- From: Mike West <mkwst@google.com>
- Date: Tue, 18 Dec 2012 06:43:45 -0800
- To: Florian Lasinger <florian@lasinger.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dayXJe4zFEzWryQ2kVL81gDwVaToCz+zEg5QzAUkgR0g@mail.gmail.com>
Hi Flo, thanks for the feedback. I'll add an example to make the section more clear.

Regarding the behavior in general, I do think there's room for argument about the interaction between the two directives. The currently specified "and" behavior makes sense to me, and seems to have the best security properties as it asks the developer to explicitly whitelist all possible sources of script for a page via 'script-src', and then specifically allow each in a given context via the nonce. It does seem to be surprising, however. You're certainly not the first to note that the current behavior doesn't match your expectations.

Changing the directive to more "or"ish behavior would mean that, given a nonce, script from untrusted origins could be loaded. I don't think there's a way to exploit that without already having script access to the page, but I haven't thought about it enough to be sure.

I'm interested in others' opinions. :)

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Wed, Dec 12, 2012 at 4:51 AM, Florian Lasinger <florian@lasinger.org> wrote:

> @chapter „4.12.2 Interaction with the script-src directive“
>
> The document contains one example for the case
> „nonce provided and correct / src not allowed by script-src directive“.
>
> There should be an example for the inverse case
> „no nonce provided / src allowed by script-src directive“.
>
> As it currently stands, the second case script would be rejected because
> it doesn't have a nonce.
>
> Intuitively I would assume the script to be safe because it comes from a
> whitelisted origin.
>
> Therefore I would propose to restrict the relevant enforcing rule to only
> script tags with content.
>
> Sincerely,
> Flo
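As an added illustration (not part of this thread, and not code from the CSP draft it discusses): a toy policy evaluator that models the three candidate semantics for external scripts, so the cases Flo and Mike describe can be tabulated side by side. "and" is the draft behavior Mike defends (script-src must allow the origin and the nonce must match), "or" is the alternative he warns about (either condition admits the script), and "proposal" is Flo's suggestion (the nonce gates only inline script tags, so external scripts are governed by the whitelist alone). The policy shape, the nonce value, and the origins are constructed for the example; only external scripts are tabulated because the thread's cases are all about `src`.

```javascript
// Constructed sample policy: a script-src whitelist plus a per-response nonce.
// Both values are hypothetical; nothing here is a real site or a real secret.
const policy = {
  scriptSrc: ["'self'", "https://cdn.example"], // hypothetical whitelist
  nonce: "d3adb33f",                            // hypothetical page nonce
};

// Reduce a URL to its origin (scheme + host + port).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does the external script's origin match a script-src source expression?
// 'self' resolves against the page's own origin; everything else is a host.
function srcAllowed(policy, pageUrl, scriptUrl) {
  const origin = originOf(scriptUrl);
  return policy.scriptSrc.some((expr) =>
    expr === "'self'" ? origin === originOf(pageUrl) : origin === originOf(expr)
  );
}

// A nonce only counts when present and equal to the one the page was served with.
function nonceMatches(policy, scriptNonce) {
  return scriptNonce !== null && scriptNonce === policy.nonce;
}

// mode: "and" (draft behavior), "or" (the alternative), or "proposal"
// (nonce applies only to inline scripts, so external scripts use the whitelist).
function scriptAllowed(policy, pageUrl, script, mode) {
  const src = srcAllowed(policy, pageUrl, script.url);
  const nonce = nonceMatches(policy, script.nonce);
  switch (mode) {
    case "and":      return src && nonce;
    case "or":       return src || nonce;
    case "proposal": return src;
    default: throw new Error(`unknown mode: ${mode}`);
  }
}

// The cases from the thread: the one the draft documents, the inverse case Flo
// asked for, and the cross-origin-with-nonce case Mike raises for "or".
function interactionTable(mode) {
  const page = "https://app.example/";
  const cases = {
    "whitelisted src, nonce":     { url: "https://cdn.example/a.js",  nonce: "d3adb33f" },
    "whitelisted src, no nonce":  { url: "https://cdn.example/a.js",  nonce: null },
    "other src, nonce":           { url: "https://other.example/b.js", nonce: "d3adb33f" },
    "other src, no nonce":        { url: "https://other.example/b.js", nonce: null },
  };
  const result = {};
  for (const [name, script] of Object.entries(cases)) {
    result[name] = scriptAllowed(policy, page, script, mode);
  }
  return result;
}

console.table({
  and: interactionTable("and"),
  or: interactionTable("or"),
  proposal: interactionTable("proposal"),
});
```

The table makes the trade-off concrete: "and" blocks the whitelisted-but-nonceless script that surprised Flo, while "or" admits a script from an origin that script-src never listed as soon as it carries the nonce, which is exactly the widening Mike points at. For comparison with what shipped later: in CSP Level 2 the nonce became a `'nonce-…'` source expression inside script-src itself, so a matching nonce admits a script without a matching host entry.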
Received on Tuesday, 18 December 2012 14:44:34 UTC