RE: CSP: setAttribute allows eval from string from Hill, Brad on 2011-06-20 (public-web-security@w3.org from June 2011)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 20 Jun 2011 10:47:41 -0600
To: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <213E0EC97FE58F469BB618245B3118BB54F6BF038B@DEN-MEXMS-001.corp.ebay.com>

I'd disagree and say that:

1) I'm not ready to conclude that I can already tell what useful and interesting things people might be able to build with CSP, and that all inline script is a hopeless case.

(therefore...)

2) Disabling eval (and other features) in CSP should operate as "deep advice", that is, it should operate on the function itself, regardless of which access path is used for the call.    With ECMA Script 5, we can already do simple things like redefine eval() and set the new function as non-configurable.  What we have trouble doing is enumerating and disabling every possible alias to eval().

Philosophically, a CSP directive gives us a chance to provide advice directly to the scripting engine, before execution starts.  We should use that opportunity to enable things that are easy to do at that layer but are difficult or impossible from within the language itself.

-Brad

From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of Joel Howard Willis Weinberger
Sent: Thursday, June 16, 2011 2:42 PM
To: sird@rckc.at
Cc: Adam Barth; gaz Heyes; Jarred Nicholls; public-web-security@w3.org
Subject: Re: CSP: setAttribute allows eval from string

The theory at least is that even if you allow inline scripts, if you ban eval, that eliminates a class of attacks where an attacker can insert HTML sanitized code that says "eval(...)" (but because it was properly sanitized, they can't insert an inline script).

However, practically speaking, I agree with you, and as Adam said, "supplying unsafe-inline in your CSP policy basically
means you don't care about XSS".
--Joel
On Thu, Jun 16, 2011 at 2:04 PM, sird@rckc.at<mailto:sird@rckc.at> <sird@rckc.at<mailto:sird@rckc.at>> wrote:
What is the rationale behind having 2 options?

inline-script and eval-script

Via inline-script you can simulate an eval-script.

Via eval-script you can simulate an inline-script.

-- Eduardo

On Thu, Jun 16, 2011 at 4:01 PM, Adam Barth <w3c@adambarth.com<mailto:w3c@adambarth.com>> wrote:
> On Thu, Jun 16, 2011 at 12:34 PM, gaz Heyes <gazheyes@gmail.com<mailto:gazheyes@gmail.com>> wrote:
>> On 16 June 2011 18:55, Jarred Nicholls <jarred@sencha.com<mailto:jarred@sencha.com>> wrote:
>>> I'm not following, why would there be a difference in treatment between
>>> DOM access and the parser?
>>
>> Normally string data isn't accepted with an event specified in the DOM. So
>> something like:-
>> document.getElementById('x').onclick=function(){};
>>
>> So I thought since CSP disables eval, setTimeout etc setAttribute should be
>> included because it converts string data into JavaScript code. For example:-
>> document.getElementById('x').setAttribute('onclick','alert(1)');
>>
>> You obviously all don't agree and that's fine
>
> My sense is that supplying unsafe-inline in your CSP policy basically
> means you don't care about XSS, so I'm not that worried about this
> vector.
>
> Adam
>

Received on Monday, 20 June 2011 16:48:12 UTC