- From: <bugzilla@jessica.w3.org>
- Date: Wed, 25 Sep 2013 21:58:31 +0000
- To: public-webappsec@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357

- Bug ID: 23357
- Summary: Subverting CSP policies for browser add-ons (extensions).
- Product: WebAppsSec
- Version: unspecified
- Hardware: All
- OS: All
- Status: NEW
- Severity: normal
- Priority: P2
- Component: CSP
- Assignee: w3c@adambarth.com
- Reporter: glenn@skynav.com
- QA Contact: dave.null@w3.org
- CC: mike@w3.org, public-webappsec@w3.org

Section 3.3 of CSP 1.1 WD [1] permits the subversion of CSP policies by browser add-ons (extensions), aka "user-supplied scripts", with the following language:

"Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets."

In the case that a browser add-on (extension) has been compromised, e.g., by a privilege escalation vulnerability [2] or a script-injection vulnerability [3], the intended mitigating effects of CSP may be subverted or entirely eliminated. In order to provide Web Applications with protection against such vulnerabilities, one of the following solutions is suggested:

(1) Reverse the sense of the above cited specification text, i.e., explicitly require CSP policy to apply to user-supplied scripts such as third-party add-ons, etc.

(2) Introduce a "user-script" declaration for use with the script-src directive, which, if absent, prevents execution of user-supplied scripts but without generating a violation report; [web app opts in to enable user script]

(3) Introduce a "no-user-script" declaration for use with the script-src directive, which, if present, prevents execution of user-supplied scripts but without generating a violation report; [web app opts out to disable user script]

[1] https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model
[2] http://www.eecg.toronto.edu/~ashvin/publications/securing-web-browsers.pdf
[3] http://qspace.library.queensu.ca/bitstream/1974/7560/1/Barua_Anton_201209_MSc.pdf

-- 
You are receiving this mail because: You are on the CC list for the bug.
Received on Wednesday, 25 September 2013 21:58:32 UTC