
Issue 702612 link

Starred by 1 user

Issue metadata

Status: Fixed
Merged: issue 627762
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug




CSP nonce is not applied to Link rel=preload

Reported by imp...@gmail.com, Mar 17 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3044.0 Safari/537.36

Steps to reproduce the problem:
The following HTML loaded with the content-security-policy header 

Content-Security-Policy:script-src 'strict-dynamic' 'unsafe-inline' 'nonce-753d7a5f9de055a3db148c2da1719867';

<!DOCTYPE html>
<html lang="en">
    <head>
        <!-- the href below had a stray trailing quote in the original report ("/js/layout.js'"); the error message shows the URL without it -->
        <link as="script" crossorigin="anonymous" href="/js/layout.js" rel="preload" nonce="753d7a5f9de055a3db148c2da1719867" />
    </head>
    <body></body>
</html>

produces the following error :

Refused to load the script 'http://localhost/js/layout.js' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'unsafe-inline' 'nonce-753d7a5f9de055a3db148c2da1719867'". 'strict-dynamic' is present, so host-based whitelisting is disabled.

What is the expected behavior?
No violation

What went wrong?
The `Link` tag should use the `nonce` attribute to preload the script; no CSP violation should be triggered.

Did this work before? N/A 

Does this work in other browsers? N/A

Chrome version: 59.0.3044.0  Channel: canary
OS Version: OS X 10.11.6
Flash Version: 

Might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=654557
 

Comment 1 by rsesek@chromium.org, Mar 17 2017

Components: Blink>SecurityFeature>ContentSecurityPolicy
Labels: Needs-Triage-M59
Cc: jmukthavaram@chromium.org mkwst@chromium.org
Labels: Needs-Feedback
mkwst@, could you please confirm whether this issue is similar to 654557/627762?
Thanks.

Comment 4 by imp...@gmail.com, Mar 24 2017

Yes, I confirm it's similar to 654557
I mentioned it in my original message:

> Might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=654557

Comment 5 by sheriffbot@chromium.org, Mar 24 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "jmukthavaram@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mergedinto: 627762
Status: Duplicate (was: Unconfirmed)
This issue seems similar to #627762, hence merging it.
Please feel free to undupe if it is not similar.

Thanks.
Cc: ksakamoto@chromium.org
Components: Blink>Loader
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Windows
Status: Available (was: Duplicate)
Summary: CSP nonce is not applied to Link rel=preload (was: CSP nonce is applied to Link el=preload)
Re-opening: the nonce attribute of <link rel=preload> is still not respected.

Cc: -ksakamoto@chromium.org
Owner: ksakamoto@chromium.org
Status: Started (was: Available)
Actually, a CSP violation is reported, but the script resource is still preloaded.

Here's what's happening:

1. The HTML preload scanner scans the <link rel=preload> tag. PreloadScanner knows about nonce, so it creates a PreloadRequest with the nonce parameter set.
2. When <link> is parsed and attached to the DOM, LinkLoader creates another request, without setting the nonce parameter.
3. Usually, the request from step 2 is merged into the request from step 1 at ResourceFetcher (in MatchPreload()), but in this case the request from step 2 is blocked by CSP before it is merged.

As a result, the script is preloaded by step 1, but a CSP violation is reported by step 2. This is very confusing. Also, a dynamically created link rel=preload element doesn't work.

We should teach LinkLoader about the nonce attribute. I'll create a patch.

Comment 9 by y...@yoav.ws, Sep 22 2017

I think it's significantly more dev friendly to let developers preload the script without a nonce and verify nonces at use time. Is there a particular security issue with that approach?

I agree the current situation is confusing, though. I'd prefer to ignore nonces for preloads at the CSP level. Mike, WDYT?

Comment 10 by mkwst@chromium.org, Sep 22 2017

Ignoring nonces for preloads completely would make it ~impossible to defend against data exfiltration. Without thinking about it too hard, teaching `LinkLoader` about the attribute seems like a better way to approach the problem. Why would you prefer the opposite, Yoav?

Comment 11 by y...@yoav.ws, Sep 22 2017

Oops, didn't think about data exfiltration (is `prefetch` bound to a CSP policy? I forget...)

The reason for my preference is dev ergonomics (so not forcing devs to add the nonce everywhere if it's not needed). If there's an actual security/leak concern here, then I retract my objections.

Comment 12 by bugdroid1@chromium.org, Sep 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dc84d178bb099bb55a6ef8948a642fe1194bf956

commit dc84d178bb099bb55a6ef8948a642fe1194bf956
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Wed Sep 27 09:46:07 2017

Teach LinkLoader about the 'nonce' attribute

This patch makes LinkLoader propagate the 'nonce' parameter from
link rel=preload, both from element and header. This matches the
standard [1] and is consistent with HTMLPreloadScanner's behavior.

[1] https://html.spec.whatwg.org/#obtaining-a-resource-from-a-link-element

Bug:  702612 
Change-Id: Ib28e88c49754d427abe96c3bf0145621132592a7
Reviewed-on: https://chromium-review.googlesource.com/676769
Reviewed-by: Yoav Weiss <yoav@yoav.ws>
Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504613}
[add] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/LayoutTests/external/wpt/preload/dynamic-adding-preload-nonce.html
[add] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/LayoutTests/external/wpt/preload/dynamic-adding-preload-nonce.html.headers
[add] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/LayoutTests/external/wpt/preload/link-header-preload-nonce.html
[add] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/LayoutTests/external/wpt/preload/link-header-preload-nonce.html.headers
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/core/html/HTMLLinkElement.h
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/core/html/LinkStyle.cpp
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/core/loader/LinkLoader.cpp
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/core/loader/LinkLoader.h
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/core/loader/LinkLoaderTest.cpp
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/platform/loader/LinkHeader.cpp
[modify] https://crrev.com/dc84d178bb099bb55a6ef8948a642fe1194bf956/third_party/WebKit/Source/platform/loader/LinkHeader.h

Status: Fixed (was: Started)
