W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: Content Security Policy 1.1 : script-nonce or script-hash

From: Mountie Lee <mountie@paygate.net>
Date: Wed, 19 Jun 2013 14:45:27 +0900
Message-ID: <CAE-+aYLmhLcEd9+zKETWBovahJgFNN3KUffyS0pKbBZ3ioxZLg@mail.gmail.com>
To: Olivier Jaquemet <olivier.jaquemet@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi.
I am thinking of the combined use of script-hash and script-nonce.

The nonce can be the seed value of the hash.

JavaScript has become part of the Internet infrastructure.
The previous role of JavaScript was to give a better user experience.

But now JS is doing more at the infrastructure level.

Code integrity is important as a provisioner.

script-nonce is a good solution, but not enough.
The CSP header can be easily removed or altered in the middle by a proxy, even
under a secure connection.

For me,
script-hash is better than nonce.

If script-hash is acceptable, we can also consider script-signature (
http://www-archive.mozilla.org/projects/security/components/signed-scripts.html
)

regards
mountie.



On Tue, Jun 18, 2013 at 11:39 PM, Olivier Jaquemet <
olivier.jaquemet@gmail.com> wrote:

> Hi all,
>
> First, my apologies for starting a new thread; I was not yet subscribed to
> the list and could not reply to the original discussion.
>
> Regarding the request for comment on script-nonce or script-hash, if I
> correctly understood the proposal:
> - script-hash would require that the developer computes the hash of
> its inline script and adds it as an attribute so it is checked by the
> browser for script content integrity.
> - script-nonce is a randomly generated string sent by the server in the
> HTTP headers and used as an attribute of the inline script; they are
> verified by the browser before running the script.
>
> * script-hash pros :
> - simple development without HTTP header modification, a nice alternative
> for a "simple static site"
>
> * script-hash cons :
>  - requires precise computation of the hash, with a common algorithm on
> all sides, including every character, space, comma, etc. I see this
> requirement as a high probability of malfunction, especially when integrated
> in many network/software layers with HTML cleanup or content injection (e.g.
> apache mod_rewrite, whitespace trim in the app server, ...)
> - without performing premature optimization, this approach requires two
> computations: 1 on the server side, 2 on the client side, to ensure both
> match; maybe this is not the most efficient way, as it adds client side
> computation on each request?
>
> * script-nonce pros :
> - very simple and efficient to generate a random string on each request,
> - cannot be impacted by the network/software layers mentioned previously
>
> * script-hash cons :
> - no guarantee of the inline script integrity if it was generated from
> compromised server side content
>
> Of course they could be used together for different site targets (static
> content vs dynamic).
> But applying the KISS principle, I would not propose both, as they would
> add confusion and solve the same problem.
> That said, I certainly have a bias since I mostly work with dynamically
> generated content.
>
> As far as I can see things for now, I am mostly in favor of the
> script-nonce approach, not script-hash.
>
> Regards,
> Olivier
>
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Wednesday, 19 June 2013 05:46:13 UTC
