[Feature Request] Theme CSP nonce should be removed #15973

Closed
Antti-Palola opened this issue Oct 25, 2022 · 4 comments
Labels
S: stale This issue is untriaged and hasn't seen any activity in at least six months. S: triage

Comments

Antti-Palola (Contributor) commented Oct 25, 2022

Problem to solve

Theme cspNonce gives a false sense of security. The nonce should be regenerated for every request, or it is really not any more secure than unsafe-inline, as the attacker could use the static nonce in their payload.

Proposed solution

The only real solutions are to either use a CSP hash or not generate a theme at all.
This should be documented so people find the correct solution.

The generated theme hash should not change between builds so it would need to be regenerated only if theme configuration changes.

@SegaraRai commented

+1 for this. A nonce should not be a fixed value.

FWIW I managed to load Vuetify at build time and generate a CSP.
It appears to be working fine as of now.
https://github.com/SegaraRai/vuetify3-with-csp

github-actions bot added the "S: stale" label (This issue is untriaged and hasn't seen any activity in at least six months) on May 19, 2024
github-actions bot closed this as not planned (Won't fix, can't repro, duplicate, stale) on Jun 5, 2024
sbernard31 commented Jan 8, 2025

> Theme cspNonce gives a false sense of security. The nonce should be regenerated for every request, or it is really not any more secure than unsafe-inline, as the attacker could use the static nonce in their payload.

⚠️ I'm pretty new on this topic, but reading the CSP nonce guide, I also understand that ☝️.

So, I don't think it was a good idea to have closed this issue.

I saw several users asking for help to solve the unsafe-inline issue for styles on the Vuetify Discord, and they are often encouraged to use the current "nonce" way.

> The only real solutions are to either use a CSP hash or not generate a theme at all.
> This should be documented so people find the correct solution.
>
> The generated theme hash should not change between builds so it would need to be regenerated only if theme configuration changes.

This also makes sense to me.
For not generating a theme at all, it can be done like this: #3349 (comment), but unless I missed something, when the theme is deactivated the application will probably look as expected...
For the hash, it could help to have a look at Using a hash with CSP

sbernard31 commented Jan 8, 2025

(I'm adding a link to a related Discord discussion: https://discord.com/channels/340160225338195969/1143844905660190790)

sbernard31 commented

(Just in case, I ping @johnleider)
