Overriding default CSP with th1-setup hook with nonce support
(1) By Warren Young (wyoung) on 2019-09-02 17:55:31
I'm trying to override the default CSP via the th1-setup hook, which works for many cases:
$ fossil set th1-setup "set default_csp \"default-src 'self'\""
This is based on an example in the new default CSP docs with the curly brace quoting exchanged for double-quoting. This makes the shell quoting more difficult, requiring the backslashes in the command above, but TH1 doesn't expand variables inside curly braces, so we have to use double quotes. We need variable expansion if we want to replicate the current default CSP.
This command should give me Fossil's default CSP:
$ fossil set th1-setup "set default_csp \"default-src 'self' data: ; script-src 'self' 'nonce-\$nonce' ; style-src 'self' 'unsafe-inline'\""
(Please excuse the long lines. We've got three different languages in a single line here, each with their own white space and quoting rules: shell, TH1, and CSP. Getting it to run at all is a neat trick. Getting it to look good as well is asking a bit much.)
If you run that and then reload a fossil ui generated page, up at the top in bold red text it complains, "ERROR: no such variable: nonce"!
Excuse me? There most certainly is a TH1 variable called nonce! Apparently the TH1 skinning variables aren't defined yet at the point of th1-setup execution.
All right, let's get clever:
$ fossil set th1-setup "set nonce [randhex 8] ; set default_csp \"default-src 'self' data: ; script-src 'self' 'nonce-\$nonce' ; style-src 'self' 'unsafe-inline'\""
The bogus red error message goes away, and you get something like nonce-1b80ad75a4df52f6 in the CSP part of the document <head>, but Fossil then apparently blindly stomps on my $nonce variable and subs that value into later <script nonce="$nonce"> blocks, so now they cause CSP errors.
I don't particularly want to override the TH1 $nonce variable like that anyway. I want my prior example to work, with $nonce defined before th1-setup gets evaluated on the page.
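An added example, not from this thread and not part of Fossil's code: a small Python checker for the failure described in this post, where the 'nonce-...' source in the served CSP and the nonce attributes on the page's <script> tags no longer agree. It also flags the two policy typos that are easy to make when three quoting layers are stacked (a stray colon after a directive name, and a quoted keyword the browser does not know). All function names, the sample policy and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Quoted keyword sources defined by CSP Level 3; any other quoted token must
# be a nonce or a hash source, otherwise the browser silently ignores it.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
            "strict-dynamic", "report-sample", "wasm-unsafe-eval"}
NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
HASH_RE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/=_-]+'$")


def parse_csp(policy):
    """Split a serialized policy into {directive-name: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def lint_sources(directives):
    """Report directive names and quoted tokens a browser would not understand."""
    problems = []
    for name, sources in directives.items():
        if name.endswith(":"):
            problems.append(f"directive {name!r} has a stray colon; the browser will ignore it")
        for s in sources:
            if (s.startswith("'") and s.strip("'") not in KEYWORDS
                    and not NONCE_RE.match(s) and not HASH_RE.match(s)):
                problems.append(f"{name}: unknown quoted source {s}")
    return problems


def csp_script_nonces(directives):
    """Nonces the policy accepts for scripts; script-src falls back to default-src."""
    sources = directives.get("script-src", directives.get("default-src", []))
    nonces = set()
    for s in sources:
        m = NONCE_RE.match(s)
        if m:
            nonces.add(m.group(1))
    return nonces


class _ScriptTags(HTMLParser):
    """Collect (nonce, has_src) for every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attrs = dict(attrs)
            self.scripts.append((attrs.get("nonce"), "src" in attrs))


def script_tags(html):
    parser = _ScriptTags()
    parser.feed(html)
    return parser.scripts


def check_page(policy, html):
    """Return a list of problems; an empty list means the page and policy agree."""
    directives = parse_csp(policy)
    problems = lint_sources(directives)
    allowed = csp_script_nonces(directives)
    for nonce, has_src in script_tags(html):
        if nonce is None:
            if not has_src:  # inline script with no nonce cannot be allowed by a nonce
                problems.append("inline <script> has no nonce attribute")
        elif nonce not in allowed:
            problems.append(f"<script nonce={nonce!r}> does not match policy nonces {sorted(allowed)}")
    return problems


# Constructed samples (not real Fossil output).
POLICY = ("default-src 'self' data: ; script-src 'self' 'nonce-1b80ad75a4df52f6' ; "
          "style-src 'self' 'unsafe-inline'")
PAGE_OK = '<head></head><body><script nonce="1b80ad75a4df52f6">f()</script></body>'
# The situation from the post: the CSP carries one nonce, the script tags another.
PAGE_DRIFT = '<body><script nonce="9f3c0a11c2d4e6f8">f()</script></body>'

if __name__ == "__main__":
    for label, page in (("ok", PAGE_OK), ("drift", PAGE_DRIFT)):
        print(label, check_page(POLICY, page) or "no problems")
    print(lint_sources(parse_csp("default-src: 'self'; style-src 'self' 'inline'")))
```

Run it against a saved page plus the Content-Security-Policy header (or the meta tag) that was served with it; a non-empty result is exactly the "nonce in the policy but a different nonce on the tags" state that produces the console CSP errors mentioned above.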
(2.1) Originally by anonymous with edits by mistachkin on 2019-09-03 17:23:46 from 2.0 in reply to 1
I’m using something like the following in th1-setup:
set default_csp "default-src 'self' data: ; script-src 'self' 'nonce-[nonce]' ; style-src 'self' 'unsafe-inline'; img-src 'self'"
(Mistachkin)
(3) By Warren Young (wyoung) on 2019-09-03 19:37:03 in reply to 2.1
Ah, you're calling the nonce proc instead of referring to the $nonce variable.
Thanks for the tip...but I hope someone decides that the TH1 skinning variables can be defined earlier in the request process, so both methods work.
(4) By mistachkin on 2019-09-03 19:56:49 in reply to 3
There is a bit of a chicken-and-egg problem there. The TH1 styling engine and its associated variables are not initialized until th1-setup is complete, because the th1-setup script is run as part of the TH1 interpreter creation process. Adding the [nonce] command was the best available solution, i.e. the $nonce variable should be available from within the header/page/footer itself, just not from the th1-setup script. Of course, we can consider further enhancements later.