英文:
Can a nonce be used for multiple scripts or not?
问题
背景
大约一年前,我们公司在所有数字工具上实施了内容安全策略(CSP)。每个数字工具都是一个express.js + react应用程序。我们为webpack生成的每个块(应用程序和供应商)生成了两个仅使用一次的数字(nonce)。我们之所以这样做,是因为以下指南说“每个HTTP请求必须使用不同的nonce。”(<https://content-security-policy.com/nonce/>)。
我们认为这是明确的规则,直到我们开始在一些最近的项目中使用Next.JS。Next.JS只能使用一个nonce来生成每个脚本/块。您在中间件中创建一个nonce,然后将其传递给<NextScripts />
在_document文件中。这使我们对情况的理解变得模糊,尤其是乍一看,似乎没有人对此实施有问题。Next.js也成为了行业的首选。我们对单个nonce感到不满意,但我们将其放在一边并接受了它。
快进到最近几周,我们开始进一步拆分我们的express应用程序,并决定每个块都应该有一个nonce,这与Next.JS相冲突。这使我考虑是否应该放弃我们的Next.JS应用程序,回到我们早期的堆栈,因为CSP对我们来说非常重要。
问题
我的问题实际上是为了澄清情况而提出的:
- 一个nonce是否可以多次使用,只要它在服务器/中间件上动态生成,然后传递给脚本?
- 在Next.JS中无法传递多个nonce是一种设计选择,最终使其不符合CSP标准(因此不应该被任何试图实施正确CSP的人使用)吗?
- 在分组时,每个组内的块是否应该有一个nonce,还是该组应共享一个nonce?
英文:
Background
A year or so ago, my company implemented CSP across all of our digital tools. Every digital tool was an express.js + react application. We generate two nonces (number only used once), one for each chunk generated by webpack (app & vendor). We did this because of the following guide saying "Each HTTP request must use a separate nonce." (<https://content-security-policy.com/nonce/>).
We believed that was the definitive rule until we began to use Next.JS for some of our more recent projects. Next.JS uses (and can only use) a singular nonce for every script/chunk it generates. You create a nonce in middleware, then pass it to <NextScripts />
in the _document file. This has muddied the waters of our understanding, especially as it seems at a glance, no one has a problem with this implementation. Next.js is becoming an industry go to as well. We were not comfortable with the single nonce, but we put it to one side and accepted it.
Fast forward to the last few weeks, we begun code splitting our express apps further and we have decided that each chunk SHOULD have a nonce, which then flies against Next.JS. Its making me consider whether we should scrap our Next.JS apps and go back to our earlier stack as CSP is incredibly important to us.
Questions
My questions really are thus and are being asked for clarity on the situation:
- Can a nonce be used more than once, as long as its dynamically generated on the server/middleware before being passed to the scripts?
- Is the inability to pass multiple nonces in Next.JS a design choice that ultimately makes it not CSP compliant (And thus should not be used by anyone trying to implement correct CSP)?
- When chunking into groups, should each chunk within a group have a nonce OR should the group share a nonce?
答案1
得分: 2
> 能否重复使用一次性令牌,只要在传递给脚本之前在服务器/中间件上动态生成?
是的,在单个页面实例内多次使用相同的一次性令牌是可以的。关于“每个HTTP [响应]必须使用单独的一次性令牌”的正确建议是指包含nonce
属性的响应文档,而不是对子资源的请求。
> Next.JS无法传递多个一次性令牌是一种设计选择,最终使其不符合CSP标准吗(因此不应该被任何试图实施正确CSP的人使用)?
不是的,请参考第1点。
> 在分组时,每个组内的每个块是否应该具有一次性令牌,还是组应该共享一个一次性令牌?
从技术上讲,为每个组使用不同的一次性令牌并不是错误的,但这是不划算的。所有这些一次性令牌都会占用标头空间,它们必须足够长,以避免被随机猜测(允许多个有效的一次性令牌会使这个问题稍微加重)。
英文:
> Can a nonce be used more than once, as long as its dynamically generated on the server/middleware before being passed to the scripts?
Yes, it’s fine to use the same nonce more than once within a single instance of a page. Correct advice along the lines of “each HTTP [response] must use a separate nonce” refers to the response document containing the nonce
attributes, not the requests for subresources.
> Is the inability to pass multiple nonces in Next.JS a design choice that ultimately makes it not CSP compliant (And thus should not be used by anyone trying to implement correct CSP)?
No, see point 1.
> When chunking into groups, should each chunk within a group have a nonce OR should the group share a nonce?
It’s not incorrect per se to use a different nonce for each group, but it’s wasteful. All those nonces take up space in the header, and they have to be long enough to avoid being randomly guessed (which is a problem made slightly worse by allowing multiple valid nonces).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论