Re: ISSUE-4: Policy combination from Adam Barth on 2011-12-09 (public-webappsec@w3.org from December 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 9 Dec 2011 11:14:10 -0800
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Giorgio Maone <g.maone@informaction.com>
Message-ID: <CAJE5ia-PK6k5h70jez-9NcmD_+qBej1NWKQChP+eAMA4sctqUQ@mail.gmail.com>
On Fri, Dec 9, 2011 at 11:01 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
> I have been curious for a while now: in every instance previous to "first-wins", policy combinations resulted in the least privilege implied by the union.  But when an enforceable policy and a report-only policy are both present, report-only gets to override and negate enforcement.  This behavior remains in the new "first-wins" language.

I believe the reverse is true.  If there's at least one
Content-Security-Policy header, the first such header is enforced.  If
there's a Report-Only header, then the first such takes effect only if
there isn't a Content-Security-Policy header.

> What's the reason for this exception to the general philosophy?

The case where it's different is the following:

200 OK blah blah
Content-Security-Policy-Report-Only: default-src 'self'; report-uri
/csp-report.cgi
Content-Security-Policy: default-src 'self'; img-src *; report-uri
/csp-report.cgi

First of all, servers MUST NOT send such responses (they're only
allowed to send one of these headers).  That means the server is
misconfigured, and the safer thing seems to be to actually enforce the
policy.  Otherwise, the site could be running insecurely and the
server operator wouldn't realize it.

> I admit I'm being lazy here in not trawling the archives, but it is at least an on-topic question now. :)

I'm not sure we had a full discussion about it.  That was just the
behavior in the document originally and I preserved it during the
edit.  If folks think some other behavior is better, we can certainly
change the document.

Adam


>> -----Original Message-----
>> From: Adam Barth [mailto:w3c@adambarth.com]
>> Sent: Thursday, December 08, 2011 6:16 PM
>> To: Brandon Sterne
>> Cc: public-webappsec@w3.org; Giorgio Maone
>> Subject: Re: ISSUE-4: Policy combination
>>
>> I've updated the spec reflect the "first-wins" behavior.
>>
>> Adam
>>
>>
>> On Thu, Dec 8, 2011 at 1:57 PM, Brandon Sterne <bsterne@mozilla.com>
>> wrote:
>> > I'm also fine with making the change to Adam's "first-wins" proposal.
>> >
>> > -Brandon
>> >
>> >
>> > ----- Original Message -----
>> > From: "Adam Barth" <w3c@adambarth.com>
>> > To: "Giorgio Maone" <g.maone@informaction.com>
>> > Cc: public-webappsec@w3.org
>> > Sent: Thursday, December 8, 2011 1:16:03 PM
>> > Subject: Re: ISSUE-4: Policy combination
>> >
>> > On Thu, Dec 8, 2011 at 12:55 PM, Giorgio Maone
>> <g.maone@informaction.com> wrote:
>> >> Eric Rescorla wrote, On 08/12/2011 21.32:
>> >>> 1. In the header, a policy which specifies a policy-uri which takes
>> >>> 10 seconds to load. 2. In the body, a meta tag with a complete
>> >>> policy Which one of these did the agent "encounter first"?
>> >>
>> >> The former. And if it times out, enforce default-src 'none'.
>> >
>> > Correct.  policy-uri needs to block processing of the page until the
>> > policy can be fetched anyway.
>> >
>> > Adam
>> >
>> >
>> >> Eric Rescorla wrote, On 08/12/2011 21.32:
>> >>> Is this deterministic? Consider the case where a document has two
>> >>> policies:
>> >>>
>> >>> 1. In the header, a policy which specifies a policy-uri which takes
>> >>> 10 seconds to load. 2. In the body, a meta tag with a complete
>> >>> policy
>> >>>
>> >>> Which one of these did the agent "encounter first"?
>> >>>
>> >>> -Ekr
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Thu, Dec 8, 2011 at 12:10 PM, Giorgio Maone
>> >>> <g.maone@informaction.com>
>> >>> wrote:
>> >>>> +1 for A, first seen wins.
>> >>>>
>> >>>> -- G
>> >>>>
>> >>>> Adam Barth wrote, On 08/12/2011 20.35:
>> >>>>> One of our open issues is about how to deal with multiple CSP
>> >>>>> policies for a given resource.  At TPAC, one resolution we
>> >>>>> discussed was the following:
>> >>>>>
>> >>>>> 1) If a resource has multiple HTTP headers containing CSP
>> >>>>> policies, enforce all of the policies.  Because CSP policies only
>> >>>>> reduce privileges (never grant privileges), that effectively means
>> >>>>> that an action is allowed only if it is allowed by all the CSP policies.
>> >>>>>
>> >>>>> 2) If a resource has a CSP policy from an HTTP header, then we
>> >>>>> ignore any CSP policies that might be contained in <meta> elements.
>> >>>>> Otherwise, the user agent enforces all the CSP policies found in
>> >>>>> <meta> elements.
>> >>>>>
>> >>>>> Another resolution (which I advocate) is the following:
>> >>>>>
>> >>>>> A) The first CSP policy the user agent encounters for a document
>> >>>>> wins.
>> >>>>>
>> >>>>> IMHO, approach (A) is better than approach (1+2) for two reasons.
>> >>>>> First, it's simpler.  CSP is already more complex that it should be.
>> >>>>> Adding more complexity is costly, both now in terms of
>> >>>>> implementation and in the future in terms of constraints.
>> >>>>>
>> >>>>> Second, approach (1+2) constrains future evolution of CSP.  For
>> >>>>> example, suppose we wanted to include
>> >>>>> http://wiki.whatwg.org/wiki/Meta_referrer as a CSP directive.  How
>> >>>>> would we define the combination of policies containing referrer
>> >>>>> directives?  We'd have to define some ordering like "never <
>> >>>>> origin < always", but where does default fit in?
>> >>>>>
>> >>>>> These are, in some sense, the same concern.  We can implement
>> >>>>> combination today, but it imposes constrains on the future that we
>> >>>>> might wish we didn't have later.
>> >>>>>
>> >>>>> Adam
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>
>> >>
>> >
>
Received on Friday, 9 December 2011 19:15:18 UTC