Re: Hashes. from Dionysis Zindros on 2013-12-12 (public-webappsec@w3.org from December 2013)

From: Dionysis Zindros <dionyziz@gmail.com>
Date: Wed, 11 Dec 2013 17:57:09 -0800
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Neil Matatall <neilm@twitter.com>, Garrett Robinson <grobinson@mozilla.com>, Joel Weinberger <jww@google.com>, Adam Barth <w3c@adambarth.com>, Brad Hill <bhill@paypal-inc.com>, Dan Veditz <dveditz@mozilla.com>
Message-ID: <CAE-c3meD=OsR-SnUU=+Nb-As8szvZvgjSOrr=gR+9ZOmiPOfEA@mail.gmail.com>

On Wed, Dec 11, 2013 at 3:04 AM, Mike West <mkwst@google.com> wrote:
>
> I've taken a stab at wrapping up the various threads on script hashes into some spec text that I hope addresses most concerns, and just added [1], [2], and [3] to the spec for discussion.
>
> In particular:
>
> 0. I think we want both hashes and nonces. The spec reflects that.
>
> 1. I'm deferring to the HTML spec for the definition of the script block's source, which I think gives us good chances of both understanding how the script block is parsed and understood, and interoperating on that understanding. Adam, your input would be particularly valued here: is that definition enough, or do we need to more explicitly talk about encodings and canonicalization?
>
> 2. 'unsafe-inline' is disabled if either a hash or nonce is present.
>
> 3. I'm running with Garrett's suggestion that we support only SHA-2 algorithms. I think there's value in supporting SHA-1 (number of bits on the wire, if nothing else), and I'd like to add it in. Moreover, there might be value in writing the spec such that future algorithms can be supported if browser vendors choose. I'm not sure we need to be explicit about the supported algorithms (other than to specify something like SHA-256 as mandatory to support, to ensure we have a common baseline). Opinions welcome. :)

Thanks for this patch, it's nice to see this moving forward.

>
>
> [1]: https://dvcs.w3.org/hg/content-security-policy/rev/20f1d3204a37

The change of "nonce-value" to "base64-value" is undesired for the
following reasons:

(a) When using a nonce in scripts or styles, the nonce-value is not
the base64 encoding of anything. It's just a random string securely
generated by the server independently for each request. The spec
grammar should use a name that reflects this. "nonce-value" is
appropriate, but "base64-value" is not.

(b) The grammar key "nonce-value" is referenced 3 times in the rest of
the spec. This change makes these references dangling. Furthermore,
changing these references to "base64-value" to match the grammar is
not a good idea, as they talk about the semantics of nonce-value in
particular. The references are in sections 3.2.2.3 and 3.2.2 and the
text talks particularly about the nonce, not the hash.

I recommend we go back to "nonce-value" as a separate grammar record
for the nonce value, and use an identical grammar record with the same
right-hand-side called "hash-value" for the hash value.

>
> [2]: https://dvcs.w3.org/hg/content-security-policy/rev/053e1cf7c388

The NIST standard illustrates hash results as hex. We want to make it
clear that the binary result of the hashing functions is subsequently
fed to base64. Let's add a clarification there.

Recommend that we change the following:

If the <a href="#dfn-digest-of-an-elements-contents"><var>algorithm</var>
digest of <var>element</var>'s contents</a> is a case-insensitive match for
<var>expected</var>, return true and abort these steps.

To the following:

If the <a href="http://tools.ietf.org/html/rfc4648#section-4">base64
encoding</a> of
the binary <a href="#dfn-digest-of-an-elements-contents"><var>algorithm</var>
digest
of <var>element</var>'s contents</a> is a case-insensitive match for
<var>expected</var>, return true and abort these steps.

Even better, it would be great to define a separate "actual" in
addition to "expected".

Recommend that we also add something along the lines of the following,
to ease adoption and implementation for web developers:

If the user agent fails to match hash-value, the user agent SHOULD
report a warning message in the developer console containing the
actual hash value.

These modifications are reflected in the attached patch
(csp-specification.dev.html.patch).

Thanks!

> [3]: https://dvcs.w3.org/hg/content-security-policy/rev/8db37e53da82
>
> Thanks (and apologies for the delay/my absence; I've been buried in non-CSP work recently)!
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Attachments

application/octet-stream attachment: csp-specification.dev.html.patch

Received on Thursday, 12 December 2013 01:58:02 UTC