Turbo executes scripts that violate CSP if csp-nonce meta tag is present #1476
Description
Context
If a page has a Content Security Policy (CSP) with a nonce value for scripts, only scripts carrying that nonce should be executed. This means that if there is an XSS vulnerability in a page, the injected scripts will not run.
Some script loaders will add a nonce value to scripts so that they can run if there is a <meta name="csp-nonce">. This is OK for loading a known list of safe scripts, but it circumvents the purpose of a CSP if done for every script in some HTML.
Problem
If a page has a <meta name="csp-nonce"> tag, Turbo will apply that nonce to all scripts. This means that scripts that would be blocked on a normal browser page load will execute if that page is loaded with Turbo, so pages are no longer protected from XSS by the CSP.
Expected Behaviour
When a CSP has a nonce value for scripts and a page has a csp-nonce meta tag, scripts should only be executed if they have a valid nonce.
Possible Solution
Update src/utils.js:activateScriptElement to preserve the original script's nonce instead of applying the meta tag's nonce to every script.
// copyElementAttributes is defined alongside this function in src/utils.js
export function activateScriptElement(element) {
  if (element.getAttribute("data-turbo-eval") == "false") {
    return element
  } else {
    const createdScriptElement = document.createElement("script")
    createdScriptElement.textContent = element.textContent
    createdScriptElement.async = false
    copyElementAttributes(createdScriptElement, element)
    // Browsers hide the nonce attribute once the original element has been
    // processed, so copyElementAttributes cannot see it; the IDL property
    // still exposes the value. Only the script's own nonce is carried over,
    // never the page-wide value from <meta name="csp-nonce">.
    if (element.nonce) {
      createdScriptElement.setAttribute("nonce", element.nonce)
    }
    return createdScriptElement
  }
}
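To gauge exposure to the problem described above, it helps to know which scripts in a server response a browser would refuse on a full page load but which affected Turbo versions would run anyway. The following is an added audit helper, not Turbo's code: it reads the nonce(s) from a CSP header's script-src directive and lists the script elements in an HTML document whose nonce attribute does not match. The HTML and CSP values are constructed for the example, and the regex-based tag parsing handles only simple script tags and nonce-only policies (no 'unsafe-inline' or 'strict-dynamic'), which is an assumption of this example rather than a complete CSP evaluator.

```javascript
// Added audit example (not Turbo's code). Lists <script> elements a
// nonce-based CSP would block on a normal page load; under the bug in this
// issue, Turbo would execute them after a visit to a page carrying
// <meta name="csp-nonce">.
// Assumption: regex-based parsing of simple <script> tags and a policy that
// relies on nonces only (no 'unsafe-inline' / 'strict-dynamic' handling).

// Extract the nonce values from script-src, falling back to default-src.
function allowedScriptNonces(cspHeader) {
  const byName = {};
  for (const directive of cspHeader.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    byName[name.toLowerCase()] = sources;
  }
  const sources = byName["script-src"] || byName["default-src"] || [];
  return sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
}

// Parse <script ...>body</script> occurrences into { attrs, body } records.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    scripts.push({ attrs, body: m[2].trim() });
  }
  return scripts;
}

// Scripts whose nonce matches none of the policy's nonces: a browser blocks
// these on a full load, so they are the ones to worry about under the bug.
function scriptsBlockedByCsp(html, cspHeader) {
  const nonces = allowedScriptNonces(cspHeader);
  return extractScripts(html).filter(
    (s) => !nonces.includes(s.attrs.nonce ?? "")
  );
}

// Constructed sample: one legitimate script plus two that lack a valid nonce
// (the kind an XSS flaw in user-supplied content could introduce).
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const SAMPLE_HTML = `
<head>
  <meta name="csp-nonce" content="r4nd0m">
  <script nonce="r4nd0m">window.app = "ok";</script>
</head>
<body>
  <div class="comment">
    <script>console.log("injected, no nonce")</script>
    <script nonce="guess">console.log("injected, wrong nonce")</script>
  </div>
</body>`;

const blocked = scriptsBlockedByCsp(SAMPLE_HTML, SAMPLE_CSP);
console.log(`${blocked.length} script(s) would be blocked by the CSP:`);
for (const s of blocked) {
  console.log(`  nonce=${JSON.stringify(s.attrs.nonce ?? null)} body=${s.body}`);
}
```

Run it against a real response by passing the HTML body and the Content-Security-Policy header your server sends; any entry it reports is a script that only the bug would let execute, so a non-empty result on a page that contains user-controlled markup is the signal to upgrade or patch.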