
Re: Content Security Policy

From: Joel Weinberger <jww@chromium.org>
Date: Mon, 17 Jun 2013 10:22:49 -0700
Message-ID: <CAHQV2KmC=CFYFtUBHkXsB4KN4XyxF0kTf_Fkt0URbZqdMeDysg@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Neil Matatall <neilm@twitter.com>, Евнгений Яременко <w3techplayground@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I'm not particularly against hashes, but I'm naturally hesitant to add
more constructs to CSP, especially since the use of nonces seems to
completely overlap with the use cases for hashes. I think the concerns about
nonce abuse, as Yoav pointed out, are valid concerns, but I'd be hesitant to
add a new construct just to cover that particular concern. Put differently,
I don't see any dramatically different uses for hashes from nonces.
--Joel


On Mon, Jun 17, 2013 at 4:09 AM, Yoav Weiss <yoav@yoav.ws> wrote:

> +1 for discussing it further.
>
> The advantages I see:
> * The author is authorizing a *specific* script/style and can do so using
> static configuration
>   - No need for a dynamic backend that changes the nonce for each request.
>   - This can simplify deployment, resulting in more people using it
> * I'm afraid of authors abusing nonces, sending the same nonce over and
> over as a means to "bypass" CSP
>   - Offering an alternative to nonce can reduce that risk
>
> The complications I can think of:
> * Make sure that either hashes don't break with small whitespace
> removals, text encoding changes, etc.
>   - An alternative is tools that can give authors the resulting hash for a
> specific script/style. (e.g. inside the Web inspector tools). That may be
> more fragile, though.
>
> All in all, I think hashes can make it easier for "copy&paste" authors to
> integrate CSP. They can also make deployment of third party scripts easier.
>
>
> On Sat, Jun 15, 2013 at 8:00 AM, Neil Matatall <neilm@twitter.com> wrote:
>
>> This is the script-hash proposal. I would love it if we discussed this
>> more as it has numerous benefits over a nonce as well as complications :)
>> On Jun 15, 2013 1:11 AM, "Евнгений Яременко" <w3techplayground@gmail.com>
>> wrote:
>>
>>> Is it possible to verify (whitelist) an inline script block via a checksum of
>>> its logic (uniform) as an alternative to "Nonce"?  I.e. send the checksum of the
>>> allowed script via a header, and if the inlined script's checksum is the same, it's
>>> allowed to execute.
>>>
>>
>
Received on Monday, 17 June 2013 17:23:48 UTC
