ajoo, posted March 23, 2017:

Hi all! My code works fine in XAMPP but porting to a VM and running it there gave rise to some CSP related errors. I resolved those related to my PHP files but the following two are being given off by recaptcha__en.js.

recaptcha__en.js:163 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-Abcdefgh+ijklmno1234567klmnhoprsto='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

recaptcha__en.js:362 [Report Only] Refused to frame 'https://www.google.com/recaptcha/api2/anchor?k=6BenismorethanlesswasMorethanBenzzzzzzZ…Znxnxnxnxnxnxnnxnxnxnxnx&hl=en&v=r201600223344&size=normal&cb=7nmxm3456sd4gnh' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Besides, the reCAPTCHA displays: ERROR for site owner: Invalid domain for site key

How may I resolve these? Surprisingly, I still do not get even a single CSP error in XAMPP. Same code. Thanks all!

Thread: https://forums.phpfreaks.com/topic/303519-csp-resurfaces/
Jacques1, posted March 24, 2017 (marked as solution):

ajoo wrote: Surprisingly, I still do not get even a single CSP error in XAMPP. Same code.

I doubt that. The first two errors have nothing to do with VMs, they're simply the consequence of not whitelisting the reCAPTCHA inline styles and frame as explained in the documentation. You actually have no frame-src or style-src at all.

The last error comes from the fact that the application in the VM runs under a different domain. You need to add that domain to your site key.
ajoo, posted March 29, 2017:

Hi Guru Jacques!! Thanks for the reply, I'll make the changes and revert. Amazing that I could not find the same page that you have provided a link to! Thanks loads!
ajoo, posted April 10, 2017:

Hi Guru Jacques, I have added the nonce as follows:

header("Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'nonce-$nonce'; script-src 'self' https://...");

and in the script as

<script nonce="$nonce" src="https://www.google.com/recaptcha/api.js"></script>

and I get almost 8 instances of this error below:

recaptcha__en.js:122 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-bc36fe9e946f09c4e2fe149ee17a0619'". Either the 'unsafe-inline' keyword, a hash ('sha256-MammJ3J+TGIHdHxYsGLjD6DzRU0ZmxXKZ2DvTePAF0o='), or a nonce ('nonce-...') is required to enable inline execution.

I don't know what I am doing wrong or what the problem is now. Please help. Thanks loads!
Jacques1, posted April 10, 2017:

Are you sure you're actually inserting the variable $nonce into the nonce attribute rather than a literal dollar sign followed by the word "nonce"? Have you checked the resulting page source in the browser?

The only way your <script> code snippet could make sense is if it's in a heredoc. And I doubt that. I would expect something like

<!-- in an HTML context -->
<script src="..." nonce="<?= html_escape($nonce) ?>"></script>

or

// in a PHP context
echo '<script src="..." nonce="'.html_escape($nonce).'"></script>';
ajoo, posted April 11, 2017:

Of course you are right!! The nonce was blank when I checked. I checked all else except the nonce value since I wrongly assumed that it would be generated correctly! However, even with that rectified, the output still gives those same errors. Besides, it also gives some errors due to frame-src (were present earlier as well) as can be seen in the attached pic. Please point out where I am erring now? Thanks loads!!

P.S. I would also like to ask if I should also use the html_escape function on the $nonce value in the CSP header?! Thanks!
ajoo, posted April 11, 2017 (edited April 11, 2017 by ajoo):

Hi! Another question. I read that frame-src is deprecated. What should be used in its place, as reCAPTCHA uses and generates frames somewhere in its code library? Thanks.
Jacques1, posted April 11, 2017:

The errors come from the fact that you still haven't whitelisted the frames and inline styles as I said in #2.

frame-src is not deprecated. It was shortly replaced with child-src in CSP Level 2, but CSP Level 3 has reverted this change.

ajoo wrote: P.S. I would also like to ask if I should also use the html_escape function on the $nonce value in the CSP header?!

An HTTP header is not HTML, so HTML-escaping won't help. You have to perform escaping/validation for the specific context, in this case a nonce source. Nonce sources are supposed to be Base64-encoded, so an appropriate check would be

const BASE64_PATTERN = '~\\A[a-z\\d+/_-]+={0,2}\\z~i';

if (!preg_match(BASE64_PATTERN, $nonce))
{
    // error
    exit;
}

However, if the code for generating the nonce actually uses Base64-encoding and is close to the header() call, you don't need the extra validation.
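An added example, not code from the thread, that puts posts #5 and #8 together in one place. The thread's own code is PHP; Python stands in here so the pieces can be run side by side: a per-response nonce from a CSPRNG (the counterpart of random_bytes() plus base64_encode()), the Base64 check from post #8 applied before the value reaches the header, and the HTML-escaped tag from post #5 (html.escape in place of the hypothetical html_escape()). The reCAPTCHA hosts come from the policy ajoo posts later in the thread; the relative report path and the report-only header name are assumptions. The nonce goes into script-src only: a nonce listed in style-src makes browsers ignore 'unsafe-inline' in that same directive, and reCAPTCHA's injected styles cannot carry your nonce, so pages that embed it keep 'unsafe-inline' for styles while every other page keeps the strict list.

```python
import base64
import html
import re
import secrets

# The Base64 check from post #8: standard or URL-safe alphabet, optional padding.
BASE64_PATTERN = re.compile(r"\A[a-z\d+/_-]+={0,2}\Z", re.IGNORECASE)

# reCAPTCHA hosts as listed in the thread's later policy; the report path is assumed.
RECAPTCHA_SCRIPT_HOSTS = "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/"
RECAPTCHA_FRAME_HOST = "https://www.google.com/recaptcha/"
REPORT_URI = "/reports/reportcspviolation.php"


def generate_nonce(num_bytes: int = 16) -> str:
    """A fresh nonce for every response: 128 random bits from the OS CSPRNG,
    Base64-encoded so it satisfies BASE64_PATTERN by construction."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def validate_nonce(nonce: str) -> str:
    """Context-specific validation for the header (post #8): the value must be
    Base64, so the blank nonce from post #6 and anything carrying quotes, spaces
    or semicolons is rejected before it can reshape the policy."""
    if not isinstance(nonce, str) or not BASE64_PATTERN.match(nonce):
        raise ValueError(f"invalid CSP nonce: {nonce!r}")
    return nonce


def build_policy(nonce: str, recaptcha_page: bool) -> str:
    """The header value, i.e. the string PHP's header() call would send."""
    nonce = validate_nonce(nonce)
    # The nonce is kept out of style-src: a nonce there makes the browser ignore
    # 'unsafe-inline', which reCAPTCHA's own inline styles depend on. Only pages
    # that embed the widget relax style-src; all other pages stay strict.
    style_src = "'self' 'unsafe-inline'" if recaptcha_page else "'self'"
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}' {RECAPTCHA_SCRIPT_HOSTS}",
        f"style-src {style_src}",
        f"frame-src {RECAPTCHA_FRAME_HOST}",
        f"report-uri {REPORT_URI}",
    ]
    return "; ".join(directives)


def script_tag(src: str, nonce: str) -> str:
    """HTML context: the real nonce value is interpolated (not the literal text
    "$nonce") and HTML-escaped, the equivalent of post #5's html_escape($nonce)."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'nonce="{html.escape(nonce, quote=True)}"></script>')


def render_response(recaptcha_page: bool = True) -> tuple:
    """One response: the same nonce must land in the header and in the tag.
    Returns (header_name, header_value, script_tag)."""
    nonce = generate_nonce()
    header_name = "Content-Security-Policy-Report-Only"  # switch to enforcing once reports are clean
    tag = script_tag("https://www.google.com/recaptcha/api.js", nonce)
    return header_name, build_policy(nonce, recaptcha_page), tag


if __name__ == "__main__":
    name, value, tag = render_response()
    print(f"{name}: {value}")
    print(tag)
```

Generate the nonce once per request and pass the same variable to both functions; if the two values ever differ (a template that reads a different variable, or an empty one as in post #6), every nonced script is refused even though the header looks right.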
ajoo, posted April 12, 2017:

hmmm, white-listing has removed the frame-src error but it still does not get rid of this error below:

[Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-51a7d1bf9eb428b150725657a1533119' 'unsafe-inline'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Here's the CSP header in case I am still making a mistake in it:

header("Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'nonce-$nonce' 'unsafe-inline'; frame-src https://www.google.com/recaptcha/; script-src 'self' https://www.google.com/recaptcha/ https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/ https://www.gstatic.com/recaptcha/; report-uri https://franchisee/reports/reportcspviolation.php");

Thanks loads!
ajoo, posted April 12, 2017 (edited April 12, 2017 by ajoo):

Hi! Could this be just a Chrome specific issue, as suggested by the replies to similar questions in the links below?

https://groups.google.com/forum/#!topic/recaptcha/g7u3dSRnheQ
http://stack1.ocim.top/39853162/recaptcha-with-content-security-policy.html

I do not get the errors in Firefox which, instead, reports a warning, I guess, as follows:

Content Security Policy: Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead.

Thanks!
ajoo, posted April 13, 2017:

Hi Guru Jacques, any further inputs on this? Are my observations correct? Am I still erring somewhere? If not, then how to deal with errors on Chrome? Await your response, thanks loads!
Jacques1, posted April 14, 2017:

Your CSP rules don't make sense. Just copy and paste the three lines from the Google documentation. It's really that simple. If you like nonces, then use the nonce as the script-src, nothing else. You cannot simultaneously allow unsafe styles and disallow them through a nonce source.
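To make post #12's point concrete, here is an added example (not from the thread, and not browser code) written in Python: a small evaluator of the CSP rules behind every console message quoted in this thread, namely directive fallback (style-src and frame-src fall back to default-src, with frame-src passing through child-src on the way, as CSP Level 3 specifies and post #8 mentions), host-source matching, and the rule that 'unsafe-inline' is ignored whenever a nonce or hash is present in the same source list. The policies it checks are copied from posts #1 and #9; the page origin https://franchisee (the report-uri host) and the anchor frame URL with its query string dropped are constructed inputs. Host matching covers the subset of the spec these cases need (no redirect handling, no 'strict-dynamic').

```python
from urllib.parse import urlsplit

# CSP Level 3 fallback chains: an absent directive is governed by the next one
# in its chain that the policy defines. frame-src falls back to child-src (its
# short-lived CSP2 replacement) before default-src.
FALLBACKS = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: policies copied from posts #1 and #9; the origin is
# assumed and the real anchor URL's query string is dropped.
PAGE_ORIGIN = "https://franchisee"
ANCHOR_FRAME = "https://www.google.com/recaptcha/api2/anchor"
POST1_POLICY = "default-src 'self'"
POST9_POLICY = (
    "default-src 'self'; style-src 'self' 'nonce-51a7d1bf9eb428b150725657a1533119' 'unsafe-inline'; "
    "frame-src https://www.google.com/recaptcha/; script-src 'self' https://www.google.com/recaptcha/ "
    "https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/ https://www.gstatic.com/recaptcha/"
)
FINAL_POLICY = POST9_POLICY.replace(" 'nonce-51a7d1bf9eb428b150725657a1533119'", "")  # nonce dropped, as in post #13


def parse_policy(header_value: str) -> dict:
    """{directive: [sources]}; a repeated directive name keeps its first occurrence."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing(policy: dict, directive: str):
    """(name, sources) of the directive that applies to this fetch, or None
    when the policy says nothing about it (then it is allowed)."""
    for name in [directive, *FALLBACKS.get(directive, ["default-src"])]:
        if name in policy:
            return name, policy[name]
    return None


def inline_allowed(policy: dict, directive: str, nonce: str = None) -> tuple:
    """Inline <style>/<script> blocks. 'unsafe-inline' is ignored as soon as any
    nonce or hash source is listed: the Chrome message quoted in post #9."""
    found = governing(policy, directive)
    if found is None:
        return True, "no applicable directive"
    name, sources = found
    keywords = {s.lower() for s in sources if s.startswith("'")}
    has_nonce_or_hash = any(k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords)
    if nonce is not None and f"'nonce-{nonce}'" in sources:  # nonces are case-sensitive
        return True, f"nonce matched in {name}"
    if "'unsafe-inline'" in keywords:
        if has_nonce_or_hash:
            return False, f"'unsafe-inline' in {name} is ignored because a nonce or hash is present"
        return True, f"'unsafe-inline' in {name}"
    return False, f"refused by {name}: {' '.join(sources)}"


def _host_matches(source: str, url: str, page_origin: str) -> bool:
    """Host-source matching: scheme (http also covers https), host with an optional
    leading wildcard, explicit port, and path (prefix match if it ends with '/')."""
    if source == "'self'":
        source = page_origin
    elif source.startswith("'"):
        return False  # keyword, nonce and hash sources never match a URL
    if source == "*":
        return True
    if "://" not in source:
        source = urlsplit(page_origin).scheme + "://" + source
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme != tgt.scheme and not (src.scheme == "http" and tgt.scheme == "https"):
        return False
    if src.hostname.startswith("*."):
        if not tgt.hostname.endswith(src.hostname[1:]):
            return False
    elif src.hostname != tgt.hostname:
        return False
    if src.port is not None and src.port != (tgt.port or DEFAULT_PORTS.get(tgt.scheme)):
        return False
    if not src.path:
        return True
    return tgt.path.startswith(src.path) if src.path.endswith("/") else tgt.path == src.path


def fetch_allowed(policy: dict, directive: str, url: str, page_origin: str) -> tuple:
    """External resource (frame, script file, ...) against its governing directive."""
    found = governing(policy, directive)
    if found is None:
        return True, "no applicable directive"
    name, sources = found
    for source in sources:
        if _host_matches(source, url, page_origin):
            return True, f"{url} matched {source} in {name}"
    return False, f"refused to load {url}: {name} {' '.join(sources)}"
```

Run against the post #1 policy it refuses both the inline style and the anchor frame through the default-src fallback; against the post #9 policy the frame is allowed but inline styles are still refused, with the reason that 'unsafe-inline' is ignored; against the post #13 policy (nonce removed) inline styles pass. That is the exact sequence of console messages ajoo reports, reproduced without a browser.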
ajoo, posted April 14, 2017:

Hi Guru Jacques, thanks for the reply. 'unsafe-inline' gets rid of the errors in Chrome. The warning in Firefox will probably be removed soon, or maybe my version needs an upgrade. The only question that still remains in my mind is how safe 'unsafe-inline' is in style-src. Is it there simply to suppress the errors that it appears to remove, or is it actually safe, contrary to its name?

Jacques1 wrote: If you like nonces, then use the nonce as the script-src, nothing else.

I have removed the nonce. I thought the nonce was needed in style-src since the generated errors were errors due to style-src and frame-src, and the frame-src one was removed by an allowed URL. Thanks loads!
Jacques1, posted April 14, 2017:

ajoo wrote: The warning in Firefox will probably be removed soon, or maybe my version needs an upgrade.

Like I said, the deprecation warning is irrelevant. CSP is a fairly new feature which is constantly being improved, and browser vendors cannot always implement the latest version. So a few issues here and there are to be expected.

ajoo wrote: The only question that still remains in my mind is how safe 'unsafe-inline' is in style-src. Is it there simply to suppress the errors that it appears to remove, or is it actually safe, contrary to its name?

There are a few CSS-related attacks, but they mostly apply to old browsers. Of course the best way would be to avoid 'unsafe-inline' altogether. But reCAPTCHA doesn't support that right now, and there isn't much we can do about it. So you have no choice but to relax the policy on the pages which use reCAPTCHA (you should still use strict policies everywhere else).
ajoo, posted April 14, 2017:

Thanks very much, Guru Jacques!!