Nonce seems to be static - recommanded conf is dangerous for static website generators #121
Description
Description
Trying to use this plugin within a static website is opening security holes by default.
For example if we follow #53, it will add static nonces on a static website.
I would recommend to disable nonces by default, and let the user enable them on when they know that they wont pack a static website
What type of issue is this? (place an x in one of the [ ])
- bug
- enhancement (feature request)
- question
- documentation related
- testing related
- discussion
Requirements (place an x in each of the [ ])
- I've read and understood the Contributing guidelines and have done my best effort to follow them.
- I've read and agree to the Code of Conduct.
- I've searched for any related issues and avoided creating a duplicate issue.
Bug Report
Filling out the following details about bugs will help us solve your issue sooner.
Reproducible in:
slackhq/csp-html-webpack-plugin version: 5.1.0
Steps to reproduce:
- create static website, such with as
npx create-react-app my-app --template typescript - Install and wire the plugin
npm install react-app-rewired csp-html-webpack-plugin --save-dev - Configure webpack overrides in
config-overrides.js
const CspHtmlWebpackPlugin = require("csp-html-webpack-plugin");
module.exports = function override(config, env) {
config.plugins.push(
new CspHtmlWebpackPlugin({
"script-src": "",
"style-src": "",
})
);
return config;
};- Build with
react-app-rewired build - Check
build/index.htmlfile
Expected result:
Nonces are not static. At the very least, they should be generated by an inline script and injected
Actual result:
Static nonces are generated.
Uploading this to a CDN will allow anyone to grab the nunce and re-use it, bypassing the CSP
<meta http-equiv="Content-Security-Policy"
content="base-uri 'self'; object-src 'none'; script-src 'nonce-csu9vwLV51tCaN6biAAJFg=='; style-src 'nonce-vAVCeRTmI/cROWHcZcycQA=='">