W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2012

Re: The return of script-sample?

From: neil matatall <neil@matatall.com>
Date: Thu, 6 Dec 2012 09:05:23 -0800
To: Adam Barth <w3c@adambarth.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <C08710C87E4843F39F6EA3ED1ECC31CA@matatall.com>
Glad to add it, just waiting on membership. 

- Neil


On Wednesday, December 5, 2012 at 6:48 PM, Adam Barth wrote:

> On Tue, Dec 4, 2012 at 7:17 PM, neil matatall <neil@matatall.com (mailto:neil@matatall.com)> wrote:
> > (late to the party)
> > 
> > I was discussing data-mining capabilities provided from gathering CSP reports with a colleague, and we talked about how only Firefox's implementation will send a script-sample containing 45 characters of the script. We had discussed using the script-samples to build a list of payloads injected and feed them into a WAF like mod-security for signature detection.
> > 
> > Ignoring stances on WAFs and malicious script detection, was there a reason that script-sample in the CSP report was not included in the spec? It helps in identifying legit injections (in the case that unsafe-inline is disabled) and those created by plugins/infected browsers (Chrome makes this easier to filter based on chrome-extensions: which I believe are automatically ignored in Chrome canary). I do see a potential privacy issue here, but if you're not allowing inline script the script-sample certainly won't contain sensitive literals.
> 
> That's certainly an interesting idea and something we should consider for 1.1.
> 
> Would you be willing to add it to
> http://www.w3.org/Security/wiki/Content_Security_Policy under
> "Proposals for Version 1.1"?
> 
> As a side note, we should consider updating this page and using it
> more to organize the various 1.1 proposals...
> 
> Adam 
Received on Thursday, 6 December 2012 17:05:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 6 December 2012 17:05:56 GMT