to see such traffic and cool ideas to improve this project 💚

[trijpstra-fourlights]

Yes, I agree with this.

I thought I did state this in my original PR or even the docs, but I can't seem to find it so I must be mistaken.

The added security when using nonce comes from injecting a non-deterministic value for each request in both the headers as in the actual served html, which the browser can then compare to determine if a resource should be loaded. So using it on SSG makes absolutely no sense from a security perspective.

Thanks a lot for improving this!

Please note that the nonce value is also valid in other csp attributes (i.e. not only script-src) so if you go the implicitly enabled route, you'll have to make sure you test all relevant attributes for it's existence.

Personally I would keep it explicit, as that feels more in line with how the rest of nuxt-security is configured. Or at least deprecate it for a few releases.

On the other hand, the feature is pretty new still so maybe ripping of the bandaid now while it's still relatively fresh is preferable.

[trijpstra-fourlights]

Ah, I only mentioned the nonce and SSG incompatibility in this thread: #178 (comment)

[vejja]

Just want to give a quick update here based on rc1.

The security issue is partially resolved in rc1, because now the nonce option is typed as NonceOptions | false, meaning effectively that it cannot have the value true. So this addresses in some way the issue.

However please note that this is only a TypeScript check based on the type definition. In other words, we are relying on people to follow the instructions of their linter (assuming they did set it up properly). If they don't, the hole is still open.

In order to separate concerns properly, I will make a first PR aiming at improving the TypeScript config in the repo, as we have several type mismatches and imports misconfigured, and I believe it will help spotting these issues.
Best

[Baroshem]

Sounds awesome. Please create this PR.

Depending on when you will do it I will either release it with rc.1 or rc.2 as I want to release Rc.1 on wednesday (during Nuxt Nation 😉)

[vejja]

I'm trying to get my head around pure-SSR/SSR+routes preredenring/pure-SSG/SSG+pre-rendering here.
Can you explain what is the purpose of NonceOptions mode: renew vs mode:check ?

[Baroshem]

@trijpstra-fourlights You will be the best person to answer :)

[trijpstra-fourlights]

If you're serving assets from a nuxt api route, e.g. proxying from external service, you want nitro to not replace the current nonce, but still add it in the header. Because it's a new request from nitros perspective you in these advanced use cases need control over this.

Mode:check does that, where mode: renew (the default) changes the nonce value.

It's in the docs as well, albeit sparsely. As I said it's an advanced use case that most will not need, hence the default value being mode renew for all routes.

[vejja]

Ok I can see the use case now, thanks
Looks like you are extracting the external server's nonce from either event.context or a nonce cookie.
How do you know these variables are set by the external server ?

[trijpstra-fourlights]

No that's not correct. The aforementioned hypothetical external service has nothing to do with the nonce or csp. It's essentially out of our control for the sake of argument. The nonce is set by the nuxt server, and is persisted using a cookie with same site and secure. This allows the `useNonce` composable to access the current nonce value in the frontend and allows nitro to reuse it (again, only in these advanced use cases of mode:check) when applicable. Within the same request, nitro/the nuxt server can access the h3 event context which is a tiny bit quicker than using the cookie. This is how SSR works with Nuxt. It's not applicable for SSG as nonce values add no security benefit in a static context. To better explain (one of the) potential advanced use cases: Imagine an api backend which exposes an endpoint which returns a runtime generated stylesheet which you want to include on your app, while keeping strict csp in place. Using a Nuxt api route to proxy this runtime generated endpoint allows you to do that, while also not exposing the underlying api to the frontend. I use this succesfully in production similarly to this example. Op do 19 okt 2023 10:10 schreef vejja ***@***.***>:

…

Ok I can see the use case now, thanks Looks like you are extracting the external server's nonce from either event.context or a nonce cookie. How do you know these variables are set by the external server ? — Reply to this email directly, view it on GitHub <#241 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A25JEPRVEP45ZPHUTR6P6B3YADOANAVCNFSM6AAAAAA6ALXWFSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TGMRTHAZDC> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[trijpstra-fourlights]

Sure, but let's do it the other way around.

Can you make a stackblitz or similar with the exact set-up where you've verified it's working without mode: check?
I'll be more than happy to look at that then and see where our disconnect is coming from.

Thanks in advance!

[trijpstra-fourlights]

I've checked locally and I think I see where the disconnect is coming from.

First of, you are correct in that using the test case in the playground will not cause CSP error. Furthermore the browser doesn't seem to care about the returned CSP headers for subsequent resources, and only matches it against the original headers. So you're correct in that as well. I was wrong in that and my explanation on the need for mode: check is therefore not correct.

Still, the mode: check is most certainly valid. It's just that this test case doesn't trigger the actual problem.

Let's see if I can explain what's happening:

When disabling the mode: check, take note of the returned header and cookie set for both the initial request / and the api resource /api/generated-script.

As you can see, the api request has a different CSP nonce and has updated the cookie accordingly.

When using mode: check the nonce is the same for both requests.

Now, this is where I was surprised that it's not throwing a CSP error because apparently the browser only cares about the original CSP header being matched to the nonce value.

However, this mode: check is still needed for advance use-cases, as without it the nonce value is changing for each dynamic resource (e.g. /api/generated-script) and subsequent calls to useNonce will in fact have an incorrect nonce value.

For example, when you want to inject resources from javascript at runtime, you'll have to supply the nonce value (using the useNonce composable) otherwise it won't work in a strict CSP. Without mode: check this nonce value will be incorrect because it's overwritten by the call to /api/generated-script.

I'll create a reproduction to show this behavior and so that you can test it as well.
Feel free to do that yourself. I'm done with this.

[vejja]

Well TBH I have higher-level security concerns about this approach.
But before voicing them I do want to understand in detail what we are trying to cover.

[trijpstra-fourlights]

Oh, a cliffhanger. Lovely!

You know what, feel free to submit a PR removing whatever you feel fit. I don't care, it's not my module.

I created the initial nonce implementation, if you feel it's not secure, then be my guest and improve upon it. Or remove it or whatever.

If it breaks my code I'll make sure to create an issue for it.

[vejja]

Ok, I'll write a summary report below for people to reflect and give their feedback

[vejja]

CSP nonce implementation

I wanted to reflect upon the discussion related to the implementation of CSP nonces.
With all due respect for the work that has been done, I do think we need to strengthen this up for a production-grade security module.

In a nutshell, it is currently possible to entirely bypass CSP.

1. Server-side generated CSP nonces are currently transmitted to the browser via cookie
2. The browser can then ask the server to re-use these nonces in a later request
3. This is designed to allow unverified scripts to run in the browser

Security Analysis

• As a general note, it is an anti-pattern to store nonces client-side. Browsers are specifically designed to hide nonces, and should generally never have to extract them.
• In addition, CSP mandates that a server should always regenerate nonces with a cryptographically secure random algorithm. Forcing the server to re-use previously generated nonces is a violation of CSP.
• Transferring nonces via cookies, even with same-site and secure attributes, is a security breach. It is very easy for an attacker to forge a cookie and then force the server to use a forged nonce.
• Moreover, providing a useNonce composable in the frontend is equivalent to give the attacker a ready-to-use attack vector with an easy way to forge nonces server-side.

I do understand the use case where the user needs to generate scripts on the fly. However a strict CSP does not prevent this. CSP only ensures that you have identified the script and have authorized it explicitely via nonce.

In summary, the current implementation does not enforce CSP, but allows to bypass CSP.

Proposed modifications

As a result, I would like to propose the following critical modifications:

1. remove the useNonce composable
2. stop saving nonces in cookies
3. remove all server-side code that reads and uses cookies
4. remove the NonceOptions that allows to bypass random nonce generation

This will allow the module to become CSP-compliant.
Happy to hear your thoughts

[trijpstra-fourlights]

These are pretty strong points and should IMO indeed mandate action if they hold true.

Can you show how an attacker can bypass the CSP in this way?

As far as I can tell, nuxt-security allows the developer to specify a specific mode on a predefined route. This is an explicit action by the developer, which can be used in advanced cases (not relevant for this discussion). I don't see how an attacker can exploit this, but I'm very interested to see how.

Same applies to your claim that it's very easy to forge cookies, and thus to force the server to use a forged nonce. Can you show a POC for this?

Similarly "Moreover, providing a useNonce composable in the frontend is equivalent to give the attacker a ready-to-use attack vector with an easy way to forge nonces server-side." -> can you show us how?

[trijpstra-fourlights]

Additionally I'd like to point out that removing the useNonce composable will severly impact the usage of the nuxt ecosystem with a strict CSP.

Most notably, NuxtImage will not work (see #239), but any module that does injection into the DOM will have a bad time.

Furthermore, similar discussions in for example next.js show the real-world need for accessing the nonce value in the front-end. Various solutions to this problem are suggested, but they essentially all boil down to exposing the nonce value to the front-end in some way.

Interestingly, I think this should not imply a security risk, as accessing this will require the attacker to be able to execute arbitrary code, which is not possible when using a strict CSP.

From a real-world scenario, I have several third-party scripts that I'm required to inject due to business requirements (think analytics, usabila, etc.). These scripts are not static and often change. Without any of the current features in place, there is no way to use a strict CSP and have these scripts working. Thus the only way when removing the mentioned features will be to allow unsafe-inline which in turn is a much bigger security risk than using the explicit opt-in feature of changing the nonce mode for certain routes. Essentially in that way I'm showing the browser that I trust these third party scripts, but I don't know what's in them. The alternative to this would be to use a sha-hash, but that would require me to update the code any time there is a change to these scripts. In most scenarios, that's not a solution.

All in all, I think that nuxt-security should use secure and best-practice defaults, but not limit the developer of overriding these when they see fit. I'm absolutely convinced that how I use this in production is more secure than not using a strict CSP.

Finally it should be noted that using a strict CSP is not a final solution, and only one of the many best-practices that should be used as a line of defense against attackers.

That being said, I have a bad taste from this whole discussion and I"m refraining from adding to it anymore.
@Baroshem I trust that whatever you decide will be for the benefit of the module and it's users.

[Baroshem]

Guys, I really dont like where this discussion went.

We started from sharing opinions about this topic to a point where we are trying to convince each other that the other person is wrong.

And this is the last thing that I would like to see here as I really value how both of you have contributed to this discussion and the module in general.

The changes @vejja is proposing are extremely destructive (especially considering the fact that yesterday I have released a version that is supposed to be stable and only include bug fixes not breaking changes). I appreciate your work here Vejja but even from the maintainer perspective I cannot agree to do these changes even if we could all agree that they are necessary. Users are expecting stability right now. I understand your concerns but as @trijpstra-fourlights suggested, it would be useful to see some examples why the current solution is wrong. Since the release of current implementation of nonce, there were several people who have tried it, asked questions and got responses usually from @trijpstra-fourlights (thanks for that!). And not to mention @trijpstra-fourlights himself who is using this solution as he mentioned. So I think that the current solution is not bad.

@vejja is there maybe a way to address your concerns in a form of a documentation section rather than removing functionality that is already there?

I think this solution would be the best right now considering the recent release and this whole discussion.

And finally, please remember that both of you want to make this module better. I am really, really grateful for that. You just have different opinions and ideas and I will do my best to find the common path and let you both contribute in most appriopriate way possible.

[trijpstra-fourlights]

While I don't believe all the arguments made by @vejja hold true, I do believe we should be showing and not telling, i.e. let's work from POCs and move from there.

I'll try to find some time the coming days to show examples on when I believe you'll need the nonce value in the front-end.
If @vejja is willing to take a look at those and show how they can be adapted so that this is not needed, that would be great as well.

Unfortunately, it seems that stackblitz et al. are not suited to actively test this (due do them actively injecting the sandbox in the browser), so we'll have to work from full repo's on GitHub. I'll be sure to update this thread when I've got something to show.

That being said, I do believe that @vejja 's concern about exposing the nonce to the frontend by default has some merit.
The module should allow the developer to at least control if they want to expose the nonce through the cookie.

As that seems to be the major concern by @vejja, I'd like to, in the interest of the upcoming v1.0 release, propose the following:

• add a setting exposeNonceToFrontend (default: false)
• update nonce nitro plugin to only set and read the cookie when this is set
• update the documentation to explain the caveats for exposing the nonce to the frontend
• update useNonce() to log a warning if no cookie is set, link to documentation

@Baroshem would you be willing to change the default behavior for nonce before the v1.0 release?

I'll start work on this PR so that we can at least move forward.

[Baroshem]

The solution proposed by @trijpstra-fourlights is much more in line with what I would like to achieve as a maintainer.

Modifying the existing interface instead of removing functionality is what I would like recommend.

I do believe there is a way to achieve what @vejja is recommending without removing functionality and causinng breaking changes for our users and I think that the solution shown by @trijpstra-fourlights can do this thing.

I am up for doing such changes for the upcoming release candidate versions and eventually the stable 1.0.0 version.

[trijpstra-fourlights]

While working on the proposed PR, I've come to the conclusion that @vejja was completely right in his criticism and analysis and I completely wrong.

My sincere apologies to you @vejja for not exploring your findings more thorough until now.

I've created a PR which implements your proposed fixes. As to impact, I concur with @vejja 's observations that not many people will be using these so-called "advance features".

And if they are, they should be actively resolving them.

PR: #256

[vejja]

Ok, roadmap here looks good to me and I'll contribute as set out.
The bottom line that we have to keep in mind here is simple :
Setting up a nonce deterministically on the server is a breach of CSP
As long as we don't allow this, I'm fine

[vejja]

@trijpstra-fourlights Please do not apologize, you did an absolutely amazing job and you deserve full credit for it.

[vejja]

I do have a POC now with a stackblitz here

Update: You can also now test the POC live on Vercel here: https://nuxt-security-sraffray.vercel.app/

This is based on https://github.com/vejja/nuxt-security/tree/poc/strict-csp-nocookie

The POC shows that you can load external scripts and stylesheets, and inject inline scripts and stylesheets with strict CSP
No cookie or server-side override of the nonce are required

[vejja]

@Baroshem I think that based on this POC we can now close this discussion.
I will submit a PR along the lines of the fix/csp-nonce-cookie branch

[Baroshem]

@vejja ok, I will close it then. Thanks for everything.