W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 10:05:15 +0000
Message-ID: <AANLkTi=C6N8wdm2qHLpBN7mS2Hc0KoQ=rHyTvmJ0Uhuk@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 27 January 2011 17:11, Gervase Markham <gerv@mozilla.org> wrote:

> On 27/01/11 16:54, Brandon Sterne wrote:
>
>>    c. script-nonce: a nonce which, if present in a<script>  tag will
>>       permit inline script to run
>>
>
> Obviously, I support this idea :-) Although I'm not convinced it needs to
> be in version 1.0.
>
> We will need to specify exactly what "present" means. See:
> http://www.gerv.net/security/script-keys/
> for a few ideas. In particular, you may want to find a way to have the key
> in the tag itself for external scripts, rather than the script. This way,
> people can e.g. include shared copies of web frameworks from Google, and
> also not have to dynamically generate their script files.
>
> Also, I'm not sure "nonce" is the right word.
> http://en.wikipedia.org/wiki/Cryptographic_nonce
> suggests that it's "number used once". As the above document discusses, I
> can see various sites making various trade-offs about how often they change
> the key, based on caching concerns.
>

Ok let me drive this grave error home, if at any point that the script token
becomes session based it's useless. An attacker (me) would inject a HTML
form equivalent based vector to steal all tokens and then inject the same
page with JavaScript. If for some crazy reason you decide to use session
based tokens then you would have to validate all HTML injections but we
don't live in this crazy world and we will never visit it. I suggest no
trade offs.
Received on Friday, 28 January 2011 10:05:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 10:05:49 GMT