Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Promotion of unsafe code #613

Closed
2 of 4 tasks
xi opened this issue Oct 16, 2023 · 1 comment · Fixed by #615
Closed
2 of 4 tasks

Promotion of unsafe code #613

xi opened this issue Oct 16, 2023 · 1 comment · Fixed by #615

Comments

@xi
Copy link
Contributor

xi commented Oct 16, 2023

Documentation Is:

  • Missing
  • Needed
  • Confusing
  • Not Sure?

Please Explain in Detail...

Content Security Polcies (CSPs) make the web a safer place. Authors can use unsafe policies, but those are clearly labelled so authors do not use them by accident. One such unsafe policy is unsafe-inline.

This loader heavily promotes unsafe-inline code: All available options for injectType except for linkTag are unsafe, including the default value (styleTag). This makes it a barrier for the adoption of tighter CSPs. As this loader is used on a lot of websites, this has a huge impact on the security of the web in general.

As discussed in #306 and #487, CSPs allow to use nonces for inline code. However, these are not a proper solution. The spec is quite clear about the many drawbacks of nonces:

Using a nonce to allow inline script or style is less secure than not using a nonce, as nonces override the restrictions in the directive in which they are present. An attacker who can gain access to the nonce can execute whatever script they like, whenever they like. That said, nonces provide a substantial improvement over 'unsafe-inline' when layering a content security policy on top of old code. When considering 'unsafe-inline', authors are encouraged to consider nonces (or hashes) instead.

Your Proposal for Changes

  • Change the default inject type to linkTag
  • Clearly explain the security issues of all other inject types
  • Clearly explain the security issues of nonces
@alexander-akait
Copy link
Member

We can improve out documentation, our official recommendation is use https://github.com/webpack-contrib/style-loader#recommend and use style-loader only for development purposes for perf reasons, anyway in some cases developers want to inline CSS due to some internal reasons and we can't forbid it to them, when you should trust your code when you inline it

xi added a commit to xi/style-loader that referenced this issue Dec 6, 2023
@xi
Add security warning
369c30a 
Fixes webpack-contrib#613
xi added a commit to xi/style-loader that referenced this issue Dec 6, 2023
@xi
Add security warning
5dd651c 
Fixes webpack-contrib#613
@xi xi mentioned this issue Dec 6, 2023
Merged
6 tasks
xi added a commit to xi/style-loader that referenced this issue Dec 6, 2023
@xi
Add security warning
59fdd9d 
Fixes webpack-contrib#613
xi added a commit to xi/style-loader that referenced this issue Dec 8, 2023
@xi
docs: add security warning
61c8d7d 
Fixes webpack-contrib#613
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs(security): Add warning xi/style-loader
2 participants
@xi @alexander-akait