Re: CSP Sandbox directive and meta tag - CSP 1.1

On Tue, Sep 18, 2012 at 5:02 PM, Jacob Rossi <Jacob.Rossi@microsoft.com> wrote:
> Thanks for bringing this back up, Tanvi.
>
> In general, I think your proposal makes sense. It follows the behavior of the sandbox iframe attribute in that the sandbox tokens must be set prior to loading the document to which they apply.
>
> Though for us (Microsoft), the complexity involved in supporting the sandbox directive in the meta tag is not much different from that of any of the other directives in a meta tag. There are very few cases where the security context of a document (not CSP necessarily, but general security parameters such as origin, sandboxing, or security='restricted', etc.) is mutable in our implementation after we've begun loading it (document.domain is one case I can think of offhand). This is for implementation simplicity but also as a reduction in surface area for attacks.

This is true in WebKit as well.  (I don't mind dropping support for
the sandbox directive from the meta tag---it's just that it's not
difficult to support in WebKit so we did in our experimental
implementation of CSP 1.1.)

> There's also a few questions I have on the mechanics of the meta tag that might influence my opinion here:
>
> 1. The spec describes that HTTP headers trump meta tags, the first meta tag wins over subsequent ones, and that meta elements inserted after loading are ignored. But what about dynamic manipulation of a currently enforced policy from a meta element? In other words, can I alter the content attribute of the meta tag after loading the document?  I think the answer should be no, but that should probably be specified.

Agreed.

> 2. I assume that, prior to parsing the meta element, scripts can execute as though there is no policy. So:
>
> <script> alert('You see this alert');</script>
> <meta http-equiv="content-security-policy" content="script-src 'none'">
> <script> alert('You will not see this alert');</script>

Correct.

> But what if this was a plugin?  Does the first plugin get unloaded by the User Agent or does the later loaded policy not apply to it?
>
> <object data="foo.pdf" type="application/pdf" classid="clsid:CA8A9780-280D-11CF-A24D-444553540000" ></object>
> <meta http-equiv="content-security-policy" content="object-src 'none'">

I believe we decided that the meta tag had to occur in the <head> to
have any effect.  In this case, the <object> tag will create an
implicit <body> element and the <meta> tag will be processed as if it
were a child of that <body> element and therefore would not be in the
<head>.

Adam

Received on Wednesday, 19 September 2012 20:29:13 UTC
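The ordering rules discussed in this thread (HTTP header trumps meta, first meta wins, a meta outside <head> has no effect, and elements parsed before the policy took effect are not governed by it) can be checked against a small model. The following script is an added example and is not code from the thread, the CSP specification or any browser; it uses Python's standard html.parser and deliberately simplifies both HTML parsing (only the head-vs-body distinction matters here) and CSP matching (host and 'self' matching, nonces and hashes are not modelled). It reproduces Jacob's two snippets as constructed inputs.

```python
from html.parser import HTMLParser

# Start tags that the HTML parser keeps inside <head>. Any other start tag
# (such as <object>) implicitly ends <head> and opens <body>, which is why a
# <meta> that follows it is no longer "in the head". Simplified from the HTML
# "in head" insertion mode; assumption for this example.
HEAD_TAGS = {"meta", "link", "style", "script", "title", "base",
             "noscript", "template"}


def parse_policy(text):
    """Turn "script-src 'none'; object-src 'self'" into a dict of source lists."""
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


class MetaCSPModel(HTMLParser):
    """Tracks when a policy becomes effective while the document is parsed."""

    def __init__(self, http_header=None):
        super().__init__()
        # An HTTP header policy is fixed before parsing starts and wins over meta.
        self.policy = parse_policy(http_header) if http_header else None
        self.source = "header" if http_header else None
        self.in_head = True
        self.elements = []  # (tag, governed_by_policy, blocked)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("html", "head"):
            return
        if tag == "body" or tag not in HEAD_TAGS:
            self.in_head = False  # implicit or explicit <body>
        if tag == "meta":
            is_csp = attrs.get("http-equiv", "").lower() == "content-security-policy"
            # Only the first CSP meta in <head> is honoured, and only if no
            # header policy already exists; later or out-of-head metas are ignored.
            if is_csp and self.in_head and self.source is None:
                self.policy = parse_policy(attrs.get("content", ""))
                self.source = "meta"
            return
        if tag in ("script", "object"):
            governed = self.policy is not None  # policy already in force?
            blocked = governed and self._blocks(tag, attrs)
            self.elements.append((tag, governed, blocked))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

    def _blocks(self, tag, attrs):
        directive = "script-src" if tag == "script" else "object-src"
        sources = self.policy.get(directive, self.policy.get("default-src"))
        if sources is None:
            return False  # no applicable directive: allowed
        if sources == ["'none'"]:
            return True
        if tag == "script" and "src" not in attrs:
            # Inline script needs 'unsafe-inline' (nonces/hashes not modelled).
            return "'unsafe-inline'" not in sources
        return False  # host/'self' matching not modelled: treat as allowed


def simulate(html, http_header=None):
    model = MetaCSPModel(http_header)
    model.feed(html)
    model.close()
    return {"source": model.source, "policy": model.policy,
            "elements": model.elements}


# Constructed inputs mirroring the two snippets from the thread.
SCRIPT_CASE = """<html><head>
<script>alert('You see this alert');</script>
<meta http-equiv="content-security-policy" content="script-src 'none'">
<script>alert('You will not see this alert');</script>
</head><body></body></html>"""

OBJECT_CASE = """<object data="foo.pdf" type="application/pdf"></object>
<meta http-equiv="content-security-policy" content="object-src 'none'">
<object data="bar.pdf" type="application/pdf"></object>"""

if __name__ == "__main__":
    print(simulate(SCRIPT_CASE))
    print(simulate(OBJECT_CASE))
    print(simulate(SCRIPT_CASE, http_header="default-src 'self'"))
```

In the script case the first inline script is recorded as not governed and the second as blocked, matching the expected alerts. In the object case the <object> opens the body implicitly, so the meta is ignored and neither plugin is governed, which is the outcome Adam describes. Passing an HTTP header policy makes the meta irrelevant and governs every element from the first byte.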