generate nonce per request; config is a string (again); added playwright test to verify subsequent requests return a different nonce.

Author: guspower

src/app_config.rs

@@ -1,4 +1,4 @@
-use crate::webserver::content_security_policy::ContentSecurityPolicy;
+use crate::webserver::content_security_policy::DEFAULT_CONTENT_SECURITY_POLICY;
 use crate::webserver::routing::RoutingConfig;
 use anyhow::Context;
 use clap::Parser;
@@ -247,7 +247,7 @@ pub struct AppConfig {
     /// Content-Security-Policy header to send to the client.
     /// If not set, a default policy allowing scripts from the same origin is used and from jsdelivr.net
     #[serde(default = "default_content_security_policy")]
-    pub content_security_policy: ContentSecurityPolicy,
+    pub content_security_policy: String,
 
     /// Whether `sqlpage.fetch` should load trusted certificates from the operating system's certificate store
     /// By default, it loads Mozilla's root certificates that are embedded in the `SQLPage` binary, or the ones pointed to by the
@@ -513,8 +513,8 @@ fn default_compress_responses() -> bool {
     true
 }
 
-fn default_content_security_policy() -> ContentSecurityPolicy {
-    ContentSecurityPolicy::default()
+fn default_content_security_policy() -> String {
+    String::from(DEFAULT_CONTENT_SECURITY_POLICY)
 }
 
 fn default_system_root_ca_certificates() -> bool {

src/render.rs

@@ -92,6 +92,9 @@ impl HeaderContext {
     ) -> Self {
         let mut response = HttpResponseBuilder::new(StatusCode::OK);
         response.content_type("text/html; charset=utf-8");
+        request_context
+            .content_security_policy
+            .apply_to_response(&mut response);
         Self {
             app_state,
             request_context,

src/webserver/content_security_policy.rs

@@ -1,59 +1,51 @@
 use actix_web::http::header::{
     HeaderName, HeaderValue, TryIntoHeaderPair, CONTENT_SECURITY_POLICY,
 };
+use actix_web::HttpResponseBuilder;
 use awc::http::header::InvalidHeaderValue;
 use rand::random;
-use serde::Deserialize;
 use std::fmt::{Display, Formatter};
 
-#[derive(Debug, Deserialize, Clone, PartialEq)]
-#[serde(from = "String")]
+pub const DEFAULT_CONTENT_SECURITY_POLICY: &str = "script-src 'self' 'nonce-{NONCE}'";
+
+#[derive(Debug, Clone)]
 pub struct ContentSecurityPolicy {
     pub nonce: u64,
-    value: String,
+    policy: String,
 }
 
 impl ContentSecurityPolicy {
-    #[must_use]
-    pub fn is_enabled(&self) -> bool {
-        !self.value.is_empty()
-    }
-
-    fn new<S: Into<String>>(value: S) -> Self {
+    pub fn new<S: Into<String>>(policy: S) -> Self {
         Self {
             nonce: random(),
-            value: value.into(),
+            policy: policy.into(),
         }
     }
 
+    pub fn apply_to_response(&self, response: &mut HttpResponseBuilder) {
+        if self.is_enabled() {
+            response.insert_header(self);
+        }
+    }
+
+    fn is_enabled(&self) -> bool {
+        !self.policy.is_empty()
+    }
+
     #[allow(dead_code)]
     fn set_nonce(&mut self, nonce: u64) {
         self.nonce = nonce;
     }
 }
 
-impl Default for ContentSecurityPolicy {
-    fn default() -> Self {
-        Self::new("script-src 'self' 'nonce-{NONCE}'")
-    }
-}
-
 impl Display for ContentSecurityPolicy {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
-        let value = self
-            .value
-            .replace("{NONCE}", self.nonce.to_string().as_str());
+        let value = self.policy.replace("{NONCE}", &self.nonce.to_string());
 
         write!(f, "{value}")
     }
 }
 
-impl From<String> for ContentSecurityPolicy {
-    fn from(input: String) -> Self {
-        ContentSecurityPolicy::new(input)
-    }
-}
-
 impl TryIntoHeaderPair for &ContentSecurityPolicy {
     type Error = InvalidHeaderValue;
 
@@ -70,38 +62,40 @@ mod tests {
     use super::*;
 
     #[test]
-    fn default_csp_contains_random_nonce() {
-        let mut csp = ContentSecurityPolicy::default();
+    fn default_csp_response_contains_random_nonce() {
+        let mut csp = ContentSecurityPolicy::new(DEFAULT_CONTENT_SECURITY_POLICY);
         csp.set_nonce(0);
 
-        assert_eq!(csp.to_string().as_str(), "script-src 'self' 'nonce-0'");
         assert!(csp.is_enabled());
+        assert_eq!(&csp.to_string(), "script-src 'self' 'nonce-0'");
     }
 
     #[test]
-    fn custom_csp_without_nonce() {
-        let csp: ContentSecurityPolicy = String::from("object-src 'none';").into();
-        assert_eq!("object-src 'none';", csp.to_string().as_str());
+    fn custom_csp_response_without_nonce() {
+        let csp = ContentSecurityPolicy::new("object-src 'none';");
+
         assert!(csp.is_enabled());
+        assert_eq!("object-src 'none';", &csp.to_string());
     }
 
     #[test]
-    fn blank_csp() {
-        let csp: ContentSecurityPolicy = String::from("").into();
-        assert_eq!("", csp.to_string().as_str());
+    fn blank_csp_response() {
+        let csp = ContentSecurityPolicy::new("");
+
         assert!(!csp.is_enabled());
+        assert_eq!("", &csp.to_string());
     }
 
     #[test]
     fn custom_csp_with_nonce() {
-        let mut csp: ContentSecurityPolicy =
-            String::from("script-src 'self' 'nonce-{NONCE}'; object-src 'none';").into();
+        let mut csp =
+            ContentSecurityPolicy::new("script-src 'self' 'nonce-{NONCE}'; object-src 'none';");
         csp.set_nonce(0);
 
+        assert!(csp.is_enabled());
         assert_eq!(
             "script-src 'self' 'nonce-0'; object-src 'none';",
             csp.to_string().as_str()
         );
-        assert!(csp.is_enabled());
     }
 }

src/webserver/http.rs

@@ -175,7 +175,9 @@ async fn render_sql(
     actix_web::rt::spawn(async move {
         let request_context = RequestContext {
             is_embedded: req_param.get_variables.contains_key("_sqlpage_embed"),
-            content_security_policy: app_state.config.content_security_policy.clone(),
+            content_security_policy: ContentSecurityPolicy::new(
+                &app_state.config.content_security_policy,
+            ),
         };
         let mut conn = None;
         let database_entries_stream =
@@ -467,7 +469,7 @@ pub fn create_app(
         // when receiving a request outside of the prefix, redirect to the prefix
         .default_service(fn_service(default_prefix_redirect))
         .wrap(Logger::default())
-        .wrap(default_headers(&app_state))
+        .wrap(default_headers())
         .wrap(middleware::Condition::new(
             app_state.config.compress_responses,
             middleware::Compress::default(),
@@ -504,14 +506,9 @@ pub fn payload_config(app_state: &web::Data<AppState>) -> PayloadConfig {
     PayloadConfig::default().limit(app_state.config.max_uploaded_file_size * 2)
 }
 
-fn default_headers(app_state: &web::Data<AppState>) -> middleware::DefaultHeaders {
+fn default_headers() -> middleware::DefaultHeaders {
     let server_header = format!("{} v{}", env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION"));
-    let mut headers = middleware::DefaultHeaders::new().add(("Server", server_header));
-    let csp = &app_state.config.content_security_policy;
-    if csp.is_enabled() {
-        headers = headers.add(csp);
-    }
-    headers
+    middleware::DefaultHeaders::new().add(("Server", server_header))
 }
 
 pub async fn run_server(config: &AppConfig, state: AppState) -> anyhow::Result<()> {

tests/end-to-end/official-site.spec.ts

@@ -158,6 +158,13 @@ test("no console errors on card page", async ({ page }) => {
   await checkNoConsoleErrors(page, "card");
 });
 
+test("CSP issues unique nonces per request", async ({page}) => {
+  let csp1 = await (await page.goto(BASE)).headerValue("content-security-policy");
+  let csp2 = await (await page.reload()).headerValue("content-security-policy");
+
+  expect(csp1, `check if ${csp1} != ${csp2}`).not.toEqual(csp2);
+});
+
 test("form component documentation", async ({ page }) => {
   await page.goto(`${BASE}/component.sql?component=form`);