W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2013

RE: Nonce for CSS, Signature of script, link, img?

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 31 Jan 2013 00:20:55 +0000
To: Hendrik Brummermann <nhb_web@nexgo.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E278E9BA9@DEN-EXDDA-S12.corp.ebay.com>
Hendrik,

 With regard to hashes on external content, we already have a proposed deliverable for this in our new draft charter we're calling Sub-Resource Integrity, that could be easily be extended to content with a disposition of download.  Gervase Markham's "Link Fingerprints" proposal informed ours, and his was for exactly that use case.

 Regarding hashing inline content:

 1) Is there a straightforward canonicalization of inline content we can use to get an unambiguous hash?  

This proved to be quite challenging (actually, a total nightmare) with XML signatures.  Perhaps it is more easily achievable in the HTML DOM, but I'm not sure that's true.

2) Does a hash significantly improve security over just a nonce?  How and in what attack scenarios?

I can imagine injection scenarios that happen inside the context of a script block that is nonce tagged which a hash could theoretically prevent, but in practical terms, I wonder how the hash would be generated if the script block was intentionally dynamic?  Is there a meaningful way for the defender to use a hash to identify legitimate and intentional dynamic changes while excluding illegitimate injections?  I can't think of a method that offers any better protection than existing server-side input sanitization practices.

-Brad Hill

> -----Original Message-----
> From: Hendrik Brummermann [mailto:nhb_web@nexgo.de]
> Sent: Wednesday, January 30, 2013 4:04 PM
> To: public-webappsec@w3.org
> Subject: Nonce for CSS, Signature of script, link, img?
> 
> The proposal for script-nonce made we wonder two things:
> 
> First: Should we extend the concept to style definitions? If the style sheet is
> rather small, inlining will save a significant amount of time on the initial page
> load. For this reason many mobile providers already use Deep Packet
> Manipulation to embed external stylesheets.
> 
> 
> 
> Second: Should we use a hash of the content? Static content such as
> JavaScript, CSS and images is often hosted on content delivery networks.
> With a hash in the <script>, <link>, and <img> elements, it can be ensured
> that these files have not been tampered with.
> 
> 
> Taking this one step further, this could be used to ensure that downloadable
> files, linked via an <a> tag, have not been manipulated.
> One of SourceForge's mirrors was recently compromised and served
> executables with a backdoor.
> 
> 
> For the use-cases listed above, an attribute in the elements will do.
> But we still want to ensure that injected content cannot do any harm. So we
> need to prevent an attacker from injecting an element with the correct hash.
> One idea to solve this, is to include the nonce value, which is transmitted in
> the CSP-header, into the hash function.
> 
> Hendrik
Received on Thursday, 31 January 2013 00:21:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 31 January 2013 00:21:24 GMT