- From: <bugzilla@jessica.w3.org>
- Date: Wed, 25 Sep 2013 21:58:31 +0000
- To: public-webappsec@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357
Bug ID: 23357
Summary: Subverting CSP policies for browser add-ons (extensions).
Product: WebAppsSec
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: CSP
Assignee: w3c@adambarth.com
Reporter: glenn@skynav.com
QA Contact: dave.null@w3.org
CC: mike@w3.org, public-webappsec@w3.org
Section 3.3 of CSP 1.1 WD [1] permits the subversion of CSP policies by browser
add-ons (extensions), aka "user-supplied scripts" with the following language:
"Enforcing a CSP policy should not interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and JavaScript
bookmarklets."
In the case that a browser add-on (extension) has been compromised, e.g., by a
privilege escalation vulnerability [2] or a script-injection vulnerability [3],
the intended mitigating effects of CSP may be subverted or entirely eliminated.
In order to provide Web Applications with protection against such
vulnerabilities, one of the following solutions is suggested:
(1) Reverse the sense of the above cited specification text, i.e., explicitly
require CSP policy to apply to user-supplied scripts such as third party
add-ons, etc.
(2) Introduce a "user-script" declaration for use with the script-src
directive, which, if absent, prevents execution of user-supplied scripts but
without generating a report violation; [web app opts-in to enable user script]
(3) Introduce a "no-user-script" declaration for use with the script-src
directive, which, if present, prevents execution of user-supplied scripts but
without generating a report violation; [web app opts-out to disable user
script]
[1] https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model
[2] http://www.eecg.toronto.edu/~ashvin/publications/securing-web-browsers.pdf
[3] http://qspace.library.queensu.ca/bitstream/1974/7560/1/Barua_Anton_201209_MSc.pdf
Received on Wednesday, 25 September 2013 21:58:32 UTC
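The following is an added example, not part of the bug report or of the CSP specification. It models the difference between the three behaviours the report compares for user-supplied scripts: the CSP 1.1 WD text (policy never interferes), proposal (2) (opt-in via a 'user-script' source expression), and proposal (3) (opt-out via 'no-user-script'). Both source expressions are the reporter's proposals and were never adopted into CSP; they are treated here as hypothetical tokens. The parser is a deliberately small directive splitter, and the assumption that a policy with no script-src (and no default-src fallback) places no restriction on user scripts is the example's own.

```javascript
// Added example: a minimal CSP directive parser plus a model of the three
// behaviours discussed in bug 23357. 'user-script' and 'no-user-script' are
// the reporter's PROPOSED source expressions, not real CSP syntax.

// Parse a serialized CSP policy into a Map of directive name -> source tokens.
// Within one policy the first occurrence of a directive wins; later
// duplicates are ignored, which matches how CSP treats repeated directives.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective script source list: script-src, falling back to default-src.
// Returns null when neither is present (no script restriction declared).
function scriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Decide whether a user-supplied script (add-on, bookmarklet) may run.
// mode is one of:
//   "wd"      CSP 1.1 WD text: enforcement never interferes -> always allowed
//   "opt-in"  proposal (2): allowed only if 'user-script' is listed
//   "opt-out" proposal (3): allowed unless 'no-user-script' is listed
// The result's `report` field is always false: both proposals block user
// scripts WITHOUT generating a violation report.
// Assumption (this example's own): with no script-src/default-src at all,
// the policy says nothing about scripts, so user scripts are allowed.
function userScriptAllowed(policy, mode) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return { allowed: true, report: false };
  const has = (token) => sources.some((s) => s.toLowerCase() === token);
  let allowed;
  switch (mode) {
    case "wd":      allowed = true; break;
    case "opt-in":  allowed = has("'user-script'"); break;
    case "opt-out": allowed = !has("'no-user-script'"); break;
    default: throw new Error(`unknown mode: ${mode}`);
  }
  return { allowed, report: false };
}

// Constructed sample policies for comparison.
const SAMPLE_POLICIES = [
  "script-src 'self'",
  "script-src 'self' 'user-script'",
  "default-src 'self' 'no-user-script'",
  "img-src 'self'",
];

for (const policy of SAMPLE_POLICIES) {
  for (const mode of ["wd", "opt-in", "opt-out"]) {
    const { allowed } = userScriptAllowed(policy, mode);
    console.log(`${mode.padEnd(7)} | ${policy.padEnd(40)} | user script ${allowed ? "runs" : "blocked"}`);
  }
}
```

The table the loop prints makes the trade-off concrete: under (2) every existing deployment that lists script-src silently loses add-on support until it adds the new token, whereas under (3) nothing changes for sites that do not opt out, but a compromised add-on keeps running on every site that has not yet learned about 'no-user-script'.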