- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Thu, 21 Jun 2012 15:09:24 -0700
- To: W3C Web App Security WG <public-webappsec@w3.org>
Comments on Content Security Policy 1.0 Editor's Draft
http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html
The CSPv1.0 spec has markedly improved over the last year+ set of revisions.
Hat tip to AdamB and the working group on that.
Although the list of comments below appears somewhat long, they largely concern
fine-grained aspects of the spec. Overall, I found the spec to be in good shape
-- it is well organized, readable, essentially complete, etc.
I suggest the below comments be appropriately incorporated/resolved prior to
going formally into Last Call.
I hope this helps,
=JeffH
Substantive comments:
---------------------
Overall..
Are there any salient differences between HTML5 and HTML4 resources that
browser implementers will have to code for in terms of implementing CSP policy
enforcement? Other than <applet> ?
Also, the <source> and <track> html5 elements have "src=" attrs, but aren't
mentioned in the CSP spec. should they be mentioned along with <video> and
<audio> wherever the latter occur ?
the spec should probably mention that it applies to today's state of the world,
as described by it and it's normative references, at time of publication. Thus
if someone e.g. invents some new javascript/DOM gizmo that's a possible avenue
for exploitation, and it gets implemented in some web user agents (new stuff is
apparently getting added and "shipped" all the time it seems), the CSP spec,
UAs' CSP implementations, and existing web application CSP policies may not
account for it.
This raises the question of "does the spec accurately and completely specify,
as of Last Call exit time, all the various facets of HTML/DOM/javascript that
are applicable for all the directive enforcement algorithms?" -- it may be good
to get some appropriate experts (who haven't yet been directly involved in CSP)
to do a fine-grained double-check (during Last Call say) just to make sure (?).
All the directive sections effectively contain, after their description of the
ABNF, what I'll term "directive enforcement algorithms", but these aren't
denoted as such. however "3.2.11 report-uri" includes the overall statement
"the user agent must use an algorithm equivalent to the following:" Should
the other directive sections include such a statement (I could go either way).
if not, perhaps it is unnecessary in 3.2.11 ?
within "2. Conformance"..
given that we have the one directive, "sandbox", which is marked as "(optional)"...
3.2.10 sandbox (Optional)
..should the "conformant user agent" definition (perhaps that phrase should be
in <dfn> element?) thus become..
A conformant user agent is one that implements all the requirements
listed in this specification that are applicable to user-agents, and
MAY implement those marked as "(Optional)".
Plus, such a change might have implications for this sentence from 3.2.10
Sandbox...
The sandbox directive is optional. If the user agent does not
support the sandbox attribute, the user agent must ignore every
sandbox directive.
..i.e. perhaps it could be simplified (haven't really thought about it though).
Also, the first sentence is..
As well as sections marked as non-normative, all authoring guidelines,
diagrams, examples, and notes in this specification are non-normative.
..however, there's four occurrences of "Note:" in various places within overall
section 3 that are arguably normative, so perhaps "note" should be dropped from
the above sentence.
within "2.1 Terminology"..
This section, in its five opening paragraphs, defines key concepts (e.g.,
application of security polices to protected resources), not simply
terminology. Perhaps it should be renamed "Key Concepts and Terminology", or
split into two subsections.
This para seems somewhat inaccurate/confusing given terms and notions that are
used elsewhere in the spec..
"A server transmits its security policy for a particular resource as a
collection of directives, such as default-src 'self', each of which controls a
specific set of privileges for a document rendered by the user agent."
a suggested clarification..
"A server transmits its security policy for a particular protected resource
as a collection of directives, such as default-src 'self', each of which
controls a specific set of privileges for that protected resource as
instantiated by the user agent."
this section also states..
"The Augmented Backus-Naur Form (ABNF) notation used in this document
is specified in RFC 5234. [ABNF]"
However, header field ABNF uses "1#policy". The "#rule" is an ABNF extension
defined in RFC2616 HTTP (and in httpbis) and thus should be appropriately
normatively cited.
within "3.1 Policy Delivery"
This section says for both Content-Security-Policy (CSP) and the
Content-Security-Policy-Report-Only (CSPRO) Header Fields that..
"A server may send more than one HTTP header field named ... with a given
resource representation."
However, later in section "3.5 Implementation Considerations" the following is
stated..
"administrators ought to remember that the user agent will enforce only the
first policy statement it receives. To enforce multiple policies, the
administrator must combine the policy into a single header. "
Plus the ABNF for the header fields is..
1#policy
..which indicates that a header field can have a comma-separated list of policies..
Content-Security-Policy: policy, policy, ...
..where..
policy = [ directive *( ";" [ directive ] ) ]
Which all seems to imply that for the aforementioned policy combination (of
multiple occurrences of policies and/or CSP header fields), that they /can/ be
simply combined by forming a single header field with the polices comma
separated. However clarifying how that might work in the context of enforcement
of "the first policy statement it receives" needs to be figured out.
Also, the term "policy statement" occurs only once in the spec in that sentence
above and thus it isn't clear whether a "policy statement" is the value of a
"policy" production, or whether it is the CSP/CSPRO header field value.
The above ought to be sorted out and appropriate language added to section "3.1
Policy", and possibly "3.5 Implementation Considerations", as well as
appropriate cross-references between the two sections.
Additionally, the final paragraph of section 3.1.2 beginning "A server may
monitor one policy while enforcing another policy." should arguably be a
subsection on it's own, i.e. as section 3.1.3.
The spec implies that the CSP/CSPRO header fields are not mutually-exclusive,
but doesn't explicitly state that.
within "3.1.3.2 Source List"...
in <dfn>source expression</dfn> it says...
the set of URIs which are in the same origin as the protected resource
for clarity, "origin" here should be a link back to dfn>origin</dfn> in terminology
in the #matches-a-source-expression algorithm, it declares..
Let scheme, host, and port be the scheme, host, and port of the
URI, respectively
..where the only contextually declared difference between the two different
sets of the scheme, host, and port terms being their display style (italics vs
plain). Thus I found it somewhat difficult to parse the non-trivial
#matches-a-source-expression algorithm text.
I suggest renaming the first set of scheme, host, and port to something like
"uri-scheme, uri-host, and uri-port", and retaining their italicized style
treatment.
within "3.2.2 script-src"..
WRT operator eval, function eval, function Function, setTimeout function,
setInterval function -- they should probably explicitly note they are
javascript constructs and reference the appropriate ecmascript spec
given the language the directive enforcement algorithm employs for
'unsafe-inline' and 'unsafe-eval', i.e. "If <one of them> is not in allowed
script sources..", then given a directive of say..
script-src example.com 'unsafe-inline'
..then the 'unsafe-inline' effectively obviates inline script protection, _but_
eval will be blocked for all sources other than from example.com.
It might be worth it to explain such nuances more explicitly. Perhaps could
expand example 3 (which needs more full explanation anyway wrt the 'unsafe-'
keyword-sources), maybe add an example 4 using script-src and 'unsafe-', and
reference them from the directive sections that mention the 'unsafe-'
keyword-sources.
within "3.2.3 object-src"..
where "nested browsing context" is mentioned ought to reference:
<http://dev.w3.org/html5/spec/single-page.html#nested-browsing-contexts>
("nested browsing context" is also mentioned elsewhere so a centralized defn
might be appropriate)
In the fourth para where it says..
"It is not required that the consumer of the element's data be a plugin
in order for the object-src directive to be enforced. Data for any object,
embed, or applet element must match the allowed object sources in order
to be fetched. This is true even when the element data is semantically
equivalent to content which would be restricted by one of the other
directives, such as an object element with a text/html MIME type."
It isn't clear to me what the implication of the final sentence is -- why does
it matter if the content "would be" restricted by other directives ? Does it
mean I don't need to use the object-src directive in some cases, or that i had
better use all applicable directives, or something else ?
within "3.2.6 media-src"..
should <source> and <track> html5 elements be mentioned here too?
within 3.2.10 sandbox (Optional)
"forced sandboxing flag set" is presently a simple link to the definition in
HTML5 spec of that term. I think also having an explicit citation to [HTML5]
would be helpful for the reader here, perhaps saying something like "Sandboxing
is defined in [HTML5], and link to
<http://dev.w3.org/html5/spec/single-page.html#sandboxing>"
Also, it seems that HTML5 doesn't actually define any explicit profiles of
required flags in a "forced sandboxing flag set", saying only near the end of
step 20 of "5.6.1 Navigating across documents" that
"A resource by default has no flags set in its forced sandboxing flag
set, but other specifications can define that certain flags are set."
So is there an explicit profile of required flags in a "forced sandboxing flag
set" that CSP can reference and user agents can implement? Otherwise it seems
that it will be difficult to be able to implement sandbox enforcement in an
interoperable fashion. Or am I misunderstanding this?
within "3.2.11 report-uri"..
Is a "dictionary" a defined JSON concept? the manner in which the term is used
in this section seems to imply this. if so the concept should be referenced
wherever it's defined.
I find this confusing (until reading to the Note at the very end)..
"Fetch the report URI from origin of the protected resource, with the
synchronous flag not set, using HTTP method POST, with a Content-Type
header field of application/json with an entity body consisting of the
violation report. The user agent must not follow redirects when fetching
this resource. (Note: The user agent ignores the fetched resource.)"
In that we're trying to simply say "send the report to the address given by the
web origin of the protected resource, using HTTP POST method" (yes?)
i.e. the term "Fetch" threw me off, and here it isn't linked to the HTML5
"fetching" algorithm. If in W3C parlance "fetch" is the right thing to use
even here, perhaps parenthetically explain that this will result in "sending"
the report.
unfortunately, it seems the HTML5 spec doesn't, other than form submission
(which is defined it seems such that it's pretty strictly tied to the <form>
element processing), define an algorithm for "sending" arbitrary data, and thus
we have the above tortured use of "fetch" to mean "send" (I suppose this is a
comment on an arguably missing piece in the HTML5 spec?)
within "3.4 Security Considerations"..
The privacy leakage aspects of the violation reports (c.f. the list discussion)
should be noted.
Should provide (informative?) reference(s) for:
resource representation
content injection vulnerabilities
cross-site scripting (XSS)
bookmarklets
plugins -- http://dev.w3.org/html5/spec/single-page.html#plugin
Add to normative references:
CSSOM
DOM ? ("DOM APIs" are mentioned once in "3.2.9 connect-src")
ecmascript -- due to normatively referring to eval et al
Extensible Stylesheet Language Transformations (XSLT)
ecmascript
HTTP -- RFC2616 mentioned in many places, and in ABNF in 3.2.10 sandbox
RFC3986 (URIs) -- is ref'd in ABNF in 3.2.11 report-uri
XML (e.g., for where the spec mentions "XML document")
editorial items:
---------------
overall..
the HTTP spec should be formally referenced. a convenience ref for the
often-occuring "400 HTTP response" would be nice
a direct link for 400 response is
<https://tools.ietf.org/html/rfc2616#section-10.4.1>
the header fields defined in this spec are formally "HTTP response header
fields" and should be designated as such (at least in the first occurrences in
section 3.1)
eg "The server delivers the policy to the user agent via an HTTP response
header" should be "The server delivers the policy to the user agent via an HTTP
response header field."
in terminology, some referenced specs are referred to as "specification",
others are referred to as "standard" -- should pick one for consistency (i vote
for "specification").
the term "document" is used in a few places where it arguably should be
"resource", "resource representation", or "protected resource"
- an occurrence is in "2.1 terminology" and is already corrected above
- two occurrences in "3.3.2 Sample Violation Report"
- an occurrence in "3.4.1 Cascading Style Sheet (CSS) Parsing"
within "1. Introduction"..
"the server need to supply" should be "the server needs to supply"
within "2.1 Terminology"..
[Origin] should point to RFC6454 :) and be added to the Normative References list.
[WEBSOCKET], [EVENTSOURCE] should be added to the Normative References list.
expand "CSS" acronym
within #matches-a-source-expression..
"If the source expression a single U+002A ASTERISK" should be "If the source
expression consists of a single U+002A ASTERISK" ?
"if the URI has the same scheme, host, and port as the resource's URI" should
be "if the URI has the same scheme, host, and port as the protected resource's
URI" ?
within "3.1.4 Processing Model"..
"Generally speaking, enforcing a directive prevent" should be "Generally
speaking, enforcing a directive prevents" ?
"enforcing the policy will break the web application" could be "enforcing the
policy will cause the web application to malfunction"
"Whenever a user agent runs a worker"
Should probably have a formal reference to <http://www.w3.org/TR/workers/> spec.
within "3.2 Directives"..
"In order to protect against Cross-site Scripting (XSS), authors should
include" ..should more clearly be..
"In order to protect against Cross-site Scripting (XSS), web application
authors should include in their CSP policies:"
within "3.2.2 script-src"..
reference for XSLT and "stylesheets" ?
within "3.2.4 style-src"..
CSSOM ? expansion & reference?
within "3.2.7 frame-src"..
html5 has a specific subsection entitled "Navigating nested browsing contexts
in the DOM", perhaps should reference?
within "3.2.11 report-uri"..
"Prepare a dictionary violation dictionary" should be just "Prepare a violation
dictionary" (even though the first occurance of dictionary is plain text and
"violation dictionary" is italics)
Nits:
-----
section "3.1.3 Syntax" should perhaps be "3.1.3 Syntax and Algorithms"
"parse a CSP policy" should be a section (so it shows up in the TOC)
"parse a source list" should be a section (ditto)
"URI matches a source expression" should be a section (ditto)
"URI matches a source list" should be a section (ditto)
---
end
Received on Thursday, 21 June 2012 22:09:56 UTC