W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Garrett Robinson <grobinson@mozilla.com>
Date: Fri, 18 Oct 2013 19:39:35 -0700
Message-ID: <5261F0E7.6010402@mozilla.com>
To: public-webappsec@w3.org
On 10/18/2013 04:45 PM, Joel Weinberger wrote:
> I'm currently working on the Chromium implementation of script hashes,
> and I came across a point needing clarification: should script hashes
> apply to src'd scripts as well as inlined ones? One of Neil's comments
> implies only inlined, which is my preference, but I want to make sure
> we're explicit about this.

That would be my preference as well. Since CSP 1.1 has paths, you can
fully specify any external resource and so AFAICT there is no use case
for script-hash on external/src'd scripts.

However, I'd like script-nonce and script-hash to have the same behavior
in this regard. Currently, script-nonce is applied to external
scripts/styles as well, and IIRC Google has a use case for this,
although I don't remember the specifics.

> The problem is if they apply to src'd scripts as well, we (Chromium)
> have a chicken and egg
> problem. We check CSP to see if a resource URL is acceptable
> according to the policy. If not, we do not make the request. However,
> that means
> that if the URL is not acceptable *but* the hash of the script *is*
> acceptable,
> we never see the script, and thus can't override the URL decision.
> 
> This isn't a fundamental limitation of Chromium, but I'm not sure of the
> true
> value of applying script hash to src'd content, and it would mean
> requesting extra resources that CSP otherwise would block. Additionally,
> on a practical level, it would require a heck of a lot of refactoring on
> our end.

This would be nontrivial to implement in Gecko as well.
Received on Saturday, 19 October 2013 02:40:04 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC