W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

Re: CSP 1.1: `script-nonce` and script interface edits.

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Wed, 18 Jul 2012 21:42:39 -0700
Message-ID: <CAF8haazgOZP-6cbWncHeHRNAtF8YBrNU0Zv+eXbY-g7v38fBRw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org
Oh, you are talking about the case when the script-nonce directive is
invalid, not when the script-nonce attribute is invalid. In that case, I
agree it makes sense to hard-fail.

On Wed, Jul 18, 2012 at 9:16 PM, Mike West <mkwst@google.com> wrote:

> I don't know of an attack that could specifically exploit the soft-fail
> case; the change was made more in order to correctly set developers'
> expectations about the effect of their policy. If I send `script-nonce this
> is my awesome nonce;`, I might believe that my site is well protected, when
> in actuality the whole directive is being thrown away since the nonce isn't
> a valid token.
>
> We need to do something in response to an invalid nonce. Failing in such a
> way that's sure to be noticed seems the most secure option.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Wed, Jul 18, 2012 at 10:57 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
>
>> Hi Mike:
>>
>>
>>> * `script-nonce` has been cleaned up a bit, adding a non-normative
>>> "Usage" section that attempts to explain the core functionality to web
>>> developers, and making two things clear that confused me while
>>> experimenting with a WebKit implementation. First, invalid nonces now fail
>>> loudly, blocking all script execution on a page.
>>>
>> Is there a particular motivation for this? (i.e., is there an attack that
>> would break the soft-fail case?)
>>
>>
>> --
>> -Eric
>>
>>
>


-- 
-Eric
Received on Thursday, 19 July 2012 04:43:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 19 July 2012 04:43:07 GMT