W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2012

Re: Content-Security-Policy and dynamically added meta elements

From: Mike West <mkwst@google.com>
Date: Sat, 29 Dec 2012 10:53:24 +0100
Message-ID: <CAKXHy=czuoBKn+QqiK8Mcj075Z_MWr1ErYz4HOdx3S48V=NeuA@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Dec 28, 2012 at 12:29 PM, Yoav Weiss <yoav@yoav.ws> wrote:

> For example, for a site that enables inline-scripts but restricts its
> allowed hosts using `default-src`, a user-generated malicious inline script
> that is part of the page’s HTML can steal session cookies, but cannot send
> them to a malicious host. Allowing that script (that runs before the
> domReady is in interactive mode) to modify the CSP directives by dynamically
> adding a `connect-src` directive, will enable the attacker to send the
> stolen cookie data to the malicious host.

If more than one policy is present (because two
`Content-Security-Policy` headers were delivered, for instance), each
is enforced. This means that the malicious inline script in your
example would be able to inject a new policy that included
`connect-src`, but that any connection would have to be allowed by
_both_ the new and existing policies.

It shouldn't be possible to loosen an existing policy via header or
meta tag injection, only to tighten the page's effective policy by
adding additional restrictions.

Note also that 3.1.3 is very much still in flux. The rules outlined
there don't reflect WebKit's current implementation, and some of the
important questions are still up in the air. Feedback on the use-cases
surrounding the meta tag are very welcome. :)

> What is the benefit from allowing dynamically added CSP directives?
> Wouldn’t it be safer to restrict them altogether?

The use case that's clearest to me is an application that "boots" with
some loose (or non-existent) policy, and then locks itself down once
it's finished doing dangerous things by injecting a meta tag.

The meta tag also allows users who don't have control over a page's
HTTP headers (shared hosting, etc) to use CSP to lower their risk of

Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Saturday, 29 December 2012 09:54:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:30 UTC