Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not add signatures if unsafe-inline is enabled #335

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

fritzmg
Copy link
Contributor

@fritzmg fritzmg commented Jan 22, 2024

Currently signatures are explicitly still added, even if unsafe-inline was already present in the script-src or style-src directive. However, if your application adds a lot of hashes (for style="…" for example) and you decide to instead allow unsafe-inline in general, the hashes are still output in the response header. This might lead to the response header size being too large, if there are a lot of long hashes for example

This PR would automatically not apply any signatures, if unsafe-inline was enabled.

wdyt?

Comment on lines +143 to +145
// Do not add any signatures if 'unsafe-inline' is allowed anyway
} elseif (false !== strpos($value, '\'unsafe-inline\'')) {
$policy[] = $name.' '.$value;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is risky IMO, because if you use signatures then unsafe-inline will be ignored by modern browsers supporting CSP2. It's merely there as a fallback.

Now with your change suddenly having unsafe-inline in an existing config would silently break/remove signatures.

I think the more appropriate way is to disable the hash functionality if you are not interested in outputting hashes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants