- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 2 Nov 2012 11:57:07 -0700
- To: Joel Howard Willis Weinberger <jww@cs.berkeley.edu>
- Cc: Eric Rescorla <ekr@rtfm.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Nov 2, 2012 at 11:14 AM, Joel Howard Willis Weinberger <jww@cs.berkeley.edu> wrote:
> Perhaps I've missed this in previous conversations, but why is script-nonce
> restricted only to scripts?

I don't think we've discussed that previously.

Up to this point, script-nonce has had two goals:

1) Let web sites use inline scripts without giving up the XSS protections from CSP.
2) Give web sites finer-grained control over where they load scripts (finer-grained than origin).

Goal (1) seems valuable. Goal (2) seems less valuable (to me) now that we have directory restrictions that let web sites have finer-grained control over where they load scripts by URL.

> Why not allow other (potentially arbitrary) uses
> of the nonces for forms, for example? If one is worried about any particular
> type of element injection, couldn't the nonce attribute be useful? Why not
> have a more general 'nonce policy' that allows directives of not just 'all'
> or 'inline', but also 'forms,' 'input', etc?

That's an interesting idea. An extreme version of that idea would be to require a nonce to whitelist every element. That might get a bit unwieldy, but you could imagine letting the web site specify which tag names would require nonces.

Adam

> On Fri, Nov 2, 2012 at 10:41 AM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> [-public-web-security, +public-webappsec]
>>
>> Maybe we should make script-nonce apply only to inline script elements?
>>
>> Adam
>>
>>
>> On Fri, Nov 2, 2012 at 2:42 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> > As I mentioned in the meeting, script-nonce seems like it would be
>> > more useful if there was a way to restrict its applicability to inline
>> > scripts,
>> > so I can have a site with a static security policy and a small number of
>> > inline
>> > scripts without having to rewrite every page that loads jQuery.
>> >
>> > Concrete suggestion: augment script nonce with a "policy" parameter
>> > such as:
>> >
>> > script-nonce <nonce>,<policy> where <policy> == "all" or "inline"
>> > to mean that the nonce applies to both scripts or just inline scripts.
>> >
>> > -Ekr
>> >
>> >
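The `script-nonce <nonce>,<policy>` form Ekr proposes above, as an added toy evaluator written for this thread (not code from the thread, the CSP spec or any browser); the `isScriptAllowed` helper, its script-object shape and the sample CDN whitelist are assumptions for illustration:

```javascript
// Toy evaluator for the proposed directive:  script-nonce <nonce>,<policy>
//   policy "all"    -> every script element (inline and external) must carry the nonce
//   policy "inline" -> only inline scripts need the nonce; external scripts keep
//                      being governed by the static script-src whitelist, so pages
//                      that load jQuery from a CDN do not have to be rewritten.
// Assumption: a missing policy defaults to "all" (the pre-proposal behaviour).

function parseScriptNonce(directiveValue) {
  const [nonce, policy = "all"] = directiveValue.split(",").map((s) => s.trim());
  if (!nonce) throw new Error("script-nonce requires a nonce value");
  if (policy !== "all" && policy !== "inline") throw new Error(`unknown policy: ${policy}`);
  return { nonce, policy };
}

// script: { inline: boolean, nonce?: string, src?: string }
// srcWhitelist: constructed stand-in for the script-src source list (URL prefixes)
function isScriptAllowed(policy, script, srcWhitelist) {
  const hasNonce = typeof script.nonce === "string" && script.nonce === policy.nonce;
  if (script.inline) return hasNonce;                 // inline: nonce is the only way in
  if (policy.policy === "all") return hasNonce;       // "all": external scripts need it too
  // "inline": external scripts fall back to the static whitelist
  return typeof script.src === "string" && srcWhitelist.some((p) => script.src.startsWith(p));
}

// Constructed sample page: one legitimate inline script, one injected inline script
// (no nonce, as an XSS payload would lack it), and jQuery loaded from a CDN.
function demo() {
  const whitelist = ["https://cdn.example.com/"];
  const page = [
    { inline: true, nonce: "abc123" },
    { inline: true },
    { inline: false, src: "https://cdn.example.com/jquery.js" },
  ];
  const inlineOnly = parseScriptNonce("abc123,inline");
  const all = parseScriptNonce("abc123,all");
  return {
    inlinePolicy: page.map((s) => isScriptAllowed(inlineOnly, s, whitelist)),
    allPolicy: page.map((s) => isScriptAllowed(all, s, whitelist)),
  };
}
```

Under `inline` the injected script is blocked while the unmodified jQuery tag still loads; under `all` the jQuery tag is blocked as well until the page is rewritten to carry the nonce.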
Received on Friday, 2 November 2012 18:58:06 UTC