
Add a CSP provider class, which allows the users to define CSPs and provide a nonce used for strict-dynamic support

    • New Feature
    • Resolution: Won't Do
    • Major
    • 10.0.0
    • 9.6.2
    • None
    • Security Level: Jimmy

      User Story

      As a webmaster, I want to use CSP to secure my application against attacks.

      Currently ZK's client engine requires the following CSP source expressions: unsafe-inline, unsafe-eval

      These CSP rules are necessary for the client engine to execute scripts dynamically by creating new script elements in the page, and by creating new Functions for JSON eval and Widget $define instantiation.

      The goal is to allow the developer to set a stricter CSP, which does not allow unsafe-eval or unsafe-inline for all sources.

      Acceptance Criteria

      Instead of allowing the creation of dynamic scripts through unsafe-inline, the framework may be able to use a nonce to mark all of the framework-loaded scripts, then allow them with the CSP strict-dynamic.
      When using a nonce, the same nonce (random ID) is declared in the CSP header and as part of the script tags added to the page.
      This marks the scripts as actively authorized to perform the eval and inline functions.

      Since strict-dynamic is a "relatively new" feature of CSP3, this should not be enabled by default. In the default use case (no user config), the ZK engine should output the same headers and scripts as current specs.

      The developer should be able to set a library policy or config (default false) to enable the following two features:

      • The provided class should be able to return a nonce, based on a provided execution
      • The provided class should get access to an execution, in order to define this execution's CSP header.

      String getCspNonce(Execution exec)
      void processRequestHeader(Execution exec)

      ZK should not set CSP info itself, since only one CSP header may be added per response.
      Instead, it should give the developer the opportunity to access the execution, provide the relevant headers, and generate a nonce, which will automatically be added to all ZK-loaded scripts.

      Updated:

      After POC testing, strict-dynamic could be used for this purpose, but requires additional elements to be used conveniently.

      Since the CSP headers are declared as a response header, a good option would be to allow the developer to define a class "CSP provider" with a void process(Execution exec), which will allow the user to define their own CSP values.

      This CSP provider should also have a "String getNonce()" method implementable by the developer. If this method returns a non-null, non-empty string, during ZK lang script loading, ZK should provide a nonce attribute matching this string.

      If ZK provides a default version of this class, the nonce should be generated for each new page request (a nonce should not be reused between different documents).

      <system-config>
          <csp-header-generator-class>my.CspGenerator</csp-header-generator-class>
      </system-config>
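As an added illustration (not part of this issue or of ZK itself) of how the proposed provider class could be implemented by a developer, the following assumes the proposed process(Execution)/getNonce(Execution) shape, a Servlet (javax) deployment, and an execution attribute key chosen here ("my.csp.nonce") to cache one nonce per page request:

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletResponse;
import org.zkoss.zk.ui.Execution;

/** Hypothetical CSP provider matching the API proposed in this issue. */
public class CspGenerator {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed attribute key used to keep the nonce stable for one execution only
    private static final String NONCE_ATTR = "my.csp.nonce";

    /** Returns the nonce for this execution, generating it on first use. */
    public String getNonce(Execution exec) {
        String nonce = (String) exec.getAttribute(NONCE_ATTR);
        if (nonce == null) {
            // 128 bits from a CSPRNG, base64 as required by the CSP nonce grammar;
            // generated per request so it is never shared between documents
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            nonce = Base64.getEncoder().encodeToString(raw);
            exec.setAttribute(NONCE_ATTR, nonce);
        }
        return nonce;
    }

    /** Sets the single CSP header for this response, binding it to the nonce. */
    public void process(Execution exec) {
        Object resp = exec.getNativeResponse();
        if (resp instanceof HttpServletResponse) {
            String policy = "script-src 'nonce-" + getNonce(exec) + "' 'strict-dynamic'; "
                    + "object-src 'none'; base-uri 'none'";
            ((HttpServletResponse) resp).setHeader("Content-Security-Policy", policy);
        }
    }
}
```

Note that 'strict-dynamic' only governs which scripts may load: eval and new Function remain controlled by 'unsafe-eval', so a policy without it still needs the engine's JSON eval and $define paths to avoid those calls.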

      Details

      Attached: POC project
      Note: the POC is an early "hard-coded" implementation, and not representative of the intended state.

      strict-dynamic detailed explanation
      https://content-security-policy.com/strict-dynamic/

      useful tool to evaluate if a CSP policy is valid
      https://csp-evaluator.withgoogle.com/

            MDuchemin