Re: CSP interaction with about:blank and document.open from Brandon Sterne on 2011-03-29 (public-web-security@w3.org from March 2011)

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 29 Mar 2011 14:24:49 -0700
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
Message-ID: <4D924E21.7020000@mozilla.com>

This was sure easier when we were just dealing with CSP-over-HTTP :-)

On 03/24/2011 04:26 PM, Adam Barth wrote:
> Sayeth CSP:
> 
> [[
> If a scheme is not specified as part of the source expression, a
> user-agent MUST use the same scheme as the protected document.
> ]]
> 
> Which scheme, precisely, should we use?  For example, suppose we have
> an about:blank document that (somehow) acquires a CSP policy.  Should
> we use "about" as the default scheme?

In Gecko, window.open()ed documents receive the principal, and thus
location, of the opener.  You can verify this using the following test
(which works in Firefox and Safari, but not Chrome for some reason):

var w = window.open("about:blank");
w.document.write("<scr"+"ipt>alert(location.href)</scr"+"ipt>");

So it would follow that if a page calls window.open() and
document.write()s some content and a CSP into the document, then the
user agent would use the document principal to produce the default scheme.

> Suppose we have an about:blank iframe inside a document with a CSP
> policy.  Should the document inside the iframe be bound by the CSP
> policy of the paper frame?  (Same question for data URLs.)

I'm honestly not sure if the document inside the about:blank iframe
should inherit the outer document's CSP, but one possible solution would
be to say no and simply permit the container document to inject a policy
as a <meta> element when it populates the iframe.  This would allow a
site to implement either inherit or don't-inherit behavior for this type
of dynamic iframe.

> Recommendation:
> 
> 1) We should incorporate the CSP policy for a document into the
> security origin state for the document, just as HTML5 does for
> iframe@sandbox.  That means the CSP policy will inherit although with
> the rest of the document's security context (e.g., origin and sandbox
> flags).

I don't know if we want this.  This would eliminate the ability of a CSP
page to create an about:blank or data: iframe/window that doesn't share
the same policy.  I don't know if that is a huge problem, but it does
seem like one we could avoid by having user agents keep track of who
opened each window and inheriting some data from the opener, but not
necessarily the entire security context.

> 2) We should grab the scheme from the origin of the document.

I think you are using "origin" here as I was using "principal" above.

> If the
> document has a security origin that lacks a scheme (e.g., because it's
> been sandboxed), then we ignore source values without an explicit
> scheme (aka, no soup for you).

I totally agree with this.

-Brandon

> Thoughts?
> Adam

Received on Tuesday, 29 March 2011 21:22:42 UTC