
Incompatible with a content-security-policy which does not allow script-src: unsafe-inline

Open ragnarkarlsson opened this issue 7 years ago • 3 comments

Whilst trying to tighten up my CSP, I've noticed that the plugin generates an inline script which is unique on each page load to define u2fL10n. Without running script-src: unsafe-inline this means it is impossible to provide a hash, and the inclusion of script nonces (https://core.trac.wordpress.org/ticket/39941) has potential problems. Can this JS not be created on the fly and included rather than inlined?

ragnarkarlsson, May 31 '18 21:05

Thanks for opening the issue @ragnarkarlsson!

The plugin uses core wp_localize_script() to include some of the dynamic variables necessary for the U2F to work:

https://github.com/georgestephanis/two-factor/blob/c220afbc9464f07abef6dd961da7d09857544272/providers/class.two-factor-fido-u2f-admin.php#L83-L102

Since all of this is dynamic for each user we can't make it static or move to a file. Looks like fixing this for core with the added nonce attribute to <script> would also solve it here. Do you have other suggestions on how to approach this?

kasparsd, Jun 01 '18 11:06

Hmm, I'm afraid my development days are a little behind me and I'm now in security so I may not be much help!

Would it be possible to ajax the u2fL10n var? https://developer.wordpress.org/reference/functions/wp_localize_script/#comment-1391 That way it'd be possible to have a single hash required in the CSP, instead of unsafe-inline ... I think?

unsafe-inline presents various XSS possibilities, hence why I'd like to eliminate it. I don't like the idea of dropping U2F in favour of a tighter CSP.

I've made a comment regarding the nonce value on the trac; it could easily be overwritten (I tested this last night) if a security plugin then defines a new CSP after core outputs a very slimline CSP, so I'm not convinced atm it'll solve this issue.

ragnarkarlsson, Jun 01 '18 11:06

Atm WordPress is not compatible with a CSP that has unsafe-inline disabled.

The wp localize script does not yet support the nonce(s) required for a CSP with unsafe-inline disabled, so there isn't anything that can be done to fix this if WordPress compatibility is to be kept (the only option would be a custom localize script, but then again that is against WP core policies requiring scripts to be completely dequeueable using standard measures).

Furthermore, WP uses so many inline scripts that you will not only have a problem here, but in about 100 other places of WP too. So I think it's not worth fixing that now, but rather pushing WP core to implement the CSP nonce in their wp_localize_script function.

kkmuffme, Nov 28 '18 15:11

U2F is deprecated and no longer works in Chrome, so the provider is being removed in #439 . Given that, there's probably no reason to keep this open anymore.

iandunn, Oct 20 '22 14:10