
Bug 579074

Summary: Support Content Security Policy (a.k.a CSP) to help protect against XSS
Product: [RT] RAP
Reporter: Sebastien Arod <sebastien.arod>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
Severity: normal
Priority: P3
CC: georg.breitschopf, mknauer
Version: 3.20
Target Milestone: 3.21
Hardware: PC
OS: Windows 10
URL: https://github.com/eclipse-rap/org.eclipse.rap/issues/12
See Also: https://git.eclipse.org/r/c/rap/org.eclipse.rap/+/192051
https://git.eclipse.org/c/rap/org.eclipse.rap.git/commit/?id=51e930390c24c37c9d90020cb6e3546ae66640e2
https://git.eclipse.org/r/c/rap/org.eclipse.rap/+/192466
https://git.eclipse.org/c/rap/org.eclipse.rap.git/commit/?id=74ad8f5f4fca797c87c15b83c346f90e2c302d1e
Whiteboard: github

Description Sebastien Arod CLA 2022-03-03 11:33:31 EST
If using a CSP header with RAP it would need to be configured with a CSP script-src directive with 'self' 'unsafe-inline' 'unsafe-eval'.

Such a config is very permissive and removes most of the security provided by CSP.

https://csp-evaluator.withgoogle.com/ allows evaluating how a CSP config improves XSS protection and currently rates script-src values as follows:
 * 'unsafe-inline' as High severity: 'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
 * 'self' as Possible medium severity finding: 'self' can be problematic if you host JSONP, Angular or user uploaded files.
 * 'unsafe-eval' as Possible medium severity finding: 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().


Ideally the script-src tag should not be configured with any of 'unsafe-inline', 'self' or 'unsafe-eval'.
'unsafe-inline' is required because org.eclipse.rap.rwt.internal.service.StartupPage generates a script element with inline code.
'self' is required because org.eclipse.rap.rwt.internal.service.StartupPage generates a script element with a src from the server.
'unsafe-eval' is required because RAP uses the eval() function for several features (Browser widget, client scripting and JavaScriptExecutor, BrowserFunction).


The proposed enhancement is to support configuring RWTServlet to generate a "strict" CSP header:

When CSP generation is enabled RWTServlet.sendStartupContent would:
* generate a nonce on request
* Add a CSP header to the response. Content-Security-Policy: default-src 'self'; script-src nonce-<generatedvalue> 'unsafe-eval'; style-src 'self' 'unsafe-inline'.
* pass the generated nonce to the StartupPage so that it can append the nonce to the <script> elements.


Additionally:
* RWTServlet could be configured to remove 'unsafe-eval' from script-src.
  In such a situation RAP features relying on JavaScript eval() would become unusable.
* RWTServlet could be configured to add other CSP directives like frame-ancestors
Comment 1 Ivan Furnadjiev CLA 2022-03-04 03:13:22 EST
Hi Sebastien,
in order to clarify the specification I have several questions:
1. CSP can be applied with an HTTP response header OR with a <meta> tag in the HTML document. Do you know any + or - for using the <meta> tag instead of the response header?
2. It's not clear to me if the nonce generated value must be different for different <script> tags or a single value can be used on all of them.
3. Must the generated nonce value be UI session unique?
Comment 2 Sebastien Arod CLA 2022-03-05 02:53:15 EST
(In reply to Ivan Furnadjiev from comment #1)
> Hi Sebastien,
> in order to clarify the specification I have several questions:
> 1. CSP can be applied with an HTTP response header OR with a <meta> tag in the
> HTML document. Do you know any + or - for using the <meta> tag instead of
> the response header?
> 2. It's not clear to me if the nonce generated value must be different for
> different <script> tags or a single value can be used on all of them.
> 3. Must the generated nonce value be UI session unique?

Hi Ivan,
1. Some CSP features are not supported when using the meta tag (see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#3-content-security-policy-meta-tag for more details). However we may not need them in the context of RAP, so it may be enough to use the meta tag if it's simpler to set up.
2. Using a single nonce per request is enough. No need to have one per script tag.
3. A new unique nonce must be generated for each request of the startup HTML. It should be randomly generated using a cryptographically strong random (SecureRandom for instance or UUID.randomUUID()) to prevent guessing the nonce value, see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#nonces
Comment 3 Ivan Furnadjiev CLA 2022-03-05 03:40:51 EST
Thank you for the answer. And one last, more "complex" question. RAP has a ClientFileLoader client service, which allows loading JS and CSS files at runtime. This is mainly important for custom widgets based on external JavaScript libraries. The service injects a <script> tag into the DOM and waits for the resource to be loaded. Do we need to use the same nonce value for these script tags too? Anything else that needs to be set in this case in order to keep the functionality operational?
Comment 4 Ivan Furnadjiev CLA 2022-03-07 04:22:12 EST
(In reply to comment #3)
> Thank you for the answer. And one last, more "complex" question. RAP has a
> ClientFileLoader client service, which allows loading JS and CSS files at
> runtime. This is mainly important for custom widgets based on external
> JavaScript libraries. The service injects a <script> tag into the DOM and waits
> for the resource to be loaded. Do we need to use the same nonce value for these
> script tags too? Anything else that needs to be set in this case in order to
> keep the functionality operational?

I answered this question myself: the nonce value MUST be applied to these script tags too [1]. Script tags injected by trusted code MUST also be marked with the same nonce value.

[1] https://web.dev/strict-csp/
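As an added illustration (not RAP's own RWTServlet or StartupPage code; class and method names are hypothetical), here is the request flow from the description folded into one helper: a per-request SecureRandom nonce as comment 2 asks, the proposed header (the nonce source is written as a quoted 'nonce-...' token, which is the syntax browsers accept), the startup <script> tags carrying that nonce, and the same nonce reused on tags injected at runtime, which is the ClientFileLoader case comment 4 settles. The script URL and inline bootstrap are placeholders.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper illustrating the bug's proposal; not RWTServlet or StartupPage code.
public final class CspNonceExample {
    private static final SecureRandom RANDOM = new SecureRandom();

    /** A fresh nonce per startup request: 128 CSPRNG bits, base64-encoded (comment 2). */
    public static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Header value from the description. allowEval=false drops 'unsafe-eval' and with it
     * Browser#evaluate/execute, BrowserFunction and client scripting; frameAncestors is
     * the optional extra directive the description mentions (null = omit it).
     */
    public static String cspHeader(String nonce, boolean allowEval, String frameAncestors) {
        StringBuilder sb = new StringBuilder("default-src 'self'; script-src 'nonce-")
            .append(nonce).append("'");
        if (allowEval) {
            sb.append(" 'unsafe-eval'");
        }
        sb.append("; style-src 'self' 'unsafe-inline'");
        if (frameAncestors != null) {
            sb.append("; frame-ancestors ").append(frameAncestors);
        }
        return sb.toString();
    }

    /** Startup page: the external client script and the inline bootstrap share the nonce. */
    public static String startupScripts(String nonce, String clientJsUrl, String inlineBootstrap) {
        return "<script nonce=\"" + nonce + "\" src=\"" + clientJsUrl + "\"></script>\n"
             + "<script nonce=\"" + nonce + "\">" + inlineBootstrap + "</script>\n";
    }

    /** Tags injected later (ClientFileLoader, comment 4) must carry the same nonce,
     *  otherwise the browser refuses to execute them under this policy. */
    public static String runtimeScriptTag(String nonce, String url) {
        return "<script nonce=\"" + nonce + "\" src=\"" + url + "\"></script>";
    }

    public static void main(String[] args) {
        String nonce = newNonce();   // generated once, then threaded through the whole response
        System.out.println("Content-Security-Policy: " + cspHeader(nonce, true, "'none'"));
        System.out.print(startupScripts(nonce, "PLACEHOLDER/client.js", "/* placeholder bootstrap */"));
        System.out.println(runtimeScriptTag(nonce, "PLACEHOLDER/custom-widget.js"));
    }
}
```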
Comment 5 Ivan Furnadjiev CLA 2022-03-09 06:38:02 EST
One more finding here. The RWT JavaScript client is using "new Function(<string>)" in several places (Property.js, Parent.js, Widget.js), which is blocked when 'unsafe-eval' is missing. As a result the app is not loaded. We need to find out whether it is possible to eliminate the call to "new Function()" in these classes.
Comment 6 Eclipse Genie CLA 2022-03-18 05:12:55 EDT
New Gerrit change created: https://git.eclipse.org/r/c/rap/org.eclipse.rap/+/192051
Comment 7 Ivan Furnadjiev CLA 2022-03-18 05:17:09 EDT
With the change above "unsafe-eval" is still needed in the "script-src" directive. Eliminating "new Function(<string>)" in JS client will follow.
Comment 9 Ivan Furnadjiev CLA 2022-04-04 03:01:17 EDT
We are working now to eliminate the "new Function(<string>)" call in the JS client. With this change, using "unsafe-eval" will be possible (start application normally), but without support for Browser#evaluate/execute, BrowserFunction and client scripting.
Comment 10 Eclipse Genie CLA 2022-04-04 08:05:50 EDT
New Gerrit change created: https://git.eclipse.org/r/c/rap/org.eclipse.rap/+/192466
Comment 11 Ivan Furnadjiev CLA 2022-04-04 08:12:57 EDT
As the change above is a massive change, please test your applications carefully against the Gerrit review build asap.
https://ci.eclipse.org/rap/job/rap-head-runtime-gerrit/2924/
Comment 13 Markus Knauer CLA 2022-05-04 10:04:16 EDT
Because we switched to GitHub with the RAP version 3.12 that includes the implementation for this issue, and because we'd like to have all release relevant tickets in one place, I am copying the basic details to GitHub issues https://github.com/eclipse-rap/org.eclipse.rap/issues/12. Any kind of future enhancement should be discussed there.