W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

CSP script hashes, inline and src'd

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 18 Oct 2013 16:45:21 -0700
Message-ID: <CAHQV2KnZZgym-y2JEkGZDMdxu=bEuHgSACBJDAj3Lwvns7Eotw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I'm currently working on the Chromium implementation of script hashes, and
I came across a point needing clarification: should script hashes apply to
src'd scripts as well as inlined ones? One of Neil's comments implies only
inlined, which is my preference, but I want to make sure we're explicit
about this.

The problem is if they apply to src'd scripts as well, we (Chromium) have a
chicken and egg
problem. We check CSP to see if a resource URL is acceptable
according to the policy. If not, we do not make the request. However, that
means
that if the URL is not acceptable *but* the hash of the script *is*
acceptable,
we never see the script, and thus can't override the URL decision.

This isn't a fundamental limitation of Chromium, but I'm not sure of the
true
value of applying script hash to src'd content, and it would mean
requesting extra resources that CSP otherwise would block. Additionally, on
a practical level, it would require a heck of a lot of refactoring on our
end.

Whatever our decision, I'm working on a more formal spec write to clarify
some of the ins and outs and what-have-yous that I've come across during
implementation. Obviously, whatever the consensus here is will be a part of
that.
--Joel
Received on Friday, 18 October 2013 23:45:48 UTC

This archive was generated by hypermail 2.3.1 : Friday, 18 October 2013 23:45:49 UTC