W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2013

Nonce for CSS, Signature of script, link, img?

From: Hendrik Brummermann <nhb_web@nexgo.de>
Date: Thu, 31 Jan 2013 01:03:36 +0100
Message-ID: <5109B4D8.7080409@nexgo.de>
To: public-webappsec@w3.org
The proposal for script-nonce made we wonder two things:

First: Should we extend the concept to style definitions? If the style
sheet is rather small, inlining will save a significant amount of time
on the initial page load. For this reason many mobile providers already
use Deep Packet Manipulation to embed external stylesheets.



Second: Should we use a hash of the content? Static content such as
JavaScript, CSS and images is often hosted on content delivery networks.
With a hash in the <script>, <link>, and <img> elements, it can be
ensured that these files have not been tampered with.


Taking this one step further, this could be used to ensure that
downloadable files, linked via an <a> tag, have not been manipulated.
One of SourceForge's mirrors was recently compromised and served
executables with a backdoor.


For the use-cases listed above, an attribute in the elements will do.
But we still want to ensure that injected content cannot do any harm. So
we need to prevent an attacker from injecting an element with the
correct hash. One idea to solve this, is to include the nonce value,
which is transmitted in the CSP-header, into the hash function.

Hendrik
Received on Thursday, 31 January 2013 00:04:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 31 January 2013 00:04:05 GMT