Skip to content

Mockup requires unsafe-eval for script-src rule when configuring CSP header #1306

New issue
New issue
Open
#1315
Open
Mockup requires unsafe-eval for script-src rule when configuring CSP header#1306
#1315
@frapell

Description

@frapell
frapell
opened on Apr 14, 2023

This can be reproduced as follows:

  1. Create a docker-compose.yml with this contents:
version: '2'

services:
  nginx:
    container_name: nginx
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - ${PWD}/nginx.conf:/etc/nginx/conf.d/default.conf
    network_mode: "host"
  1. Next to it, create a nginx.conf with this:
server {
    listen 80;
    server_name test_csp.plone.com;

    add_header Content-Security-Policy "script-src 'self';";

    location / {
        limit_except GET POST { deny  all; }
        rewrite ^(.*)$ /VirtualHostBase/http/test_csp.plone.com:80/Plone/VirtualHostRoot$1 break;
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "";
    }

}
  1. Edit your /etc/hosts and configure test_csp.plone.com to point at 127.0.0.1
  2. Start a fresh Plone listening in 8080 and create an empty Classic Plone site
  3. Where you put the docker-compose.yml and nginx.conf run docker compose up

At this point, you should be able to open your browser and point to http://test_csp.plone.com/ to reach your site. If you try to login by opening the login modal, you will not be able to, and you can see an error message in the developer tools

Uncaught EvalError: call to Function() blocked by CSP
   dr Underscore
   render modal.js:427
   render modal.js:901
   _show modal.js:971
   ajaxXHR modal.js:616
   jQuery 6
   createAjaxModal modal.js:608
   show modal.js:908
   init modal.js:592
   jQuery 8
   init modal.js:589
   d base.js:59
   n base.js:105
   c base.js:40
   initPattern registry.js:119
   scan registry.js:200
   init registry.js:71
   jQuery 9
   init registry.js:64
   17704 patterns.js:74
   Webpack 5
template.js:87:13
   dr Underscore
   render modal.js:427
   render modal.js:901
   _show modal.js:971
   ajaxXHR modal.js:616
   jQuery 6
   createAjaxModal modal.js:608
   show modal.js:908
   init modal.js:592
   jQuery 8
   init modal.js:589
   d base.js:59
   n base.js:105
   c base.js:40
   initPattern registry.js:119
   scan registry.js:200
   init registry.js:71
   jQuery 9
   init registry.js:64
   17704 patterns.js:74
   Webpack 5

Now, if you edit the nginx.conf and change the line

    add_header Content-Security-Policy "script-src 'self';";

To this

    add_header Content-Security-Policy "script-src 'self' 'unsafe-eval';";

Then kill nginx and run docker compose up , you can now see the login modal and everything works fine.

This issue is related to jashkenas/underscore#906 and jashkenas/underscore#2273 (Which basically are the same issue).

I don't know if this can be exploited in any way, however it is an issue, being that unsafe-eval completely blocks the usage of _.template.
On the second issue, an alternative is proposed (https://github.com/silvermine/undertemplate), would moving to this be acceptable?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions