Add nonce support to bootstrap scripts and external runtime

[danieltott]

Summary

When using a Content Security Policy with the strict-dynamic source list keyword, all other non-nonce keywords and sources are ignored, specifically 'self'. This means that scripts that are inserted via <script src=... /> into the HTML violate the content security policy.

This fix also supports CSPs that are not using strict-dynamic, but are using nonce-xxx sources

Right now the render functions (renderToReadableStream, renderToPipeableStream etc) via createResponseState add the nonce attribute to inline scripts set in bootstrapScriptContent, but not scripts via bootstrapScripts and bootstrapModules. Also missing the nonce value are external runtime scripts, as well as scripts rendered at runtime that could be rendered on the server.

Adding nonce support to those scripts will allow them to pass a content-security-policy that uses strict-dynamic.

Related issues:

• closes Bug: React 18 renderToPipeableStream missing support for nonce for bootstrapScripts and bootstrapModules #24883
• Discussion and related issue in: Bug: Support nonce for streaming scripts #26026
• Inline scripts generated as a result of appDir preventing use of strict CSP vercel/next.js#43743

Changes:

• Add nonce to bootstrap scripts/modules in ReactFizzConfigDOM -> createResponseState()
• Add nonce property to the return object for createResponseState()
• Pass nonce prop to internalPreinitScript() (external runtime scripts)
• Inject nonce prop in pushStartInstance() where type=='script' if it exists in responseState (removed based on Add nonce support to bootstrap scripts and external runtime #26738 (comment))
• Updated FizzTestUtils.js to re-add nonce attribute after executing inline scripts

How did you test this change?

I added the following tests:

• ReactDOMFizzServer-test - it should render scripts with nonce added
  Test that nonce values are applied correctly in rendered scripts
• ReactDOMFizzServer-test - it should support nonce for bootstrap and runtime scripts
  Update the existing nonce test to test all bootstrap scripts, as well as the runtime script

[react-sizebot]

Comparing: 18282f8...d2d41c4

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.min.js	=	164.04 kB	164.04 kB	=	51.72 kB	51.72 kB
oss-experimental/react-dom/cjs/react-dom.production.min.js	=	170.34 kB	170.34 kB	=	53.63 kB	53.63 kB
facebook-www/ReactDOM-prod.classic.js	=	567.04 kB	567.04 kB	=	100.16 kB	100.16 kB
facebook-www/ReactDOM-prod.modern.js	=	550.78 kB	550.78 kB	=	97.36 kB	97.36 kB

Significant size changes

Includes any change greater than 0.2%:

(No significant changes)

Generated by 🚫 dangerJS against d2d41c4

[gaearon]

Seems like PROD tests fail?

[danieltott]

@gaearon I see that! Looking into it now...

[danieltott]

@gaearon all fixed 👍

[gnoff]

@danieltott what’s the rationale for automatically applying the nonce to all scripts? Also there are hydration implications because attributes are validated in dev. From a. Security angle it seems good that you need to opt your scripts into being nonced then again if you have a supply chain attack taking advantage of this auto nonce then they can also do a lot of other bad things

[gnoff]

Precomputed chunks are generally constructed in module scope. The idiomatic way of doing this is to break these chunks up in a static-dynamic-static sandwich

[danieltott]

@gnoff I updated the code to sandwich style 🥪

I had originally based my code on the pre-existing nonce setup for inline scripts:

react/packages/react-dom-bindings/src/server/ReactFizzConfigDOM.js

Lines 210 to 215 in b1b1940

	const inlineScriptWithNonce =
	nonce === undefined
	? startInlineScript
	: stringToPrecomputedChunk(
	'<script nonce="' + escapeTextForBrowser(nonce) + '">',
	);

If the updated code looks good, should I apply it there as well?

[gnoff]

This is different. We use this repeatedly when we emit our fizz runtime scripts. The idea with precomputed chunks is you can do the text encoding once (if configured for the host runtime) so we only gain a benefit if the value is reused. pulling the chunk creation to module scope is our way of reusing the chunk which is why I suggested the sandwhich style for your original use case. Here we are getting reuse by referencing this precomputed chunk on each instruction flush but we can't make it in module scope because we embed the nonce within it

[danieltott]

OK - if I understand correctly, this is because you return startInlineScript from createResponseState and use it other places. Since we don't have to do that with src/module scripts, it's actually more efficient to construct them the way you suggested, since we can precompile the nonce= chunk once inside the module. 👍

That was a tough one to wrap my head around but I'm pretty sure I have it - thank you for your explanations 🙌

[danieltott]

what’s the rationale for automatically applying the nonce to all scripts?

@gnoff Honestly I might have gotten a little overzealous here. I was concerned with server-rendered script tags since that is the important thing in strict-dynamic scenarios, but I think you're right that users are free to add nonce=... to their own scripts in the body, and react just needs to make sure automatically-created scripts are handled properly. I'll remove those additions here shortly.

[danieltott]

@gnoff Updated 👍

[gnoff]

Nits but looks good

[gnoff]

I would maybe just do this like the integrity attribute

Suggested change

	if (nonce === undefined) {
	bootstrapChunks.push(
	startModuleSrc,
	stringToChunk(escapeTextForBrowser(src)),
	);
	} else {
	bootstrapChunks.push(
	startModuleSrcWithNonce,
	stringToChunk(escapeTextForBrowser(nonce)),
	middleModuleSrcWithNonce,
	stringToChunk(escapeTextForBrowser(src)),
	);
	}
	bootstrapChunks.push(
	startModuleSrc,
	stringToChunk(escapeTextForBrowser(src))
	);
	if (nonce) {
	bootstrapChunks.push(
	scriptNonce,
	stringToChunk(escapeTextForBrowser(nonce)),
	);
	}

[gnoff]

same recc as for modules

[gnoff]

@danieltott I'll merge once you make those last changes. Or I can make them for you if preferred

[danieltott]

@gnoff makes sense! will update here in a minute

[danieltott]

@gnoff this is all set

[gnoff]

@danieltott congrats on landing! Thanks for making the PR

[danieltott]

@gnoff thank you!! And thank you for your time helping me work through it a bit 🙌

Any idea on release scheduling? Not sure how that sort of thing works with the React codebase/package

[gnoff]

Any idea on release scheduling? Not sure how that sort of thing works with the React codebase/package

It's been a while since we've done a release and we're due for one soon. You'll be able to test our the changes in the next and experimental channels that get published every night and unless this gets reverted it will be included in the next stable however I cannot say when that will be

[danieltott]

@gnoff awesome - thanks again!

[gaearon]

@danieltott

Re: releases, see https://react.dev/blog/2023/05/03/react-canaries