Re: script-src requirements from Adam Barth on 2011-03-28 (public-web-security@w3.org from March 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 27 Mar 2011 17:04:51 -0700
To: public-web-security@w3.org
Message-ID: <AANLkTi=xvEDPyme6aH48M54P+Pt7Qq7T4+qAwmS6d48A@mail.gmail.com>

On Sun, Mar 27, 2011 at 4:48 PM, Adam Barth <w3c@adambarth.com> wrote:
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
> says:
>
> [[
> The script-src directive defines the list of sources that are
> permitted to load external <script> elements.
>
> The origin portion of the src attribute of an external <script>
> element MUST be present in the source list defined by the script-src
> directive in order for the script resource to be requested.
>
> User-agents MUST NOT request script resources from non-approved sources.
> ]]
>
> I'm having trouble understanding what that text means.  What is "the
> origin portion of the src attribute of an external <script> element"?
> For example, is <script src="relative-path.js"></script> banned
> because the src attribute doesn't have an appropriate origin portion?
>
> Does "user-agents MUST NOT request script resources from non-approved
> sources" mean that I'm supposed to enforce these restrictions on each
> hop of the redirect chain or just for the first request?  We should
> spell out the requirements explicitly because that's a likely area for
> implementation confusion (as evidenced by lots of historical screw-ups
> in the area of redirects).

I found this text at the bottom of the spec:

[[
For any protected document, when a request for a sub-document resource
is redirected to another location, whether temporary or permanent, all
locations in the resource's redirect chain, including the initial
location and all subsequent redirected locations, must be permitted by
the protected document's security policy in order for the sub-document
resource to be allowed to load. If any step in the redirect process
violates the protected document's security policy, the request should
be terminated immediately and the load canceled.
]]

It would be helpful if there was some connection between the
requirements for the directives and this text.  For example, you could
define earlier in the spec what it means to restrict a resource load
(and have some text like the above explaining what that means for
redirects) and then when describing the directives, you can refer to
the defined term.

Adam

> IMHO, we should phrase the resource-loading requirements for CSP in
> terms of HTML5's "fetch" apparatus:
>
> http://www.whatwg.org/specs/web-apps/current-work/#fetching-resources
>
> For example, that's how CORS specifies how to handle cross-origin
> XMLHttpRequests:
>
> http://www.w3.org/TR/access-control/

Received on Monday, 28 March 2011 00:06:01 UTC