Content security policy and nonces
-
Hi,
I’m wondering how to make CSP’s nonces work with W3TC.
I’m using an external implementation of CSP (not the W3TC). I’m progressively switching to a more secure way to implement CSP and get rid of unsecure stuff. That implies using nonces generated for every page load, which WT3TC doesn’t seem to support.
Is there any way to implement CSP policy with nonces?
Thanks!
-
Hello @psykonevro
Thank you for your inquiry and I am happy to assist you with this.
Ah yes, nonce lifespan. What you can try is to disable the Set expires header for HTML&xml in Performance>Browser Cache and see if the issue persists.
Alternatively, you can try using the Cache Preload in Performance>Page Cache>Cache Preload. With this, you can choose the number of seconds to wait before creating another set of cached pages.
Thanks!
Hi @vmarko,
Thanks for your quick reply.
Unfortunately, neither of the two solutions works; the nonce remains the same upon page refresh.
A newbie question: would it be possible to regex the nonce and let them refresh? That’s the method I use in a cache system I implemented that is waaaaay less complex than w3tc.
Hello @psykonevro
Thank you for the information.
Can you please share an example so I can check this?
Thanks!
Of course. My approach is to use a regex to remove and replace the nonces every time the page is refreshed. The function is called upon.

```php
<?php
// $nonce is assumed to be set elsewhere for the current request (global).
function sideline_cache($content) {
    global $nonce;
    // CSP: replace all nonces, so dynamically regenerated.
    // Note: .{28} assumes every nonce attribute value is exactly 28 characters long.
    $content = preg_replace("~nonce=('|\").{28}('|\")~", "nonce='" . $nonce . "'", $content);
    return $content;
}
```

This basic function is then called in a function to display the cache:

```php
<?php
// cache_file() is assumed to return the path of the gzip-compressed cached page.
function cache_display() {
    $file = cache_file();
    $file = gzdecode(file_get_contents($file));
    $file = sideline_cache($file);
    echo $file;
    exit;
}
```

Hello @psykonevro
Thank you for the information.
By default, the lifespan is 86400 seconds, or 24 hours (and can be adjusted with the nonce_life filter). Half this, 12 hours, is 43200.
If cached pages live longer than the nonce lifetime, then they may become invalid.
Nonces are used for non-logged-in users on the front-end — forms, etc.
If you are referring to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src ‘nonce-<base64-value>’, then that is in the headers and separate from WordPress nonces. The server must generate a unique nonce value each time it transmits a policy.
Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384, and sha512.
Such as:
Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='

It authorizes inline scripts, identified by a hash. Chrome web console can tell you the hash if one is blocked.
I hope this helps!
Hi @vmarko
CSP nonces are supposed to be generated for each page load.
Thus, a 24h (or any delay) makes CSP protection useless.
In addition, nonces are not displayed in the header only. They are supposed to be displayed in any style or script of the webpage, matching the nonce of the header.
Because of the cache, the header and html nonces don’t match.
Let me know if you need further clarification.
Hello @psykonevro
I see, thank you for the information.
This is a very strange setup.
Let me get back to you on this.
Thanks!
Hello @psykonevro
CSP nonces are not meant for caching. You need some middleware to update the headers and change the content before it is delivered. The plugin and other caches are not going to handle that. For example, CDNs and Nginx caches are not going to be dynamic.
Although, you can check this https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/
So what you are trying cannot be done with W3 Total Cache active, so you may want to try only using Cloudflare.
Thanks!
Hi @vmarko
I don’t use any middleware. Headers are good, their nonces are refreshed.
My issue is with the body’s nonces, cached by w3tc. Would it be possible to implement sort of refreshing when the pages are displayed?
CSP is a security protocol progressively implemented in many websites. WordPress is generally going that way. You’ll face similar questions soon!
The latest wordpress 5.7 release implements CSP script attributes:
Introducing script attributes related functions in WordPress 5.7
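The serve-time refresh described in the posts above (the `sideline_cache` regex and the question about refreshing body nonces when the cached page is displayed), written out as an added example; this is not code from the thread or from W3TC. It assumes the cached HTML is available as a string, matches nonce attributes of any length on script/style/link tags rather than a fixed 28-character value, and emits the matching CSP header from the same freshly generated nonce so header and body agree on every request.

```php
<?php
// Added example (not the thread's code): rewrite stale nonce attributes in a
// cached HTML body so they match a nonce generated for this request, and
// build the CSP header value that carries the same nonce.

function fresh_csp_nonce(): string {
    // 16 random bytes -> 24-character base64 value (>= 128 bits of entropy).
    return base64_encode(random_bytes(16));
}

function rewrite_nonces(string $html, string $nonce): string {
    // Only touch nonce attributes on script, style and link tags; accept either
    // quote style and any existing value length (base64 may contain + / =).
    $pattern = '~(<(?:script|style|link)\b[^>]*?\bnonce=)(["\'])[^"\']*\2~i';
    return preg_replace_callback($pattern, function (array $m) use ($nonce): string {
        return $m[1] . $m[2] . $nonce . $m[2];
    }, $html);
}

function csp_header_value(string $nonce): string {
    // Nonce applies to both scripts and styles, as the page body uses both.
    return "script-src 'nonce-$nonce'; style-src 'nonce-$nonce'; object-src 'none'";
}

function serve_cached(string $cached_html): void {
    // The header must be set per request, never stored with the cached page.
    $nonce = fresh_csp_nonce();
    header('Content-Security-Policy: ' . csp_header_value($nonce));
    echo rewrite_nonces($cached_html, $nonce);
}

// Constructed sample of a cached page whose nonces are stale (hypothetical values).
$stale = '<script nonce="AAAAAAAAAAAAAAAAAAAAAAAAAAAA">init();</script>'
       . "<style nonce='BBBBBBBBBBBBBBBBBBBBBBBBBBBB'>body{margin:0}</style>"
       . '<div data-nonce="leave-me-alone"></div>';

// Quick self-check: both tag nonces are replaced, the unrelated attribute is not.
$n   = fresh_csp_nonce();
$out = rewrite_nonces($stale, $n);
var_dump(substr_count($out, $n) === 2 && strpos($out, 'leave-me-alone') !== false);
```

Any inline script or style whose tag the pattern does not match keeps its stale nonce and will be blocked by the browser, so the pattern has to cover every tag the page actually emits.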
Hello @psykonevro
I understand this and W3 Total Cache will be compatible and it also has its own CSP feature.
The problem is that it is not working with your use case and Page Caching.
Thanks!
Dear @vmarko,
I’m not sure I understand. What specific settings do I use that prevent CSP from working with W3TC? In other words, what settings do you expect to be working with CSP?
Nonces are a core feature of CSP, implemented for 4 years… is that what you’re referring to?
The topic ‘Content security policy and nonces’ is closed to new replies.