- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 2 Jul 2013 14:57:46 -0700
- To: Nicholas Green <ngreen@twitter.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Per the conversation in today's call where we were looking for a script-hash spec proposal. Were there objections to this? Good starting point?

On Wed, Feb 13, 2013 at 2:12 PM, Nicholas Green <ngreen@twitter.com> wrote:
> In English:
>
> The contents of every script tag will be encoded to utf-8 then hashed,
> including all leading and trailing whitespace. We hash the contents
> of each script tag with the hashing algorithm specified in the
> script-hash directive. If the calculated hash's base64 encoding
> matches the base64 encoding of a hash value listed in the CSP header,
> we execute the script. Otherwise we block & report.
>
> In spec:
>
> The script-hash directive restricts script execution by requiring that
> the hash of a script's contents must appear in the directive in order
> for the script to be executed. The syntax for the name and value of
> the directive are described by the following ABNF grammar:
>
> directive-name = "script-hash"
> directive-value = hash-algorithm ":" hash-list
> hash-list = *WSP [ hash-value *( 1*WSP hash-value ) *WSP ]
> hash-value = 1*hash-char *( 1*hash-char )
> hash-char = ALPHA / DIGIT / "+" / "/" / "="
> hash-algorithm = "sha1" / "sha256"
>
> If script-hash is NOT specified as a directive:
>
> * The user agent MUST follow script-src behavior or inherited
> default-src behavior for inline scripts.
>
> If script-hash IS specified as a directive
>
> * Whenever the user agent would execute an inline script from a script
> element, the user agent MUST NOT execute the script unless the base64
> (rfc4648) encoding of the digest of the utf-8 encoded script contents
> when hashed with the hash-algorithm specified in the script-hash
> directive matches a base64 hash-value in the list of hash-values.
> User agents should pad the hash-values with '=' as necessary to make
> them valid base64 strings.
> * Whenever the user agent would execute a script from an inline event
> handler, instead the user agent MUST NOT execute the script.
> * Whenever the user agent would execute script contained in a
> javascript URI, instead the user agent MUST NOT execute the script.
> * The content-type HTTP header SHOULD be set.
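The hashing and matching procedure in the quoted proposal, worked through in Python as an added example (this is not code from the message, from Twitter, or from any browser). It shows both halves of the scheme: a server building a script-hash directive value from the inline scripts in a page, and a user agent deciding per script whether to execute or block. The `<script>` extraction is a simplified regex standing in for a real HTML parser, and the sample page is constructed for the demo; the hashing itself follows the proposal exactly (utf-8 encode, keep all leading and trailing whitespace, base64 the digest, pad hash-values with '=' before comparing).

```python
import base64
import hashlib
import re

# Simplified inline-script extraction for the demo; a real user agent
# takes script bodies from its HTML parser, not from a regex.
_SCRIPT_RE = re.compile(r"<script(?:\s[^>]*)?>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# The two hash-algorithm values allowed by the proposed ABNF.
HASH_ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed sample page: one script the site owner wrote, one it did not.
SAMPLE_HTML = (
    "<html><body>\n"
    "<script>\n  console.log('trusted');\n</script>\n"
    "<script type=\"text/javascript\">console.log('injected')</script>\n"
    "</body></html>\n"
)


def digest_b64(script_text: str, algorithm: str) -> str:
    """Hash script contents as the proposal describes: utf-8 encode the text
    with all leading/trailing whitespace intact, then base64 (RFC 4648) the digest."""
    hasher = HASH_ALGORITHMS[algorithm]
    return base64.b64encode(hasher(script_text.encode("utf-8")).digest()).decode("ascii")


def pad_base64(value: str) -> str:
    """Add '=' padding so a hash-value is a valid base64 string (the UA-side step)."""
    stripped = value.rstrip("=")
    return stripped + "=" * (-len(stripped) % 4)


def parse_script_hash(directive_value: str) -> tuple[str, set[str]]:
    """Parse 'hash-algorithm ":" hash-list' into (algorithm, set of padded hash-values).
    Rejects unknown algorithms and tokens outside the hash-char alphabet."""
    algorithm, _, hash_list = directive_value.partition(":")
    algorithm = algorithm.strip().lower()
    if algorithm not in HASH_ALGORITHMS:
        raise ValueError(f"unsupported hash-algorithm: {algorithm!r}")
    values = set()
    for token in hash_list.split():          # *WSP separated hash-values
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", token):
            raise ValueError(f"invalid hash-value: {token!r}")
        values.add(pad_base64(token))
    return algorithm, values


def build_directive_value(html: str, algorithm: str = "sha256") -> str:
    """Server side: produce the directive-value covering every inline script in
    the page. The policy line is then 'script-hash ' + this value."""
    hashes = [digest_b64(body, algorithm) for body in _SCRIPT_RE.findall(html)]
    return f"{algorithm}:" + " ".join(hashes)


def evaluate_inline_scripts(html: str, directive_value: str) -> list[tuple[str, bool]]:
    """User-agent side: for each inline script body, True means execute,
    False means block (and report)."""
    algorithm, allowed = parse_script_hash(directive_value)
    return [(body, digest_b64(body, algorithm) in allowed) for body in _SCRIPT_RE.findall(html)]


if __name__ == "__main__":
    # Policy built from only the trusted script, then applied to the whole page.
    trusted_only = "<script>\n  console.log('trusted');\n</script>"
    value = build_directive_value(trusted_only)
    print("Content-Security-Policy: script-hash", value)
    for body, ok in evaluate_inline_scripts(SAMPLE_HTML, value):
        print("EXECUTE" if ok else "BLOCK  ", repr(body))
```

Two details the proposal text calls out are visible here: the whitespace around a script body changes its digest, so the server must hash exactly the bytes it serves, and a hash-value sent without trailing '=' still matches because the user agent pads it before comparison.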
Received on Tuesday, 2 July 2013 21:58:14 UTC