W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: Hashes/Nonce Source and unsafe-inline

From: Garrett Robinson <grobinson@mozilla.com>
Date: Tue, 17 Dec 2013 13:50:24 -0800
Message-ID: <52B0C720.9080108@mozilla.com>
To: public-webappsec@w3.org
On 12/16/2013 10:28 AM, Pete Freitag wrote:
> On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com
> <mailto:dionyziz@gmail.com>> wrote:
> 
>     The current spec is explicit about allowing nonces and hashes for only
>     inline script use
> 
> 
> The current spec mentions hashes and nonce in the style-src section, but
> in the Valid Hashes
> section, https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes
> it only mentions script. I would expect them to work in style-src as
> well as script-src does the valid-hashes section need to be updated or
> is the style-src section wrong?

That's an accidental omission. Hashes can be used to whitelist *inline*
scripts *and* styles.

> Also wouldn't it be possible in theory to solve Dev's problem by
> allowing hashes of inline event handers? This could also potentially
> help ease adoption in legacy applications. I don't know what kind of
> challenges that would present for the browser vendors to implement,
> obviously not anything I would want holding up CSP1.1.

Could you be more specific? I'm pretty sure Dev is referring to
something akin to

<button onclick="breakEverything()">Save</button>

Are you suggesting that we hash the contents of <button>? It seems like
we need to whitelist the *executable* content, not content associated
with executable content, to get security. Otherwise, an attacker could do

<button onclick="doSomethingEvil()">Save</button>

and get it to run.

Maybe we could do something like we do with setTimeout, where if the
contents of the event handler is just one function then we let it run?
But IMHO that is way over-complicated.

-Garrett

> --
> Pete Freitag
> http://foundeo.com
> http://content-security-policy.com/ - CSP Quick Reference
Received on Tuesday, 17 December 2013 21:50:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC