public final class ContentSecurityPolicyPass extends Object

`<script>` and `<style>` elements and inline event handler and style attributes so that the browser can distinguish scripts specified by the template author from ones injected via XSS.

This class converts templates by adding `nonce="..."` to `<script>` and `<style>` elements, so `<script>...</script>` becomes `<script{if $ij.csp_nonce} nonce="{$ij.csp_nonce}"{/if}>...</script>`, which authorizes those scripts in HTML pages that are governed by a Content Security Policy.

This class assumes that the value of `$ij.csp_nonce` will either be null or a valid CSP-style "nonce", an unguessable string consisting of Latin alphanumeric characters, plus ('+'), and solidus ('/'):

    nonce-value = 1*( ALPHA / DIGIT / "+" / "/" )

If inline event handlers or styles are used, then the page should also load `security.CspVerifier`, which verifies event handler values.

This class does not add any `<meta http-equiv="content-security-policy" ...>` elements to the template. The application developer must specify the CSP policy headers and include the nonce there.

Nonces should be of sufficient length, and from a crypto-strong source of randomness. The stock `java.util.Random` is not strong enough, though a properly seeded `SecureRandom` is ok.
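An added example (not code from the Closure Templates project) of the application-side plumbing this page expects: a `SecureRandom` nonce shaped to the documented grammar, the CSP header the developer must send since the pass emits no `<meta>` tag, and the `$ij` map that supplies `csp_nonce`. The class and method names, the 16-byte nonce length and the exact header directives are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical per-request nonce helpers for templates rewritten by ContentSecurityPolicyPass. */
public final class CspNonceSupport {
  // Crypto-strong and self-seeded; java.util.Random would be guessable.
  private static final SecureRandom RANDOM = new SecureRandom();
  // Shape the pass documents: nonce-value = 1*( ALPHA / DIGIT / "+" / "/" )
  private static final Pattern NONCE_VALUE = Pattern.compile("[A-Za-z0-9+/]+");

  /** 128 random bits, base64 without '=' padding so the result matches NONCE_VALUE. */
  public static String newNonce() {
    byte[] bytes = new byte[16]; // assumed length; 16 bytes encode to 22 characters
    RANDOM.nextBytes(bytes);
    return Base64.getEncoder().withoutPadding().encodeToString(bytes);
  }

  /** Rejects values that would break the nonce="..." attribute or the CSP header. */
  public static boolean isValidNonce(String nonce) {
    return nonce != null && NONCE_VALUE.matcher(nonce).matches();
  }

  /** Header value the application sends; directives are an assumed minimal policy. */
  public static String cspHeaderValue(String nonce) {
    if (!isValidNonce(nonce)) {
      throw new IllegalArgumentException("nonce does not match nonce-value grammar");
    }
    return "script-src 'nonce-" + nonce + "'; style-src 'nonce-" + nonce + "'; object-src 'none'";
  }

  /** Injected data for rendering; the key is the unprefixed name behind $ij.csp_nonce. */
  public static Map<String, Object> injectedData(String nonce) {
    return Collections.singletonMap("csp_nonce", nonce);
  }

  public static void main(String[] args) {
    String nonce = newNonce();
    System.out.println("Content-Security-Policy: " + cspHeaderValue(nonce));
    // What a <script> element renders as once the pass has run and $ij.csp_nonce is set:
    System.out.println("<script nonce=\"" + nonce + "\">...</script>");
  }
}
```

The same nonce must appear in both the header and the injected data for a single response; reusing one across requests defeats the point.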

Modifier and Type | Field and Description
---|---
static String | `CSP_NONCE_VARIABLE_NAME`: The unprefixed name of the injected variable that holds the CSP nonce value for the page.

Modifier and Type | Method and Description
---|---
static void | `blessAuthorSpecifiedScripts(Iterable<? extends SlicedRawTextNode> slicedRawTextNodes)`: Add attributes to author-specified scripts and styles so that they will continue to run even though the browser's CSP policy blocks injected scripts and styles.

    public static final String CSP_NONCE_VARIABLE_NAME

    public static void blessAuthorSpecifiedScripts(Iterable<? extends SlicedRawTextNode> slicedRawTextNodes)