- From: Aymeric Vitte <vitteaymeric@gmail.com>
- Date: Fri, 20 Sep 2013 18:21:27 +0200
- To: public-webappsec@w3.org
I tried to use CSP on FF and Chrome with the following use case :

http://peersm.com :

<style nonce="random">...</style>
<img from http://www.peersm.com>
<script src="https://peersm.com/script.js" nonce="random">
<script google>

script.js :

xhr --> decrypt data --> eval(decrypted data)
var workerjs='code';
var worker=new Worker(URL.createObjectURL(new Blob([workerjs])));
new WebSocket('ws://xxx:yyy')

I ended up with the following CSP rule :

head['Content-Security-Policy']= "default-src 'self'; img-src http://www.peersm.com; connect-src http://peersm.com xxx;style-src 'unsafe-inline'; script-src 'unsafe-eval' 'unsafe-inline' https://peersm.com https://www.google.com https://ajax.googleapis.com 'nonce-random';script-nonce random";

Which seems completely insecure...

1- I could not make nonces work even using both syntaxes above, that's why https://peersm.com is in the script-src list and 'unsafe-inline' in style-src; reading the docs it seems implemented, but maybe it's not.

2- I added 'unsafe-inline' in script-src since the worker as defined here is maybe assimilated to an inline script, but whatever we do CSP blocks the worker.

3- It's not clear, depending on browsers, if you can whitelist a complete url (http://a/b/c/script.js) or not (http://a/b/c) (working on Chrome, not working on FF).

I have some doubts while reading the CSP spec, so sorry if the remarks have already been discussed.
You might object that I am doing strange things, but there are very good reasons for that; for example I cannot load script.js directly inside https://peersm.com because FF will refuse to create a non-SSL/TLS WebSocket (see https://bugzilla.mozilla.org/show_bug.cgi?id=917829).

What I would think natural to have is something like:

style-src ('unsafe-inline' only with http://peersm.com/) or 'nonce-random'
--> allow unsafe-inline only for a set of urls, or use nonces

script-src ('unsafe-eval' only with https://peersm.com/script.js) ('unsafe-inline' only with workers) https://www.google.com https://ajax.googleapis.com (https://peersm.com/script.js or 'nonce-random')
--> allow unsafe-eval only for a set of urls, whitelist them explicitly, or use nonces

But as far as I understand the spec this is not possible, correct?

Regards

Aymeric

--
jCore
Email : avitte@jcore.fr
Peersm : http://www.peersm.com
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web : www.jcore.fr
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
Received on Friday, 20 September 2013 16:22:09 UTC