W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Re: CSP script hashes

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Fri, 1 Feb 2013 10:19:41 -0800
Message-ID: <CAF8haaxQodWoT1FC8z6_i8h9G6394NVkYc0DSiJwf3-yd8j0tA@mail.gmail.com>
To: Nicholas Green <ngreen@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
One key difference between nonces and hashes is that hashes can't stop
return-to-libc-like attacks (e.g.,, attacker calling
twitter.delete_my_account() which could be hashed).


On Thu, Jan 31, 2013 at 5:32 PM, Nicholas Green <ngreen@twitter.com> wrote:

> Hi folks,
>
>   There has been some discussion around hashes rather than nonces for
> <script>/<style>s recently, and I wanted to support that suggestion.
> My proposal would be we send down a header of script-hashes <hash>
> <hash> ..., that specifies which scripts can run on a page.  This is,
> I think, what ISSUE-36 proposes.
>
>   The reason this is appealing to us is that the only real blockers
> that we have encountered while implementing CSP headers that restrict
> inline scripts and styles are:
>
> 1) Scripts that must be run at a certain time during page load.
> 2) Styles that should be applied from initial page load.
> 3) Scripts and styles that are inlined for performance reasons (i.e.
> to avoid an extra round trip on high latency connections).
>
>   None of these require any dynamic content to be present in the
> scripts or styles, thus script hashes, which could either complement
> or work independently of script nonces, that allowed us to specify the
> hashes of scripts that we will allow to run inline would be
> sufficient.  Since the content is static these hashes can be
> calculated at the deploy time (light on the server), and don't need to
> be salted with any server side secrets, this should be relatively
> straightforward.  Of course some details (i.e. ignore whitespace?)
> would have to be specified to ensure interoperability.  I realize this
> will be non-trivial to implement for some applications, but think the
> benefit is worth it.  It certainly would be from our perspective.
>
>   One last point: Since assets are often served from CDNs generating
> random nonces per request may be tricky, but if we just need to change
> headers each time we change assets, I think we dodge the CDN
> difficulties as well as potential caching issues.
>
>   Thoughts?  Implementation hurdles?  Other places this is already
> covered that I should've read?
>
> Thanks,
> Nick
>
>
>


-- 
-Eric
Received on Friday, 1 February 2013 18:20:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 1 February 2013 18:20:12 GMT