
Re: Comment on Content Security Policy 1.1, Draft of Dec 12 2012

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 18 Dec 2012 10:38:43 -0800 (PST)
Message-Id: <5732F98B-DC11-4FAE-86A8-DE9EFB26CBC3@mozilla.com>
To: Mike West <mkwst@google.com>
Cc: Florian Lasinger <florian@lasinger.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I think the "or" behavior would be helpful to sites that have sources they don't know about until the last minute (i.e. ad placement). The server could inject a script nonce into the script tag and the csp header. Then it can later fill in the src attribute of the script tag once it knows which ad is going to be placed on the site. With the "and" behavior, the server would have to wait until it has the advertisement before generating the csp header (specifically the script-src directive).

~Tanvi

On Dec 18, 2012, at 6:44 AM, Mike West <mkwst@google.com> wrote:

> Hi Flo, thanks for the feedback. I'll add an example to make the section more clear.
> 
> Regarding the behavior in general, I do think there's room for argument about the interaction between the two directives. The currently specified "and" behavior makes sense to me, and seems to have the best security properties as it asks the developer to explicitly whitelist all possible sources of script for a page via 'script-src', and then specifically allow each in a given context via the nonce.
> 
> It does seem to be surprising, however. You're certainly not the first to note that the current behavior doesn't match your expectations.
> 
> Changing the directive to more "or"ish behavior would mean that, given a nonce, script from untrusted origins could be loaded. I don't think there's a way to exploit that without already having script access to the page, but I haven't thought about it enough to be sure.
> 
> I'm interested in others' opinions. :)
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> On Wed, Dec 12, 2012 at 4:51 AM, Florian Lasinger <florian@lasinger.org> wrote:
> @chapter „4.12.2 Interaction with the script-src directive“
> 
> The document contains one example for the case
> „nonce provided and correct / src not allowed by script-src directive“.
> 
> There should be an example for the inverse case
> „no nonce provided / src allowed by script-src directive“.
> 
> As it currently stands, the second case script would be rejected because it doesn’t have a nonce.
> Intuitively I would assume the script to be safe because it comes from a whitelisted origin.
> 
> Therefore I would propose to restrict the relevant enforcing rule to only script tags with content.
> 
> Sincerely,
> Flo
> 
Received on Tuesday, 18 December 2012 18:39:10 GMT
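
The three behaviors discussed in this thread (the draft's "and", the proposed "or", and Flo's proposal to enforce the nonce only on script tags with content), compared on the cases the messages mention. This is an added example, not part of any message in the thread and not spec text; the policy object shape, the mode names, the `allowScript` and `compare` helpers and all sample origins and nonce values are assumptions of the example.

```javascript
// Simplified decision model; not the normative algorithm of the CSP 1.1 draft.

// Constructed sample policy: one whitelisted origin plus a per-response nonce.
const policy = { scriptSrc: ["https://cdn.example.com"], nonce: "r4nd0m" };

// True when the origin of the script's src is listed in script-src.
function originAllowed(policy, src) {
  return policy.scriptSrc.includes(new URL(src).origin);
}

// script: { src: string|null, nonce: string|null }; src === null means inline.
// Assumption: an inline script has no src to check, so only the nonce decides.
function allowScript(policy, script, mode) {
  const nonceOk = script.nonce !== null && script.nonce === policy.nonce;
  const inline = script.src === null;
  const srcOk = !inline && originAllowed(policy, script.src);
  switch (mode) {
    case "and":          // nonce must match AND an external src must be whitelisted
      return nonceOk && (inline || srcOk);
    case "or":           // a matching nonce OR a whitelisted src is sufficient
      return nonceOk || srcOk;
    case "inline-only":  // nonce enforced only for scripts with content
      return inline ? nonceOk : srcOk;
    default:
      throw new Error("unknown mode: " + mode);
  }
}

// Evaluate one script element under all three behaviors.
function compare(script) {
  const out = {};
  for (const mode of ["and", "or", "inline-only"]) {
    out[mode] = allowScript(policy, script, mode);
  }
  return out;
}

// Constructed cases taken from the thread's wording.
const cases = {
  // "nonce provided and correct / src not allowed by script-src directive"
  lateBoundAd: { src: "https://ads.example.net/ad.js", nonce: "r4nd0m" },
  // "no nonce provided / src allowed by script-src directive"
  whitelistedNoNonce: { src: "https://cdn.example.com/lib.js", nonce: null },
  inlineWithNonce: { src: null, nonce: "r4nd0m" },
  inlineNoNonce: { src: null, nonce: null },
};

for (const [name, script] of Object.entries(cases)) {
  console.log(name, compare(script));
}
```

The `lateBoundAd` row shows the trade-off in one place: only "or" lets the late-filled ad script run, and that is the same row in which a script from an origin outside `script-src` loads on the strength of the nonce alone.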
