W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Proposal for script-hash directive in CSP 1.1

From: Nicholas Green <ngreen@twitter.com>
Date: Wed, 13 Feb 2013 14:12:04 -0800
Message-ID: <CADYSid98v2eWGwxmgdU5OKHo5YdiNcRF+ijcOH8g=dNbJNOSRQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
In English:

The contents of every script tag will be encoded to utf-8 then hashed,
including all leading and trailing whitespace.  We hash the contents
of each script tag with the hashing algorithm specified in the
script-hash directive.  If the calculated hash's base64 encoding
matches the base64 encoding of a hash value listed in the CSP header,
we execute the script.  Otherwise we block & report.

In spec:

The script-hash directive restricts script execution by requiring that
the hash of a script's contents must appear in the directive in order
for the script to be executed.  The syntax for the name and value of
the directive are described by the following ABNF grammar:

directive-name      = "script-hash"
directive-value     = hash-algorithm ":" hash-list
hash-list           = *WSP [ hash-value *( 1*WSP hash-value ) *WSP ]
hash-value          = 1*hash-char *( 1*hash-char )
hash-char           = ALPHA / DIGIT / "+" / "/" / "="
hash-algorithm      = "sha1" / "sha256"

If script-hash is NOT specified as a directive:

* The user agent MUST follow script-src behavior or inherited
default-src behavior for inline scripts.

If script-hash IS specified as a directive

* Whenever the user agent would execute an inline script from a script
element, the user agent MUST NOT execute the script unless the base64
(rfc4648) encoding of the digest of the utf-8 encoded script contents
when hashed with the hash-algorithm specified in the script-hash
directive matches a base64 hash-value in the list of hash-values.
User agents should pad the hash-values with '=' as necessary to make
them valid base64 strings.
* Whenever the user agent would execute a script from an inline event
handler, instead the user agent MUST NOT execute the script.
* Whenever the user agent would execute script contained in a
javascript URI, instead the user agent MUST NOT execute the script.
* The content-type HTTP header SHOULD be set.
Received on Wednesday, 13 February 2013 22:14:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 13 February 2013 22:14:22 GMT