Re: Proposal for script-hash directive in CSP 1.1 from Brad Hill on 2013-07-02 (public-webappsec@w3.org from July 2013)

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 2 Jul 2013 15:08:57 -0700
To: Neil Matatall <neilm@twitter.com>
Cc: Nicholas Green <ngreen@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8gVu0FPVK9aLEzn8d3heG1jKVMbThFqEoaAH4eCB3PUPQ@mail.gmail.com>
A good start, but needs a lot more work. My todo list from mid-last month
on this (that might have gotten eaten by DMARC mail policy at my PayPal
account)  was:

 Rather than have a script-hash directive, I would suggest using the RFC
6920 syntax (http://tools.ietf.org/html/rfc6920) as a source expression is
a good fit with the current pattern of using nonces as such.

 Specify which hash algorithms CSP 1.1 would require support for.

 Specify whether and to what extent truncation is allowed.

 Specify what to do with the content-type attribute of ni: URIs if we allow
this to be used for non-inline content... or should this be used to
determine the type (css, js, vbs, etc..) of the inline resource?

 Specify an algorithm to exactly determine the bytes-to-be-hashed in a
reliable and cross-browser manner.  I would suggest that this should be
defined in terms of the HTML5 parsing algorithm, with some restrictions
such as requiring any resource employing hash sources declare an explicit
encoding. (but not just utf8)

 *shudder* Is canonicalization necessary?  I hope not.

 Think about and determine what needs to be covered by the
bytes-to-be-hashed:

   - should attributes of the script tag be included?  (e.g. whether it is
javascript, vbscript, ruby or json?)

 Specify algorithm agility behavior

   - what to do if a policy specifies only SHA4 hashes and a user agent
doesn't understand SHA4?  fail?  fallback to unsafe-inline?

   - possibly: if a policy specifies SHA1 and SHA3 hashes of the same
content what should user agent behavior be?  allow all as valid?  only
trust the strongest hashes it understands how to process in a given policy
string?  In the composite policy?



-Brad


On Tue, Jul 2, 2013 at 2:57 PM, Neil Matatall <neilm@twitter.com> wrote:

> Per the conversation in today's call where we were looking for a
> script-hash spec proposal. Were there objections to this? Good
> starting point?
>
> On Wed, Feb 13, 2013 at 2:12 PM, Nicholas Green <ngreen@twitter.com>
> wrote:
> > In English:
> >
> > The contents of every script tag will be encoded to utf-8 then hashed,
> > including all leading and trailing whitespace.  We hash the contents
> > of each script tag with the hashing algorithm specified in the
> > script-hash directive.  If the calculated hash's base64 encoding
> > matches the base64 encoding of a hash value listed in the CSP header,
> > we execute the script.  Otherwise we block & report.
> >
> > In spec:
> >
> > The script-hash directive restricts script execution by requiring that
> > the hash of a script's contents must appear in the directive in order
> > for the script to be executed.  The syntax for the name and value of
> > the directive are described by the following ABNF grammar:
> >
> > directive-name      = "script-hash"
> > directive-value     = hash-algorithm ":" hash-list
> > hash-list           = *WSP [ hash-value *( 1*WSP hash-value ) *WSP ]
> > hash-value          = 1*hash-char *( 1*hash-char )
> > hash-char           = ALPHA / DIGIT / "+" / "/" / "="
> > hash-algorithm      = "sha1" / "sha256"
> >
> > If script-hash is NOT specified as a directive:
> >
> > * The user agent MUST follow script-src behavior or inherited
> > default-src behavior for inline scripts.
> >
> > If script-hash IS specified as a directive
> >
> > * Whenever the user agent would execute an inline script from a script
> > element, the user agent MUST NOT execute the script unless the base64
> > (rfc4648) encoding of the digest of the utf-8 encoded script contents
> > when hashed with the hash-algorithm specified in the script-hash
> > directive matches a base64 hash-value in the list of hash-values.
> > User agents should pad the hash-values with '=' as necessary to make
> > them valid base64 strings.
> > * Whenever the user agent would execute a script from an inline event
> > handler, instead the user agent MUST NOT execute the script.
> > * Whenever the user agent would execute script contained in a
> > javascript URI, instead the user agent MUST NOT execute the script.
> > * The content-type HTTP header SHOULD be set.
> >
> >
>
>
Received on Tuesday, 2 July 2013 22:09:25 UTC