- From: Aymeric Vitte <vitteaymeric@gmail.com>
- Date: Fri, 20 Sep 2013 18:21:27 +0200
- To: public-webappsec@w3.org
I tried to use CSP on FF and Chrome with the following use case:
http://peersm.com:
<style nonce="random">...</style>
<img from http://www.peersm.com>
<script src="https://peersm.com/script.js" nonce="random">
<script google>
script.js:
xhr-->decrypt data --> eval(decrypted data)
var workerjs='code';
var worker=new Worker(URL.createObjectURL(new Blob([workerjs])));
new WebSocket('ws://xxx:yyy')
I ended up with the following CSP rule :
head['Content-Security-Policy']= "default-src 'self';
img-src http://www.peersm.com;
connect-src http://peersm.com xxx;
style-src 'unsafe-inline';
script-src 'unsafe-eval' 'unsafe-inline' https://peersm.com https://www.google.com https://ajax.googleapis.com 'nonce-random';
script-nonce random";
Which seems completely insecure...
1- I could not make nonces work even using both syntaxes above; that's
why https://peersm.com is in the script-src list and 'unsafe-inline' in
style-src. Reading the docs it seems implemented, but maybe it's not.
2- I added 'unsafe-inline' in script-src since the worker as defined
here is maybe assimilated to an inline script but whatever we do CSP
blocks the worker
3- It's not clear depending on browsers if you can whitelist a complete
url (http://a/b/c/script.js) or not (http://a/b/c) (working on Chrome,
not working on FF)
I have some doubts while reading the CSP spec, so sorry if the remarks
have already been discussed. You might object that I am doing strange
things but there are very good reasons for that, for example I can not
load directly script.js inside https://peersm.com because FF will refuse
to create a non SSL/TLS WebSocket (see
https://bugzilla.mozilla.org/show_bug.cgi?id=917829)
What I would think natural to have is something like:
style-src ('unsafe-inline' only with http://peersm.com/) or 'nonce-random'
--> allow unsafe-inline only for a set of urls or use nonces
script-src ('unsafe-eval' only with https://peersm.com/script.js)
('unsafe-inline' only with workers) https://www.google.com
https://ajax.googleapis.com (https://peersm.com/script.js or 'nonce-random')
--> allow unsafe-eval only for a set of urls, whitelist them explicitly
or use nonces
But as far as I understand the spec this is not possible, correct?
Regards
Aymeric
--
jCore
Email : avitte@jcore.fr
Peersm : http://www.peersm.com
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web : www.jcore.fr
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
Received on Friday, 20 September 2013 16:22:09 UTC