
Remove img nonce (#460)
josevalim authored Dec 4, 2024
1 parent d284dab commit 149d23f
Showing 9 changed files with 23 additions and 33 deletions.
12 changes: 7 additions & 5 deletions dev.exs
Expand Up @@ -480,7 +480,6 @@ defmodule DemoWeb.Router do
components: DemoWeb.GraphShowcasePage
],
csp_nonce_assign_key: %{
img: :img_csp_nonce,
style: :style_csp_nonce,
script: :script_csp_nonce
},
Expand All @@ -493,18 +492,21 @@ defmodule DemoWeb.Router do
)
end

defp nonce do
16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
end

def put_csp(conn, _opts) do
[img_nonce, style_nonce, script_nonce] =
for _i <- 1..3, do: 16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
style_nonce = nonce()
script_nonce = noonce()

conn
|> assign(:img_csp_nonce, img_nonce)
|> assign(:style_csp_nonce, style_nonce)
|> assign(:script_csp_nonce, script_nonce)
|> put_resp_header(
"content-security-policy",
"default-src; script-src 'nonce-#{script_nonce}'; style-src-elem 'nonce-#{style_nonce}'; " <>
"img-src 'nonce-#{img_nonce}' data: ; font-src data: ; connect-src 'self'; frame-src 'self' ;"
"img-src data: ; font-src data: ; connect-src 'self'; frame-src 'self' ;"
)
end
end
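Review bot: `script_nonce = noonce()` on the new side of `put_csp/2` calls a function that does not exist; the helper added just above is `nonce/0`, so this dev script fails with an undefined-function error and the `script-src` nonce in the header is never produced. The line should read `script_nonce = nonce()`. The extraction itself is sound: 16 bytes from `:crypto.strong_rand_bytes/1` gives 128 bits of CSPRNG output per response, which is what a CSP nonce needs, and generating the two values separately keeps script and style nonces independent. Dropping the nonce from `img-src` is correct since `nonce-` source expressions only take effect on script and style directives; with it gone, `img-src data:` is the only image source this policy permits, which appears intentional as far as the diff shows.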
2 changes: 1 addition & 1 deletion lib/phoenix/live_dashboard/layout_view.ex
Expand Up @@ -6,7 +6,7 @@ defmodule Phoenix.LiveDashboard.LayoutView do

def render("dash.html", assigns), do: dash(assigns)

defp csp_nonce(conn, type) when type in [:script, :style, :img] do
defp csp_nonce(conn, type) when type in [:script, :style] do
csp_nonce_assign_key = conn.private.csp_nonce_assign_key[type]
conn.assigns[csp_nonce_assign_key]
end
8 changes: 4 additions & 4 deletions lib/phoenix/live_dashboard/page_builder.ex
Expand Up @@ -172,10 +172,10 @@ defmodule Phoenix.LiveDashboard.PageBuilder do
> You should use those when including scripts or styles like this:
>
> ```heex
> <script nonce={@csp_nonces[:script]}>...</script>
> <script nonce={@csp_nonces[:script]} src="..."></script>
> <style nonce={@csp_nonces[:style]}>...</style>
> <link rel="stylesheet" href="..." nonce={@csp_nonces[:style]}>
> <script nonce={@csp_nonces.script}>...</script>
> <script nonce={@csp_nonces.script} src="..."></script>
> <style nonce={@csp_nonces.style}>...</style>
> <link rel="stylesheet" href="..." nonce={@csp_nonces.style}>
> ```
>
> This ensures that your custom page can be used when a CSP is in place using the mechanism
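Review bot: The updated examples switch to the assertive `@csp_nonces.script` / `@csp_nonces.style` form but the surrounding text does not say what those values are when no `csp_nonce_assign_key` is configured; the router builds the map from `conn.assigns[...]`, so both keys are present but `nil` in that case, and page authors should know the attribute is then rendered without a value. A sentence after the code block would cover it: `Both values are \`nil\` when no \`csp_nonce_assign_key\` option is given to \`live_dashboard\`, so the \`nonce\` attribute is only populated when a CSP is in use.` The moduledoc this hunk belongs to starts and ends outside it.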
3 changes: 1 addition & 2 deletions lib/phoenix/live_dashboard/router.ex
Expand Up @@ -300,7 +300,7 @@ defmodule Phoenix.LiveDashboard.Router do
csp_nonce_assign_key =
case options[:csp_nonce_assign_key] do
nil -> nil
key when is_atom(key) -> %{img: key, style: key, script: key}
key when is_atom(key) -> %{style: key, script: key}
%{} = keys -> Map.take(keys, [:img, :style, :script])
end

Expand Down Expand Up @@ -404,7 +404,6 @@ defmodule Phoenix.LiveDashboard.Router do
"allow_destructive_actions" => allow_destructive_actions,
"requirements" => requirements |> Enum.concat() |> Enum.uniq(),
"csp_nonces" => %{
img: conn.assigns[csp_nonce_assign_key[:img]],
style: conn.assigns[csp_nonce_assign_key[:style]],
script: conn.assigns[csp_nonce_assign_key[:script]]
}
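Review bot: The map clause directly below the changed line still reads `Map.take(keys, [:img, :style, :script])`, so a caller passing `img:` in `csp_nonce_assign_key` keeps that key in `conn.private` even though the atom form no longer produces it and the `"csp_nonces"` map built further down no longer reads it. Change it to `%{} = keys -> Map.take(keys, [:style, :script])` so both option forms yield the same shape. Since an unknown key such as `img:` is then silently dropped, consider logging a deprecation warning when it is supplied so that applications upgrading across this change learn the key is now ignored; the tests in this commit only exercise the `other: :unused` case. The function containing this `case` starts and ends outside the hunk.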
Expand Up @@ -11,7 +11,7 @@ defmodule Phoenix.LiveDashboard.TitleBarComponentTest do
render_component(TitleBarComponent,
percent: 0.1,
class: "test-class",
csp_nonces: %{img: "img_nonce", style: "style_nonce", script: "script_nonce"},
csp_nonces: %{style: "style_nonce", script: "script_nonce"},
dom_id: "title-bar",
inner_block: [%{slot: :__inner_block__, inner_block: fn _, _ -> "123" end}]
)
4 changes: 2 additions & 2 deletions test/phoenix/live_dashboard/page_builder_test.exs
Expand Up @@ -112,7 +112,7 @@ defmodule Phoenix.LiveDashboard.PageBuilderTest do
hint="test-hint"
inner_hint="test-inner-hint"
total_formatter={&"test-format-#{&1}"}
csp_nonces={%{img: "img_nonce", style: "style_nonce", script: "script_nonce"}}
csp_nonces={%{style: "style_nonce", script: "script_nonce"}}
/>
""")

Expand Down Expand Up @@ -149,7 +149,7 @@ defmodule Phoenix.LiveDashboard.PageBuilderTest do
dom_id="test-dom-id"
title="test-title"
hint="test-hint"
csp_nonces={%{img: "img_nonce", style: "style_nonce", script: "script_nonce"}}
csp_nonces={%{style: "style_nonce", script: "script_nonce"}}
>
<:usage
current={10}
21 changes: 7 additions & 14 deletions test/phoenix/live_dashboard/router_test.exs
Expand Up @@ -43,7 +43,6 @@ defmodule Phoenix.LiveDashboard.RouterTest do
%{
live_socket_path: "/custom/live",
csp_nonce_assign_key: %{
img: :csp_nonce,
style: :csp_nonce,
script: :csp_nonce
}
Expand All @@ -54,18 +53,16 @@ defmodule Phoenix.LiveDashboard.RouterTest do
assert route_opts(
live_socket_path: "/custom/live",
csp_nonce_assign_key: %{
img: :img_csp_none,
style: :style_csp_none,
script: :script_csp_none,
style: :style_csp_nonce,
script: :script_csp_nonce,
other: :unused
}
)[:private] ==
%{
live_socket_path: "/custom/live",
csp_nonce_assign_key: %{
img: :img_csp_none,
style: :style_csp_none,
script: :script_csp_none
style: :style_csp_nonce,
script: :script_csp_nonce
}
}
end
Expand Down Expand Up @@ -363,37 +360,33 @@ defmodule Phoenix.LiveDashboard.RouterTest do

test "loads nonces when key present" do
assert %{
"csp_nonces" => %{img: "img_nonce", script: "script_nonce", style: "style_nonce"}
"csp_nonces" => %{script: "script_nonce", style: "style_nonce"}
} =
build_conn()
|> Plug.Conn.assign(:img_nonce, "img_nonce")
|> Plug.Conn.assign(:style_nonce, "style_nonce")
|> Plug.Conn.assign(:script_nonce, "script_nonce")
|> csp_session(%{
img: :img_nonce,
style: :style_nonce,
script: :script_nonce
})
end

test "loads nil nonces when assign present" do
assert %{
"csp_nonces" => %{img: nil, script: nil, style: nil}
"csp_nonces" => %{script: nil, style: nil}
} =
build_conn()
|> csp_session(%{
img: :img_nonce,
style: :style_nonce,
script: :script_nonce
})
end

test "loads nil nonces when key absent" do
assert %{
"csp_nonces" => %{img: nil, script: nil, style: nil}
"csp_nonces" => %{script: nil, style: nil}
} =
build_conn()
|> Plug.Conn.assign(:img_nonce, "img_nonce")
|> Plug.Conn.assign(:style_nonce, "style_nonce")
|> Plug.Conn.assign(:script_nonce, "script_nonce")
|> csp_session()
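Review bot: The test named `"loads nil nonces when assign present"` builds a bare conn with no assigns at all and asserts both nonces are `nil`, so its name says the opposite of what it checks; rename it to `test "loads nil nonces when assign absent"` while this block is being touched. None of the updated tests passes an `img:` key into `route_opts/1` or `csp_session/1` any more, so nothing pins down how a leftover `img:` key in the map form is handled after this change; a `route_opts` case with `img: :img_csp_nonce` in the input and only `style`/`script` in the expected private map would cover it. The final test's `end` lies outside the hunk.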
3 changes: 0 additions & 3 deletions test/phoenix/live_dashboard_test.exs
Expand Up @@ -17,19 +17,16 @@ defmodule Phoenix.LiveDashboardTest do
test "embeds csp nonces" do
html =
build_conn()
|> assign(:img_csp_nonce, "img_nonce")
|> assign(:script_csp_nonce, "script_nonce")
|> assign(:style_csp_nonce, "style_nonce")
|> get("/dashboard/home")
|> html_response(200)

refute html =~ "img_nonce"
refute html =~ "script_nonce"
refute html =~ "style_nonce"

html =
build_conn()
|> assign(:img_csp_nonce, "img_nonce")
|> assign(:script_csp_nonce, "script_nonce")
|> assign(:style_csp_nonce, "style_nonce")
|> get("/config/nonode@nohost/home")
1 change: 0 additions & 1 deletion test/test_helper.exs
Expand Up @@ -90,7 +90,6 @@ defmodule Phoenix.LiveDashboardTest.Router do
live_dashboard "/config",
live_socket_path: "/custom/live",
csp_nonce_assign_key: %{
img: :img_csp_nonce,
style: :style_csp_nonce,
script: :script_csp_nonce
},
