W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2012

Comments on Content Security Policy 1.0 Editor's Draft

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Thu, 21 Jun 2012 15:09:24 -0700
Message-ID: <4FE39B94.8010902@KingsMountain.com>
To: W3C Web App Security WG <public-webappsec@w3.org>
Comments on Content Security Policy 1.0 Editor's Draft

The CSPv1.0 spec has markedly improved over the last year+ set of revisions. 
Hat tip to AdamB and the working group on that.

Although the list of comments below appears somewhat long, they largely concern 
fine-grained aspects of the spec. Overall, I found the spec to be in good shape 
-- it is well organized, readable, essentially complete, etc.

I suggest the below comments be appropriately incorporated/resolved prior to 
going formally into Last Call.

I hope this helps,


Substantive comments:


Are there any salient differences between HTML5 and HTML4 resources that 
browser implementers will have to code for in terms of implementing CSP policy 
enforcement?  Other than <applet> ?

Also, the <source> and <track> html5 elements have "src=" attrs, but aren't
mentioned in the CSP spec.  should they be mentioned along with <video> and 
<audio> wherever the latter occur ?

the spec should probably mention that it applies to today's state of the world, 
as described by it and it's normative references, at time of publication. Thus 
if someone e.g. invents some new javascript/DOM gizmo that's a possible avenue 
for exploitation, and it gets implemented in some web user agents (new stuff is 
apparently getting added and "shipped" all the time it seems), the CSP spec, 
UAs' CSP implementations, and existing web application CSP policies may not 
account for it.

This raises the question of "does the spec accurately and completely specify, 
as of Last Call exit time, all the various facets of HTML/DOM/javascript that 
are applicable for all the directive enforcement algorithms?" -- it may be good 
to get some appropriate experts (who haven't yet been directly involved in CSP) 
to do a fine-grained double-check (during Last Call say) just to make sure (?).

All the directive sections effectively contain, after their description of the 
ABNF, what I'll term "directive enforcement algorithms", but these aren't 
denoted as such. however "3.2.11 report-uri" includes the overall statement 
"the user agent must use an algorithm equivalent to the following:"   Should 
the other directive sections include such a statement (I could go either way). 
if not, perhaps it is unnecessary in 3.2.11 ?

within "2. Conformance"..

given that we have the one directive, "sandbox", which is marked as "(optional)"...

   3.2.10 sandbox (Optional)

..should the "conformant user agent" definition (perhaps that phrase should be 
in <dfn> element?) thus become..

   A conformant user agent is one that implements all the requirements
   listed in this specification that are applicable to user-agents, and
   MAY implement those marked as "(Optional)".

Plus, such a change might have implications for this sentence from 3.2.10 

   The sandbox directive is optional. If the user agent does not
   support the sandbox attribute, the user agent must ignore every
   sandbox directive.

..i.e. perhaps it could be simplified (haven't really thought about it though).

Also, the first sentence is..

   As well as sections marked as non-normative, all authoring guidelines,
   diagrams, examples, and notes in this specification are non-normative.

..however, there's four occurrences of "Note:" in various places within overall 
section 3 that are arguably normative, so perhaps "note" should be dropped from 
the above sentence.

within "2.1 Terminology"..

This section, in its five opening paragraphs, defines key concepts (e.g., 
application of security polices to protected resources), not simply 
terminology. Perhaps it should be renamed "Key Concepts and Terminology", or 
split into two subsections.

This para seems somewhat inaccurate/confusing given terms and notions that are 
used elsewhere in the spec..

    "A server transmits its security policy for a particular resource as a 
collection of directives, such as default-src 'self', each of which controls a 
specific set of privileges for a document rendered by the user agent."

   a suggested clarification..

   "A server transmits its security policy for a particular protected resource 
as a collection of directives, such as default-src 'self', each of which 
controls a specific set of privileges for that protected resource as 
instantiated by the user agent."

this section also states..

   "The Augmented Backus-Naur Form (ABNF) notation used in this document
    is specified in RFC 5234. [ABNF]"

However, header field ABNF uses "1#policy". The "#rule" is an ABNF extension 
defined in RFC2616 HTTP (and in httpbis) and thus should be appropriately 
normatively cited.

within "3.1 Policy Delivery"

This section says for both Content-Security-Policy (CSP) and the 
Content-Security-Policy-Report-Only (CSPRO) Header Fields that..

   "A server may send more than one HTTP header field named ... with a given 
resource representation."

However, later in section "3.5 Implementation Considerations" the following is 

   "administrators ought to remember that the user agent will enforce only the 
first policy statement it receives. To enforce multiple policies, the 
administrator must combine the policy into a single header. "

Plus the ABNF for the header fields is..


..which indicates that a header field can have a comma-separated list of policies..

   Content-Security-Policy: policy, policy, ...


   policy            = [ directive *( ";" [ directive ] ) ]

Which all seems to imply that for the aforementioned policy combination (of 
multiple occurrences of policies and/or CSP header fields), that they /can/ be 
simply combined by forming a single header field with the polices comma 
separated. However clarifying how that might work in the context of enforcement 
of "the first policy statement it receives" needs to be figured out.

Also, the term "policy statement" occurs only once in the spec in that sentence 
above and thus it isn't clear whether a "policy statement" is the value of a 
"policy" production, or whether it is the CSP/CSPRO header field value.

The above ought to be sorted out and appropriate language added to section "3.1 
Policy", and possibly "3.5 Implementation Considerations", as well as 
appropriate cross-references between the two sections.

Additionally, the final paragraph of section 3.1.2 beginning "A server may 
monitor one policy while enforcing another policy." should arguably be a 
subsection on it's own, i.e. as section 3.1.3.

The spec implies that the CSP/CSPRO header fields are not mutually-exclusive, 
but doesn't explicitly state that.

within " Source List"...

in <dfn>source expression</dfn> it says...

   the set of URIs which are in the same origin as the protected resource

for clarity, "origin" here should be a link back to dfn>origin</dfn> in terminology

in the #matches-a-source-expression algorithm, it declares..

   Let scheme, host, and port be the scheme, host, and port of the
   URI, respectively

..where the only contextually declared difference between the two different 
sets of the scheme, host, and port terms being their display style (italics vs 
plain). Thus I found it somewhat difficult to parse the non-trivial 
#matches-a-source-expression algorithm text.

I suggest renaming the first set of scheme, host, and port to something like 
"uri-scheme, uri-host, and uri-port", and retaining their italicized style 

within "3.2.2 script-src"..

WRT operator eval, function eval, function Function, setTimeout function, 
setInterval function -- they should probably explicitly note they are 
javascript constructs and reference the appropriate ecmascript spec

given the language the directive enforcement algorithm employs for 
'unsafe-inline' and 'unsafe-eval', i.e. "If <one of them> is not in allowed 
script sources..", then given a directive of say..

   script-src example.com 'unsafe-inline'

..then the 'unsafe-inline' effectively obviates inline script protection, _but_ 
eval will be blocked for all sources other than from example.com.

It might be worth it to explain such nuances more explicitly. Perhaps could 
expand example 3 (which needs more full explanation anyway wrt the 'unsafe-' 
keyword-sources), maybe add an example 4 using script-src and 'unsafe-', and 
reference them from the directive sections that mention the 'unsafe-' 

within "3.2.3 object-src"..

where "nested browsing context" is mentioned ought to reference:
("nested browsing context" is also mentioned elsewhere so a centralized defn 
might be appropriate)

In the fourth para where it says..

   "It is not required that the consumer of the element's data be a plugin
    in order for the object-src directive to be enforced. Data for any object,
    embed, or applet element must match the allowed object sources in order
    to be fetched. This is true even when the element data is semantically
    equivalent to content which would be restricted by one of the other
    directives, such as an object element with a text/html MIME type."

It isn't clear to me what the implication of the final sentence is -- why does 
it matter if the content "would be" restricted by other directives ?  Does it 
mean I don't need to use the object-src directive in some cases, or that i had 
better use all applicable directives, or something else ?

within "3.2.6 media-src"..

should <source> and <track> html5 elements be mentioned here too?

within 3.2.10 sandbox (Optional)

"forced sandboxing flag set" is presently a simple link to the definition in 
HTML5 spec of that term. I think also having an explicit citation to [HTML5] 
would be helpful for the reader here, perhaps saying something like "Sandboxing 
is defined in [HTML5], and link to 

Also, it seems that HTML5 doesn't actually define any explicit profiles of 
required flags in a "forced sandboxing flag set", saying only near the end of 
step 20 of "5.6.1 Navigating across documents" that

    "A resource by default has no flags set in its forced sandboxing flag
     set, but other specifications can define that certain flags are set."

So is there an explicit profile of required flags in a "forced sandboxing flag 
set" that CSP can reference and user agents can implement?  Otherwise it seems 
that it will be difficult to be able to implement sandbox enforcement in an 
interoperable fashion.  Or am I misunderstanding this?

within "3.2.11 report-uri"..

Is a "dictionary" a defined JSON concept? the manner in which the term is used 
in this section seems to imply this. if so the concept should be referenced 
wherever it's defined.

I find this confusing (until reading to the Note at the very end)..

   "Fetch the report URI from origin of the protected resource, with the
    synchronous flag not set, using HTTP method POST, with a Content-Type
    header field of application/json with an entity body consisting of the
    violation report. The user agent must not follow redirects when fetching
    this resource. (Note: The user agent ignores the fetched resource.)"

In that we're trying to simply say "send the report to the address given by the 
web origin of the protected resource, using HTTP POST method" (yes?)

i.e. the term "Fetch" threw me off, and here it isn't linked to the HTML5 
"fetching" algorithm.  If in W3C parlance "fetch" is the right thing to use 
even here, perhaps parenthetically explain that this will result in "sending" 
the report.

unfortunately, it seems the HTML5 spec doesn't, other than form submission 
(which is defined it seems such that it's pretty strictly tied to the <form> 
element processing), define an algorithm for "sending" arbitrary data, and thus 
we have the above tortured use of "fetch" to mean "send"  (I suppose this is a 
comment on an arguably missing piece in the HTML5 spec?)

within "3.4 Security Considerations"..

The privacy leakage aspects of the violation reports (c.f. the list discussion) 
should be noted.

Should provide (informative?) reference(s) for:

resource representation

content injection vulnerabilities

cross-site scripting (XSS)


plugins  -- http://dev.w3.org/html5/spec/single-page.html#plugin

Add to normative references:


DOM ?  ("DOM APIs" are mentioned once in "3.2.9 connect-src")

ecmascript  -- due to normatively referring to eval et al

Extensible Stylesheet Language Transformations (XSLT)


HTTP  -- RFC2616 mentioned in many places, and in ABNF in 3.2.10 sandbox

RFC3986 (URIs) -- is ref'd in ABNF in 3.2.11 report-uri

XML (e.g., for where the spec mentions "XML document")

editorial items:


the HTTP spec should be formally referenced. a convenience ref for the 
often-occuring "400 HTTP response" would be nice
a direct link for 400 response is 

the header fields defined in this spec are formally "HTTP response header 
fields" and should be designated as such (at least in the first occurrences in 
section 3.1)

eg "The server delivers the policy to the user agent via an HTTP response 
header" should be "The server delivers the policy to the user agent via an HTTP 
response header field."

in terminology, some referenced specs are referred to as "specification", 
others are referred to as "standard" -- should pick one for consistency (i vote 
for "specification").

the term "document" is used in a few places where it arguably should be 
"resource", "resource representation", or "protected resource"
  - an occurrence is in "2.1 terminology" and is already corrected above
  - two occurrences in "3.3.2 Sample Violation Report"
  - an occurrence in "3.4.1 Cascading Style Sheet (CSS) Parsing"

within "1. Introduction"..

"the server need to supply" should be "the server needs to supply"

within "2.1 Terminology"..

[Origin] should point to RFC6454 :)  and be added to the Normative References list.

[WEBSOCKET], [EVENTSOURCE] should be added to the Normative References list.

expand "CSS" acronym

within #matches-a-source-expression..

"If the source expression a single U+002A ASTERISK"  should be "If the source 
expression consists of a single U+002A ASTERISK" ?

"if the URI has the same scheme, host, and port as the resource's URI" should 
be "if the URI has the same scheme, host, and port as the protected resource's 
URI" ?

within "3.1.4 Processing Model"..

"Generally speaking, enforcing a directive prevent"  should be "Generally 
speaking, enforcing a directive prevents" ?

"enforcing the policy will break the web application"  could be "enforcing the 
policy will cause the web application to malfunction"

"Whenever a user agent runs a worker"
Should probably have a formal reference to <http://www.w3.org/TR/workers/> spec.

within "3.2 Directives"..

"In order to protect against Cross-site Scripting (XSS), authors should 
include"    ..should more clearly be..

"In order to protect against Cross-site Scripting (XSS), web application 
authors should include in their CSP policies:"

within "3.2.2 script-src"..

reference for XSLT and "stylesheets" ?

within "3.2.4 style-src"..

CSSOM ?  expansion & reference?

within "3.2.7 frame-src"..

html5 has a specific subsection entitled "Navigating nested browsing contexts 
in the DOM", perhaps should reference?

within "3.2.11 report-uri"..

"Prepare a dictionary violation dictionary" should be just "Prepare a violation 
dictionary" (even though the first occurance of dictionary is plain text and 
"violation dictionary" is italics)


section "3.1.3 Syntax" should perhaps be "3.1.3 Syntax and Algorithms"

"parse a CSP policy" should be a section (so it shows up in the TOC)

"parse a source list" should be a section (ditto)

"URI matches a source expression" should be a section (ditto)

"URI matches a source list" should be a section (ditto)

Received on Thursday, 21 June 2012 22:09:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:28 UTC