Rubin Shrestha
Zend certified PHP/Magento developer
Rubin Shrestha
Blog

CSP – Host whitelists can frequently be bypassed. Usage of nonce or hash: strict-dynamic

by |Published

As per https://csp-evaluator.withgoogle.com/ whitelisted hosts can frequently be bypassed, i.e. google and adobe. Is there any way to use strict-dynamic (either with hash or nonce) for script-src policy applicable to vendor modules?
I have also an issue with Chrome (Safari and Firefox don’t report errors) when CSP is in strict mode with following policy:

    <policy id="script-src">
        <values>
            <value id="google-analytics" type="host">*.google-analytics.com</value>
            <value id="google" type="host">*.google.com</value>
            <value id="gstatic" type="host">*.gstatic.com</value>
            <value id="fontawesome" type="host">*.fontawesome.com</value>
            <value id="smartsuppcdn" type="host">*.smartsuppcdn.com</value>
            <value id="smartsuppchat" type="host">*.smartsuppchat.com</value>
            <value id="int-script" type="host">'self'</value>
        </values>
    </policy>

Reported error:

require.min.js:120 GET
https://domain.com/static/version1656022577/frontend/child/luxury/en_GB/domReady.min.js
net::ERR_ABORTED 404 req.load @ require.min.js:120 load @
require.min.js:112 load @ require.min.js:55 fetch @ require.min.js:55
check @ require.min.js:56 enable @ require.min.js:73 enable @
require.min.js:101 callPlugin @ require.min.js:71 fetch @
require.min.js:55 check @ require.min.js:56 enable @ require.min.js:73
enable @ require.min.js:101 (anonymous) @ require.min.js:73
(anonymous) @ require.min.js:11 each @ require.min.js:3 enable @
require.min.js:71 init @ require.min.js:54 (anonymous) @
require.min.js:97 setTimeout (async) req.nextTick @ require.min.js:117
localRequire @ require.min.js:97 requirejs @ require.min.js:117
(anonymous) @ VM8408:1 (anonymous) @ (index):1049 (anonymous) @
(index):1050 require.min.js:16 Uncaught Error: Script error for:
domReady http://requirejs.org/docs/errors.html#scripterror
at makeError (require.min.js:16:53)
at HTMLScriptElement.onScriptError (require.min.js:112:456)

In general, Csp causes (in Chrome only) 404 error for js resource by changing correct path for domReady.min.js
/static/version1656022577/frontend/child/luxury/en_GB/requirejs/domReady.min.js
to invalid one:
/static/version1656022577/frontend/child/luxury/en_GB/domReady.min.js
How to fix it?

You may also like