crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] from Web Cryptography Working Group Issue Tracker on 2012-08-20 (public-webcrypto@w3.org from August 2012)

From: Web Cryptography Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 20 Aug 2012 14:18:11 +0000
To: public-webcrypto@w3.org
Message-Id: <E1T3Snz-0002Up-TA@tibor.w3.org>

crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API]

http://www.w3.org/2012/webcrypto/track/issues/21

Raised by: Ryan Sleevi
On product: Web Cryptography API

One of the concerns with exposing the Web Crypto API to applications is the possibility for cross-siste scripting. This was particularly raised during the "signed JS" use cases, as it suggests that signed JS may act as a mitigation against an unauthenticated ephemeral XSS being turned into a persistent, authenticated XSS, by means of corrupting script stored in localStorage.

One way to mitigate this would be to specify that, in order to have this API exposed, applications MUST use CSP [1] and MUST specify a script-src [2] directive of 'self' and object-src directive of 'self'. This would prevent any inline script from being added, and would prevent the use of 'eval' to execute script.

While such solutions are not perfect, they can *significantly* reduce the risk of compromise or misuse. On the other hand, this may prevent some use cases, such as those imagined by the signed JS. A compromise might be to define "Anything that requires a key requires CSP", which would simply permit insecure applications from using key-based operations.

[1] http://www.w3.org/TR/CSP/
[2] http://www.w3.org/TR/CSP/#script-src

Received on Monday, 20 August 2012 14:18:14 UTC