Re: [CSP] Clarifications on nonces

On Mon, Feb 9, 2015 at 9:06 AM, Brian Smith <brian@briansmith.org> wrote:

> I think it is good to have such text discouraging the use of nonce.
> But, I think it is important to explain the security issues that nonce
> has so that the reader can understand *why* nonce is not secure. Feel
> free to use any of the text in my previous emails describing those
> issues.
>

I've added a bit of text in
https://github.com/w3c/webappsec/commit/9bb821e33b85718b2d2aa8741321906c2e780b17
to this effect.


> > Consider a page that includes a third-party widget. Or an ad. It's quite
> > likely that the page doesn't actually know what's going to be loaded via
> > that widget, so constructing a CSP which would allow those things is
> > difficult. Nonces, being easily transferable, allow such embedded content
> > to bring in whatever it requires.
>
> I think that use case is one for which we should find alternative
> solutions. In particular, we should be moving the web towards social
> widgets and ads being confined within iframe sandbox so that embedding
> an ad or widget doesn't give the ad/widget provider full control over
> the page's origin like <script src=//third-party.example.com/ad.js>
> does. So, I think that allowing CSP nonce to have DOM XSS
> vulnerabilities in order to support the use case above is doubly
> counterproductive.
>

The general thrust is "Don't run third-party JavaScript in your site's
context" and "Don't serve ads that require DOM access." I think there's
general agreement on those points in theory, and general disregard for them
in practice. My claim is that if we make it impossible to follow this
unfortunately (very) common pattern, the most likely effect is not that
folks will make their sites more secure, but that they simply won't use CSP.

Nonces are significantly weaker than a policy that whitelists specific
origins. Nonces are significantly stronger than an empty policy. It's a
trade-off, to be sure. I'm arguing that it's a justifiable and practical
one. You're arguing that it's not.

As you suggested in
https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0116.html, it
would be good to get more opinions to see where the group tends to land on
the subject.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 9 February 2015 09:31:09 UTC
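As an added illustration of the trade-off argued in this thread (example code written for this page, not from the thread, the CSP spec, or the w3c/webappsec repository): a deliberately simplified model of `script-src` matching, showing that a per-response nonce is stronger than no policy but, because the nonce value can be copied onto any script element (including one a third-party widget injects), weaker than an origin whitelist. The policy format, the `Script` type and the scenario URLs are constructed assumptions; the real CSP matching algorithm has more cases than this.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Script:
    src: Optional[str]    # URL for an external script, None for an inline one
    nonce: Optional[str]  # value of the element's nonce attribute, if any


def new_nonce() -> str:
    # One fresh, unpredictable value per response; a reused or guessable
    # nonce gives the attacker the same thing a copied nonce does.
    return secrets.token_urlsafe(16)


def script_allowed(policy: List[str], script: Script) -> bool:
    """Simplified script-src check (assumption: not the spec's full algorithm).
    policy is a list of source expressions, e.g. ["'nonce-abc'"] or
    ["https://www.example"]; an empty list models a page with no CSP."""
    if not policy:
        return True  # no policy: everything runs
    # A matching nonce allows the script regardless of where it was loaded from.
    nonces = {p[len("'nonce-"):-1] for p in policy if p.startswith("'nonce-")}
    if script.nonce is not None and script.nonce in nonces:
        return True
    if script.src is None:
        return "'unsafe-inline'" in policy
    target = urlsplit(script.src)
    return any(
        urlsplit(p).scheme == target.scheme and urlsplit(p).netloc == target.netloc
        for p in policy if "://" in p
    )


def compare_policies() -> dict:
    """Constructed scenario: the page's own script, and a script a third-party
    widget injects after copying the nonce off an existing <script> element."""
    nonce = new_nonce()
    own = Script(src="https://www.example/app.js", nonce=nonce)
    widget_injected = Script(src="https://third-party.example.com/ad.js", nonce=nonce)
    policies = {
        "none": [],
        "nonce": [f"'nonce-{nonce}'"],
        "whitelist": ["https://www.example"],
    }
    return {name: {"own": script_allowed(p, own), "widget": script_allowed(p, widget_injected)}
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:10s} own={verdict['own']} widget={verdict['widget']}")
```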