CSP docs are a little unclear - can I help improve them?

[johnnyreilly]

First of all, thank you for Material UI - I love it; it's super cool!

I've been looking into how to support CSP with Material UI; specifically using a style-src. I've been reading the docs here: https://material-ui.com/styles/advanced/#content-security-policy-csp

They start off great but I must confess to getting a little lost by the end. Having spent a bunch of time googling and seeing others who also seem to be a little confused.

See:

• this stack overflow question: https://stackoverflow.com/questions/49125561/how-can-i-set-a-nonce-in-material-ui-for-the-content-security-policy
• this hacker news discussion for instance: https://news.ycombinator.com/item?id=19069255
• github issue: Using this plugin with webpack, material-ui withStyles slackhq/csp-html-webpack-plugin#38
• Hash-based CSP support cssinjs/jss#814

I thought I'd see if I could start a discussion with the desire of discovering the answer and hopefully using that to subsequently improving the docs 🤗

The part where the docs start to get a little mysterious is here:

Then, you must pass this nonce to JSS so it can add it to subsequent <style> tags. The client-side gets the nonce from a header. You must include this header regardless of whether or not SSR is used.

<meta property="csp-nonce" content={nonce} />

This is not particularly clear to me; the "you must pass this nonce to JSS". How exactly does this happen? Is the idea that our page.html should include this meta property in the head? Like this:

<head>
<meta property="csp-nonce" content="123354-i-am-a-nonce" />
</head>

And that JSS looks for a csp-nonce meta property by default?

i.e. There's no need to write a line of code that says "hey JSS, this is the nonce you need", rather that JSS will by convention look for the csp-nonce meta property in your html>head when it boots and use the value as a nonce if it is found.

Or am I totally barking up the wrong tree? Totally possible!

It's worth saying that the JSS docs are similarly somewhat ambiguous: https://cssinjs.org/csp/?v=v10.0.0

Finally I'm wondering whether it's worth mentioning approaches around hashing in the docs:

https://github.com/slackhq/csp-html-webpack-plugin

I don't know enough around this topic to say though.

[oliviertassinari]

@johnnyreilly Thank you for raising this concern. Security is too often overlooked. To be honest, the last time I have faced this problem, I ended up using the following:

import helmet from 'helmet'

// ...

const app = express()

app.use(
  helmet({
    // TODO Should we restrict the policy ?
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ['*', 'blob:'], // Blob for upload support
        styleSrc: ['*', "'unsafe-inline'"],
        scriptSrc: ['*', "'unsafe-inline'", "'unsafe-eval'"],
        frameAncestors: ["'none'"],
        reportUri: config.get('sentry.reportCSP'),
      },
      // Don't support old version and help with CDN
      browserSniff: false,
      disableAndroid: true,
    },
    frameguard: {
      action: 'deny', // Disallow embedded iframe
    },
  })
)

And that JSS looks for a csp-nonce meta property by default?

Yes, you are right, it's the message we have tried to communicate. Do you think that we could improve the wording?

I have seen a related issue in styled-components/styled-components#2363. It doesn't seem to be a concern a lot of people handle/try to handle.
As far as I understand the concern, the only way to make this policy effective is to have a random dynamic nonce value. It needs to change frequently.

Regarding our documentation, we don't do anything about it: https://securityheaders.com/?q=https%3A%2F%2Fmaterial-ui.com%2F&followRedirects=on.

[johnnyreilly]

Yes, you are right, it's the message we have tried to communicate. Do you think that we could improve the wording?

Awesome - that's good. Yes I think the wording could be made more explicit that that's the case. For instance, as I read the original I was wondering if:

1. JSS was going to read the nonce from a response header or a meta tag in the head of the HTML. It turns out it's the latter but I wasn't sure.
2. It wasn't clear to me that JSS was looking for this particular header; that it was a default behaviour of JSS.
3. That the example read <meta property="csp-nonce" content={nonce} /> rather than an example of what a meta tag might look like confused me a little. I'm a simple man 😄

Perhaps the wording could be expanded to something like:

---

Then, you must pass this nonce to JSS so it can add it to subsequent <style> tags.

The way that you do that is by passing a <meta property="csp-nonce" content={nonce} /> tag in the <head> of your HTML. JSS then will, by convention, look for a <meta property="csp-nonce" tag and use the content value as the nonce.

You must include this header regardless of whether or not SSR is used.

<head>
<!-- ... -->
<meta property="csp-nonce" content="this-is-a-nonce-123" />
<!-- ... -->
</head>

---

What do you think?

[oliviertassinari]

I think that the proposal will help 👍. Do you want to open à pull request? :)

[johnnyreilly]

Yeah I'll try to. Crazy busy right now though - ping me if I forget

[jessewoo]

hi @johnnyreilly - I'm developing with a standard stack with Create React App (CRA) with Material UI (MUI) running with CSP that the security team wanted to put in place, but it's failing with 'style-src' with inline css because MUI has components with inline styling. Wondering if that's something that you ran into. I've been looking around for solution but I too am feeling lost.

[oliviertassinari]

There is still an open discussion about it in #19938.