fix

Author: wxiaoguang

modules/markup/external/openapi.go

@@ -72,7 +72,7 @@ func (p *openAPIRenderer) Render(ctx *markup.RenderContext, input io.Reader, out
 </head>
 <body>
 	<div id="swagger-ui"><textarea class="swagger-spec-content" data-spec-filename="%s">%s</textarea></div>
-	<script type="module" src="%s"></script>
+	<script nonce="not-needed" type="module" src="%s"></script>
 </body>
 </html>`,
 		public.AssetURI("css/swagger.css"),

modules/markup/render.go

@@ -248,7 +248,7 @@ func RenderWithRenderer(ctx *RenderContext, renderer Renderer, input io.Reader,
 		extraLinkHref := ctx.RenderOptions.StandalonePageOptions.CurrentWebTheme.PublicAssetURI()
 		// "<script>" must go before "<link>", to make Golang's http.DetectContentType() can still recognize the content as "text/html"
 		// DO NOT use "type=module", the script must run as early as possible, to set up the environment in the iframe
-		extraHeadHTML = htmlutil.HTMLFormat(`<script crossorigin src="%s"></script><link rel="stylesheet" href="%s">`, extraScriptSrc, extraLinkHref)
+		extraHeadHTML = htmlutil.HTMLFormat(`<script nonce="not-needed" crossorigin src="%s"></script><link rel="stylesheet" href="%s">`, extraScriptSrc, extraLinkHref)
 	}
 
 	ctx.usedByRender = true

modules/templates/helper.go

@@ -6,12 +6,10 @@ package templates
 
 import (
 	"fmt"
-	"html"
 	"html/template"
 	"net/url"
 	"strconv"
 	"strings"
-	"sync"
 	"time"
 
 	"code.gitea.io/gitea/modules/base"
@@ -69,8 +67,7 @@ func newFuncMapWebPage() template.FuncMap {
 			return strconv.FormatInt(time.Since(startTime).Nanoseconds()/1e6, 10) + "ms"
 		},
 
-		"AssetURI":     public.AssetURI,
-		"ScriptImport": scriptImport,
+		"AssetURI": public.AssetURI,
 
 		// -----------------------------------------------------------------
 		// setting
@@ -290,30 +287,3 @@ func QueryBuild(a ...any) template.URL {
 	}
 	return template.URL(s)
 }
-
-var globalVars = sync.OnceValue(func() (ret struct {
-	scriptImportRemainingPart string
-},
-) {
-	// add onerror handler to alert users when the script fails to load:
-	// * for end users: there were many users reporting that "UI doesn't work", actually they made mistakes in their config
-	// * for developers: help them to remember to run "make watch-frontend" to build frontend assets
-	// the message will be directly put in the onerror JS code's string
-	onScriptErrorPrompt := `Please make sure the asset files can be accessed.`
-	if !setting.IsProd {
-		onScriptErrorPrompt += `\n\nFor development, run: make watch-frontend.`
-	}
-	onScriptErrorJS := fmt.Sprintf(`alert('Failed to load asset file from ' + this.src + '. %s')`, onScriptErrorPrompt)
-	ret.scriptImportRemainingPart = `onerror="` + html.EscapeString(onScriptErrorJS) + `"></script>`
-	return ret
-})
-
-func scriptImport(path string, typ ...string) template.HTML {
-	if len(typ) > 0 {
-		if typ[0] == "module" {
-			return template.HTML(`<script type="module" src="` + html.EscapeString(public.AssetURI(path)) + `" ` + globalVars().scriptImportRemainingPart)
-		}
-		panic("unsupported script type: " + typ[0])
-	}
-	return template.HTML(`<script src="` + html.EscapeString(public.AssetURI(path)) + `" ` + globalVars().scriptImportRemainingPart)
-}

modules/util/util.go

@@ -6,11 +6,14 @@ package util
 import (
 	"bytes"
 	"crypto/rand"
+	"encoding/hex"
 	"fmt"
 	"math/big"
+	rand2 "math/rand/v2"
 	"slices"
 	"strconv"
 	"strings"
+	"sync"
 
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
@@ -85,10 +88,32 @@ func CryptoRandomString(length int64) (string, error) {
 // CryptoRandomBytes generates `length` crypto bytes
 // This differs from CryptoRandomString, as each byte in CryptoRandomString is generated by [0,61] range
 // This function generates totally random bytes, each byte is generated by [0,255] range
+// TODO: it never fails, remove the "error" in the future
 func CryptoRandomBytes(length int64) ([]byte, error) {
 	buf := make([]byte, length)
-	_, err := rand.Read(buf)
-	return buf, err
+	if _, err := rand.Read(buf); err != nil {
+		panic(err) // this should never happen, "rand.Read" never fails
+	}
+	return buf, nil
+}
+
+var chaCha8Rand = sync.OnceValue(func() *rand2.ChaCha8 {
+	var buf [32]byte
+	_, _ = rand.Read(buf[:])
+	return rand2.NewChaCha8(buf)
+})
+
+func FastCryptoRandomBytes(length int) []byte {
+	// ChaCha8 is about 20x times faster than system's crypto/rand.
+	// It is suitable for UUIDs, session IDs, etc
+	buf := make([]byte, length)
+	_, _ = chaCha8Rand().Read(buf)
+	return buf
+}
+
+func FastCryptoRandomHex(length int) string {
+	buf := FastCryptoRandomBytes(length / 2)
+	return hex.EncodeToString(buf)
 }
 
 // ToLowerASCII returns s with all ASCII letters mapped to their lower case.

routers/web/repo/view.go

@@ -322,7 +322,7 @@ func renderDirectoryFiles(ctx *context.Context, timeout time.Duration) git.Entri
 				}
 			}
 			_ = clearFilesCommitInfo
-			// clearFilesCommitInfo() // TODO: LAST-COMMIT-ASYNC-LOADING: debug the frontend async latest commit info loading, uncomment this line, and it needs more tests
+			clearFilesCommitInfo() // TODO: LAST-COMMIT-ASYNC-LOADING: debug the frontend async latest commit info loading, uncomment this line, and it needs more tests
 		}
 	}
 

services/context/context.go

@@ -63,8 +63,6 @@ type Context struct {
 	Package *Package
 }
 
-type TemplateContext map[string]any
-
 func init() {
 	web.RegisterResponseStatusProvider[*Base](func(req *http.Request) web_types.ResponseStatusProvider {
 		return req.Context().Value(BaseContextKey).(*Base)

services/context/context_template.go

@@ -5,18 +5,25 @@ package context
 
 import (
 	"context"
+	"fmt"
+	"html"
 	"html/template"
 	"net/http"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"code.gitea.io/gitea/modules/httplib"
+	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/webtheme"
 )
 
+type TemplateContext map[string]any
+
 var _ context.Context = TemplateContext(nil)
 
 func NewTemplateContext(ctx context.Context, req *http.Request) TemplateContext {
@@ -83,3 +90,46 @@ func (c TemplateContext) AppFullLink(link ...string) template.URL {
 	}
 	return template.URL(s + strings.TrimPrefix(link[0], "/"))
 }
+
+var globalVars = sync.OnceValue(func() (ret struct {
+	scriptImportRemainingPart string
+},
+) {
+	// add onerror handler to alert users when the script fails to load:
+	// * for end users: there were many users reporting that "UI doesn't work", actually they made mistakes in their config
+	// * for developers: help them to remember to run "make watch-frontend" to build frontend assets
+	// the message will be directly put in the onerror JS code's string
+	onScriptErrorPrompt := `Please make sure the asset files can be accessed.`
+	if !setting.IsProd {
+		onScriptErrorPrompt += `\n\nFor development, run: make watch-frontend.`
+	}
+	onScriptErrorJS := fmt.Sprintf(`alert('Failed to load asset file from ' + this.src + '. %s')`, onScriptErrorPrompt)
+	ret.scriptImportRemainingPart = `onerror="` + html.EscapeString(onScriptErrorJS) + `"></script>`
+	return ret
+})
+
+func (c TemplateContext) ScriptImport(path string, typ ...string) template.HTML {
+	if len(typ) > 0 {
+		if typ[0] == "module" {
+			return template.HTML(`<script nonce="` + c.CspScriptNonce() + `" type="module" src="` + html.EscapeString(public.AssetURI(path)) + `" ` + globalVars().scriptImportRemainingPart)
+		}
+		panic("unsupported script type: " + typ[0])
+	}
+	return template.HTML(`<script nonce="` + c.CspScriptNonce() + `" src="` + html.EscapeString(public.AssetURI(path)) + `" ` + globalVars().scriptImportRemainingPart)
+}
+
+func (c TemplateContext) CspScriptNonce() (ret string) {
+	ret, _ = c["_cspScriptNonce"].(string)
+	if ret == "" {
+		ret = util.FastCryptoRandomHex(32) // 16 bytes / 128 bits entropy
+		c["_cspScriptNonce"] = ret
+	}
+	return ret
+}
+
+func (c TemplateContext) HeadMetaContentSecurityPolicy() template.HTML {
+	return template.HTML(`<meta http-equiv="Content-Security-Policy" content="` +
+		`script-src * 'nonce-` + c.CspScriptNonce() + `';` +
+		`style-src * 'unsafe-inline';` +
+		`">`)
+}

templates/base/footer.tmpl

@@ -9,7 +9,7 @@
 	</div>
 	{{template "custom/body_outer_post" .}}
 	{{template "base/footer_content" .}}
-	{{ScriptImport "js/index.js" "module"}}
+	{{ctx.ScriptImport "js/index.js" "module"}}
 	{{template "custom/footer" .}}
 </body>
 </html>

templates/base/head.tmpl

@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html lang="{{ctx.Locale.Lang}}" data-theme="{{ctx.CurrentWebTheme.InternalName}}">
 <head>
+	{{ctx.HeadMetaContentSecurityPolicy}}
 	<meta name="viewport" content="width=device-width, initial-scale=1">
 	<title>{{if .Title}}{{.Title}} - {{end}}{{.PageTitleCommon}}</title>
 	{{if .ManifestData}}<link rel="manifest" href="data:{{.ManifestData}}">{{end}}

templates/base/head_script.tmpl

@@ -2,7 +2,7 @@
 If you are customizing Gitea, please do not change this file.
 If you introduce mistakes in it, Gitea JavaScript code wouldn't run correctly.
 */}}
-<script>
+<script nonce="{{ctx.CspScriptNonce}}">
 	{{/* before our JS code gets loaded, use arrays to store errors, then the arrays will be switched to our error handler later */}}
 	window.addEventListener('error', function(e) {window._globalHandlerErrors=window._globalHandlerErrors||[]; window._globalHandlerErrors.push(e);});
 	window.addEventListener('unhandledrejection', function(e) {window._globalHandlerErrors=window._globalHandlerErrors||[]; window._globalHandlerErrors.push(e);});
@@ -31,4 +31,4 @@ If you introduce mistakes in it, Gitea JavaScript code wouldn't run correctly.
 	{{/* in case some pages don't render the pageData, we make sure it is an object to prevent null access */}}
 	window.config.pageData = window.config.pageData || {};
 </script>
-{{ScriptImport "js/iife.js"}}
+{{ctx.ScriptImport "js/iife.js"}}