Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Appears to be incompatible with strict-dynamic content security policy #817

Open
InterLinked1 opened this issue Aug 21, 2020 · 2 comments
Open
Labels

Comments

@InterLinked1
Copy link

I was doing some testing today and I noticed that the pages utilizing showdown.js were not working (the dynamic Markdown rendering). I investigated and tweaked some things with my Content Security Policy header, which is presently whitelist based. I tried adding strict-dynamic to it and then added a nonce to the script call (showdown.min.js) to see if that would fix it. It did not. The only way I could get it to work was by leaving unsafe-inline in my CSP but removing strict-dynamic and the nonce so that unsafe-inline could take full effect. The whole idea of strict-dynamic and nonces are that a properly written arbitrary script should be able to work, but either with or without strict-dynamic, this library does not work. Effectively, this project is going to break over time further if not rewritten - hoping this can be addressed! Is there a reason this can't be compatible with CSP3? Wondering if I should wait for it to become compatible or just apply a different CSP for pages utilizing showdownjs which uses unsafe-inline only on those pages.

@SyntaxRules
Copy link
Member

Forgive my ignorance, is this because of ShowdownsXSS issue? https://github.com/showdownjs/showdown#xss-vulnerability

@InterLinked1
Copy link
Author

Not 100% sure... CSPs dictate what code should be allowed to execute on a page, and if I recall correctly Showdown required extremely liberal rules to be set up to allow Showdown to work, which are considered a bad security practice today. CSPs help prevent XSS, though, so that may be related: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

@tivie tivie pinned this issue Apr 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants