RE: CSP Sandbox directive and meta tag - CSP 1.1 from Jacob Rossi on 2012-09-19 (public-webappsec@w3.org from September 2012)

From: Jacob Rossi <Jacob.Rossi@microsoft.com>
Date: Wed, 19 Sep 2012 00:02:29 +0000
To: Tanvi Vyas <tanvi@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D0BC8E77E79D9846B61A2432D1BA4EAE06663FD5@TK5EX14MBXC287.redmond.corp.microsoft.>

Thanks for bringing this back up, Tanvi.  

In general, I think your proposal makes sense. It follows the behavior of the sandbox iframe attribute in that the sandbox tokens must be set prior to loading the document to which they apply. 

Though for us (Microsoft), the complexity involved in supporting the sandbox directive in the meta tag is not much different from that of any of the other directives in a meta tag. There are very few cases where the security context of a document (not CSP necessarily, but general security parameters such as origin, sandboxing, or security='restricted', etc.) is mutable in our implementation after we've begun loading it (document.domain is one case I can think of offhand). This is for implementation simplicity but also as a reduction in surface area for attacks.

There's also a few questions I have on the mechanics of the meta tag that might influence my opinion here:

1. The spec describes that HTTP headers trump meta tags, the first meta tag wins over subsequent ones, and that meta elements inserted after loading are ignored. But what about dynamic manipulation of a currently enforced policy from a meta element? In other words, can I alter the content attribute of the meta tag after loading the document?  I think the answer should be no, but that should probably be specified.

2. I assume that, prior to parsing the meta element, scripts can execute as though there is no policy. So:

<script> alert('You see this alert');</script>
<meta http-equiv="content-security-policy" content="script-src: 'none'">
<script> alert('You will not see this alert');</script>

But what if this was a plugin?  Does the first plugin get unloaded by the User Agent or does the later loaded policy not apply to it?

<object data="foo.pdf" type="application/pdf" classid="clsid:CA8A9780-280D-11CF-A24D-444553540000" ></object>
<meta http-equiv="content-security-policy" content="object-src: 'none'">

Thanks!

-Jacob

-----Original Message-----
From: Tanvi Vyas [mailto:tanvi@mozilla.com] 
Sent: Tuesday, September 18, 2012 3:17 PM
To: public-webappsec@w3.org
Subject: CSP Sandbox directive and meta tag - CSP 1.1

A couple months ago during our biweekly call we discussed how a csp sandbox directive would be handled when the content security policy is specified in a meta tag.  We proposed ignoring the csp sandbox directive if set in a meta policy.  This is because the sandbox flag needs to be set on navigation, and the <meta> tag with the policy isn't specified until after navigation and after a principal for the document has already been set.  Switching to the null principal after we discover the sandbox directive makes following the same origin policy tricky since we'd already be halfway through parsing the document.

Bringing this up on the mailing list for further discussion. Thanks!

~Tanvi

Received on Wednesday, 19 September 2012 00:03:07 UTC