Re: Confinement policies? (was Re: Scripting Policy sketch.)

I can't answer for websites that have huge/multiple/complicated development
teams.

But for smaller websites, we tend to have a simple(ish) process for
minifying, transpiling, etc - where the output is put in a single folder.

That folder tends to only have static content (no redirects), and should
never contain user-uploaded content.

We can currently use (although I admit, it's currently rare) a CSP with
paths to keep our code organised (i.e. it stops the lazy thoughts creeping
in, such as "I'll just dump that JS file here, or temporarily use this 3rd
party hosted version for now, and move it to the correct location later").

And while I appreciate these files probably should use separate domains
from a security point of view (main host / static resources / user uploaded
content), it's becoming increasingly difficult to justify from a
performance point of view (especially with HTTP/2, and the use of integrity
checks breaking connection coalescing), and it makes the development
process more complicated (needing to use variables to specify the host
these separate resources are on; in development, testing, demo, and live).

It's very early days (I started a couple of weeks ago), but I've made a
browser extension (Chrome and Firefox) that will present the CSP policy in
a table layout (easier to read), and suggest ways to apply more
restrictions (i.e. better confinement):

https://github.com/craigfrancis/dev-headers

On Thu, 9 Jan 2020 at 08:25, Mike West <mkwst@google.com> wrote:

> (Forking the thread for clarity)
>
> My impression is that CSP is actually not a great fit for developers'
> actual confinement needs. It's fairly awkward to set up reasonable
> policies, it's flexible in places it doesn't need to be, and inflexible in
> places that would be convenient. If we're stepping back and reevaluating, I
> think it's worth thinking about what a more idealized confinement policy
> would look like. We may indeed decide that CSP is Good Enough, but I'd like
> to get some developers to weigh in before landing on that decision.
>
> That said, I know the sketch I put up at
> https://github.com/mikewest/csp-next#resource-confinement isn't what we
> want to end up with. Perhaps we could get some folks who use policies that
> aim at something beyond script injection to weigh in on their requirements
> (I'm thinking of folks like +Brad Hill <hillbrad@fb.com> at Facebook, +Devdatta
> Akhawe <dev@dropbox.com> at Dropbox, +Patrick Toomey
> <patrick.toomey@github.com> at GitHub, +Artur Janc <aaj@google.com>/+Lukas
> Weichselbaum <lwe@google.com> at Google)?
>
> -mike
>
> On Wed, Jan 8, 2020 at 4:59 PM Craig Francis <craig.francis@gmail.com>
> wrote:
>
>> Thanks Mike,
>>
>> Scripting-Policy does look like a simpler process for developers to
>> mitigate the most common XSS issues (and Trusted Types can hopefully help
>> the next set).
>>
>> As to confinement, I think CSP does this pretty well already.
>>
>> So I'd like to keep CSP as it is, although you could deprecate some parts
>> (e.g. the hash/nonce options).
>>
>> Then CSP can focus on limiting where resources can be loaded from, which
>> is good for ensuring developers put things in the right place, but it's
>> also an extra set of restrictions if an attacker does find a way to run
>> their evil code (be that JS, malformed HTML, etc).
>>
>> Craig
>>
>>
>>
>> On Wed, 8 Jan 2020 at 10:18, Mike West <mkwst@google.com> wrote:
>>
>>> Hey folks,
>>>
>>> At TPAC last year, we discussed
>>> <https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#csp>
>>> the CSP Next proposal <https://github.com/mikewest/csp-next> in a
>>> little bit of detail. It seemed like there was general approval of the
>>> vague contours of the idea, so I took some time to sketch it out in a
>>> little more detail. I'd appreciate feedback (directional and detail!) on
>>> https://mikewest.github.io/csp-next/scripting-policy.html.
>>>
>>> This addresses the XSS mitigation portion of CSP. It doesn't touch the
>>> confinement portions of CSP discussed in
>>> https://github.com/mikewest/csp-next/#resource-confinement. I'm quite a
>>> bit less clear on what that would actually need to look like. If y'all have
>>> ideas (especially those rooted in actual experience deploying
>>> confinement-oriented policies), I'd love to hear about them.
>>>
>>> Thanks!
>>>
>>> -mike
>>>
>>
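As an added illustration of the path-based CSP confinement Craig describes in his reply above (the single build-output folder, the "no redirects" rule, and the contrast with putting static resources on a separate host), the following Python is not code from this thread, from the dev-headers extension, or from the CSP Next proposal. It implements the CSP3 host-source matching rules in simplified form (no wildcards, ports compared exactly) and checks sample resource URLs against a constructed policy whose script-src uses path-based source expressions instead of 'self'. The page origin, hosts and folder names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample page origin and policy (hypothetical hosts and paths).
# script-src deliberately uses path-based source expressions instead of 'self'
# so only the build-output folder and one pinned vendor folder may serve scripts.
PAGE_ORIGIN = "https://www.example.com"
SAMPLE_POLICY = (
    "default-src 'none'; "
    "script-src https://www.example.com/build/js/ https://cdn.example.net/libs/; "
    "style-src https://www.example.com/build/css/; "
    "img-src 'self'"
)


def parse_csp(header):
    """Split a serialized CSP header into {directive-name: [source expressions]}.
    Per CSP, a repeated directive name is ignored; the first occurrence wins."""
    directives = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(expr, url, page_origin, redirected=False):
    """Return True if `url` matches a single 'self' or host-source expression.

    Simplified CSP3 host-source matching: no '*' wildcards, ports must compare
    exactly. The path part of a source expression is honoured only when the
    resource was fetched without a redirect; CSP ignores paths after a redirect,
    which is why a confined folder must serve static files and never redirect.
    """
    u = urlsplit(url)
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc.lower()) == (p.scheme, p.netloc.lower())
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    # A host-source may omit its scheme; borrow the page's scheme so urlsplit
    # recognises the host part.
    if "://" not in expr:
        expr = page_origin.split("://", 1)[0] + "://" + expr
    e = urlsplit(expr)
    # Scheme must match, except that an http source also covers https fetches.
    if e.scheme != u.scheme and not (e.scheme == "http" and u.scheme == "https"):
        return False
    if e.netloc.lower() != u.netloc.lower():
        return False
    if not e.path or redirected:
        return True
    if e.path.endswith("/"):
        return u.path.startswith(e.path)  # trailing slash: directory prefix match
    return u.path == e.path  # otherwise: exact file match


def is_allowed(policy, directive, url, page_origin=PAGE_ORIGIN, redirected=False):
    """Decide whether `policy` lets `directive` fetch `url`, falling back to
    default-src when the specific fetch directive is absent."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src", [])
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, page_origin, redirected) for s in sources)


if __name__ == "__main__":
    checks = [
        ("script-src", "https://www.example.com/build/js/app.js", False),
        ("script-src", "https://www.example.com/uploads/avatar.js", False),
        ("script-src", "https://www.example.com/uploads/avatar.js", True),
        ("script-src", "https://cdn.example.net/libs/vendor.js", False),
        ("script-src", "https://cdn.example.net/other/x.js", False),
        ("img-src", "https://www.example.com/uploads/avatar.png", False),
        ("font-src", "https://www.example.com/build/fonts/a.woff2", False),
    ]
    for directive, url, redirected in checks:
        ok = is_allowed(SAMPLE_POLICY, directive, url, redirected=redirected)
        print(f"{directive:<10} {url} redirected={redirected}: {'allowed' if ok else 'blocked'}")
```

The script from the uploads folder is blocked on a direct fetch but allowed once a redirect is involved, which is the reason the confined folder has to be static-only; the img-src 'self' entry shows the contrast, since a bare origin source admits every path on that host.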

Received on Thursday, 9 January 2020 13:52:25 UTC