Content Security Policy 1.1 : script-nonce or script-hash from Olivier Jaquemet on 2013-06-18 (public-webappsec@w3.org from June 2013)

From: Olivier Jaquemet <olivier.jaquemet@gmail.com>
Date: Tue, 18 Jun 2013 16:39:57 +0200
To: public-webappsec@w3.org
Message-ID: <CAHC_=r8UH1Co7H7hTNR9ReHTqnSV7knEJkr-Y8zSQDfE=Gjn_g@mail.gmail.com>

Hi all,

First, my apologies for starting a new thread, I was not yet subscribed to
the list and could not answer to the original discussion.

Regarding the request for comment on script-nonce or script-hash, if I
correctly understood the proposal :
- the scrip-hash would requires that the developer computes the hash of its
inline script and add it as an attribute so it is checked by the browser
for script content integrity.
- the script-nonce is a random generated string sent by the server in the
HTTP headers and used as attribute of inline script attribute, they are
verified by the browser before running the script

* scrip-hash pros :
- simple development without HTTP header modification, nice alternative for
"simple static site"

* scrip-hash cons :
- requires precise computation of the hash, with a common algorithm on all
side, including every characters, spaces, coma, etc I see this requirement
as a high probability of malfunction, specially when integrated in many
network/software layer with html cleanup or content injection (eg apache
mod_rewrite, whitespace trim in app server, ...)
- without performing premature optimization, this approach requires two
computations : 1 the server side, 2 on the client side, to ensure both
match, maybe this is not the most efficient way as it adds client side
computation on each request ?

* script-nonce pros :
- very simple and efficient to generate a random string on each request,
- cannot be impacted by network/software layer mentioned previously

* scrip-hash cons :
- no guarantee of the inline script integrity if it was generated from a
compromised server side content

Of course they could be used altogether for different site target (static
content vs dynamic).
But applying the KISS principle, I would not propose both as they would add
confusion and solve the same problem.
That said, I certainly have a bias since I mostly work with dynamically
generated content.

As far as I can see things for now, I am mostly in favor of the
script-nonce approach, no script-hash.

Regards,
Olivier

Received on Tuesday, 18 June 2013 15:25:40 UTC