W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Neil Matatall <neilm@twitter.com>
Date: Fri, 18 Oct 2013 17:47:01 -0700
Message-ID: <CAOFLtbhdPGPRUWtfy-6akaFjASxCqxNXev_N04BZBRQVNEru-g@mail.gmail.com>
To: Glenn Adams <glenn@skynav.com>
Cc: Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
The proposal was only meant to apply to inline resources, but I don't
want that to stop the discussion :)

> However, that means that if the URL is not acceptable *but* the hash of the script *is* acceptable, we never see the script, and thus can't override the URL decision.

I think that's fine. The way I see it, the host-source determines
whether a resource should be fetched and the hash verifies the
integrity of the content executing (which seems extensible).

> but I'm not sure of the true value of applying script hash to src'd content

It's been discussed, especially when the code is hosted by a 3rd party
(when self-hosting is not an option). Tanvi?

> it would mean requesting extra resources that CSP otherwise would block

I think this is OK too. An unnecessary load indicates a bug or an
injection. This information would be surfaced by the CSP reports.
Also, this would keep it compatible with how script-nonce would act if
it were applied to src'd scripts.

On Fri, Oct 18, 2013 at 5:20 PM, Glenn Adams <glenn@skynav.com> wrote:
>
> On Fri, Oct 18, 2013 at 5:45 PM, Joel Weinberger <jww@chromium.org> wrote:
>>
>> I'm currently working on the Chromium implementation of script hashes, and
>> I came across a point needing clarification: should script hashes apply to
>> src'd scripts as well as inlined ones? One of Neil's comments implies only
>> inlined, which is my preference, but I want to make sure we're explicit
>> about this.
>>
>> The problem is if they apply to src'd scripts as well, we (Chromium) have
>> a chicken and egg
>> problem. We check CSP to see if a resource URL is acceptable
>> according to the policy. If not, we do not make the request. However, that
>> means
>> that if the URL is not acceptable *but* the hash of the script *is*
>> acceptable,
>> we never see the script, and thus can't override the URL decision.
>
>
> Are you referring to CSP's script nonces? If so, then the spec doesn't seem
> to distinguish inline from sourced scripts, and also doesn't treat a nonce
> as a hash to be verified.
>
> "Note that the nonce's value is not a hash or signature that verifies the
> contents of the script resources. It's quite simply a random string that
> informs the user agent which scripts were intentionally included in the
> page.
>
> Script elements with the proper nonce execute, regardless of whether they're
> inline or external. Script elements without the proper nonce don't execute
> unless their URLs are whitelisted. Even if an attacker is able to inject
> markup into the protected resource, the attack will be blocked by the
> attacker's inability to guess the random value."
>
>
>>
>>
>> This isn't a fundamental limitation of Chromium, but I'm not sure of the
>> true
>> value of applying script hash to src'd content, and it would mean
>> requesting extra resources that CSP otherwise would block. Additionally, on
>> a practical level, it would require a heck of a lot of refactoring on our
>> end.
>>
>> Whatever our decision, I'm working on a more formal spec write to clarify
>> some of the ins and outs and what-have-yous that I've come across during
>> implementation. Obviously, whatever the consensus here is will be a part of
>> that.
>> --Joel
>
>
Received on Saturday, 19 October 2013 00:47:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC