Problem/Motivation

Hello,
I want to share an experience when you want to use `strict-dynamic` in your CSP.
You need to use `nonce` or `hash` properties on yours scripts.

Advantages: The purpose to use nonce and hash in CSP with strict-dynamic source list keyword allows you to simplify your CSP policy by favoring hashes and nonce over domain host lists.

Actually, i have a custom module to perform extras functionality to the CSP module.
I need to overriding asset.js.collection_renderer service from core only with decorate to place nonce property to script declared from Drupal Libraries.
The class override the method render() to achieve that:

  /**
   * {@inheritdoc}
   *
   * Add nonce value to assets with src value.
   */
  public function render(array $js_assets): array {
    $placeholderKey = $this->nonce->getValue();

    // Render the core assets.
    $elements = $this->jsCollectionRenderer->render($js_assets);

    // Add nonce value to assets with src value.
    foreach ($elements as &$element) {
      // Attributes may only be set if this script is output independently.
      if (!empty($element['#attributes']['src'])) {
        $element['#attributes']['nonce'] = $placeholderKey;
      }
    }

    return $elements;
  }

Perhaps, the solution exist already on CSP module, but i didn't find it, despite i search deeply.

Is it possible, to discuss about this use case ?
It could be benefic that this extra was part of the module.

Thanks

Comments

ommanipadmehum created an issue. See original summary.

gapple’s picture

gapple
he/they
Primary language English
commented

There's some discussion of strict-dynamic in #3086924: Allow script / style by nonce.

Since the ability to use strict-dynamic is dependent on the libraries a site uses, and previously even Drupal Core itself was incompatible, there hasn't been work to integrate it as a feature in the module.
There was also originally the issue of browser support for strict-dynamic, but I don't think that's still a concern with all modern browsers now supporting CSP 3.

I think core support, csp modules features, and browser support have all progressed enough that restoring strict-dynamic as a configurable option on the module is feasible now, but it will need some thought for implementation given that the target user for the config form is site builders. The effect of using it needs to be clear, reporting of violations visible, and easily reversible.

ommanipadmehum’s picture

ommanipadmehum commented

Thanks for the answer.
May be we can close this issue as duplicate of issue #3086924: Allow script / style by nonce to continue in it.

gapple’s picture

gapple
he/they
Primary language English
commented
Title: Use case: strict-dynamic and nonce » Option to use strict-dynamic for scripts
Status: Active » Postponed
Related issues: +#3086924: Allow script / style by nonce

I'll postpone this issue as a separate item to enable 'strict-dynamic' after making it possible to use a nonce for library scripts.

alieffring’s picture

alieffring commented

Here's what I have done to get nonces on library scripts so that I can use `strict-dynamic`:

Create a service to override the core JsCollectionRenderer:

<?php

namespace Drupal\mymodule\Asset;

use Drupal\Component\Datetime\TimeInterface;
use Drupal\Core\Asset\AssetCollectionRendererInterface;
use Drupal\Core\Asset\AssetQueryStringInterface;
use Drupal\Core\File\FileUrlGeneratorInterface;
use Drupal\Core\Asset\JsCollectionRenderer as CoreJsCollectionRenderer;
use Drupal\csp\NonceBuilder;

/**
 * Renders JavaScript assets.
 */
class JsCollectionRenderer implements AssetCollectionRendererInterface {

  protected AssetCollectionRendererInterface $coreCollectionRenderer;

  /**
   * Constructs a JsCollectionRenderer.
   *
   * @param \Drupal\Core\Asset\AssetQueryStringInterface $assetQueryString
   *   The asset query string.
   * @param \Drupal\Core\File\FileUrlGeneratorInterface $fileUrlGenerator
   *   The file URL generator.
   * @param \Drupal\Component\Datetime\TimeInterface $time
   *    The time service.
   * @param \Drupal\csp\NonceBuilder $nonceBuilder
   *    The nonce builder service.
   */
  public function __construct(
    protected AssetQueryStringInterface $assetQueryString,
    protected FileUrlGeneratorInterface $fileUrlGenerator,
    protected TimeInterface $time,
    protected NonceBuilder $nonceBuilder,
  ) {
    // Core services have a tendency to acquire the `final` keyword, so rather
    // than extend, we will encapsulate.
    $this->coreCollectionRenderer = new CoreJsCollectionRenderer($assetQueryString, $fileUrlGenerator, $time);
  }

  /**
   * {@inheritdoc}
   *
   * Apply nonces to all generated script elements.
   */
  public function render(array $js_assets) {
    $elements = $this->coreCollectionRenderer->render($js_assets);
    $nonce_placeholder = $this->nonceBuilder->getPlaceholderKey();
    foreach ($elements as &$element) {
      $element['#attributes']['nonce'] = $nonce_placeholder;
      $element['#attached']['placeholders'][$nonce_placeholder] =
        ['#lazy_builder' => ['csp.nonce_builder:renderNonce', []]];
    }

    return $elements;
  }

}

And implement a service provider to apply the override:

<?php

namespace Drupal\mymodule;

use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\DependencyInjection\ServiceModifierInterface;
use Drupal\mymodule\Asset\JsCollectionRenderer;
use Symfony\Component\DependencyInjection\Reference;

/**
 * Override JsCollectionRenderer service to add nonces to library scripts.
 *
 * @see https://www.drupal.org/node/2026959
 */
final class MymoduleServiceProvider implements ServiceModifierInterface {

  /**
   * {@inheritdoc}
   */
  public function alter(ContainerBuilder $container): void {
    if ($container->hasDefinition('asset.js.collection_renderer')) {
     $container->getDefinition('asset.js.collection_renderer')
       ->addArgument(new Reference('csp.nonce_builder'))
       ->setClass(JsCollectionRenderer::class);
    }
  }

}

I don't know if this is the route a contrib module would want to take, but it seems to get the job done in a custom module.

gapple’s picture

gapple
he/they
Primary language English
commented

Thanks for the example code @alieffring

The decorator pattern should be applied through the service definition to ensure it properly stacks with any other potential service decorators from other modules. CSP's html_response.attachments_processor.csp service is an example of implementing this pattern.
https://symfony.com/doc/current/service_container/service_decoration.html

I still have to evaluate if it's possible/beneficial to apply the nonce earlier in the rendering pipeline and propagate it through. Theoretically the JsCollectionRenderer doesn't have assurance that the scripts it's given have come through from library definitions, but I'm not sure there's an opportunity to insert additional script urls that wouldn't also allow either modifying the library definitions or applying a nonce/hash anyways. The biggest risk is unescaped HTML that wouldn't pass through the renderer.