Re: Remove paths from CSP?

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 26 Feb 2014 09:40:13 -0800
Message-ID: <CALx_OUBqKm4zXeNaFKubc2kaU2yGv2UX2ohFggg1ZTCTTLf8QQ@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: Mike West <mkwst@google.com>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, "Eduardo' Vela" <evn@google.com>
> Let me repeat myself: That an exploit works against many sites, is not a
> valid argument to build that security hole into browsers by default.

It's already built in. In the same way, we designed CORS to
essentially not add new holes, but arguably preserve the existing ones
(which lead to XSRF bugs), since preventing them within CORS alone
would be counterproductive, and fixing them elsewhere would require
fundamental changes to how the web operates.

I think it's a common theme in the design of web security mechanisms,
and while arguably "it's already broken, so we're not making it worse"
is a pretty poor argument, it's often the only viable way to go. On
balance, there is little doubt in my mind that CORS, postMessage,
sandboxed frames, CSP, subresource integrity, per-page suborigins, and
many other similar mechanisms offer net security benefits - even
though they all make substantial trade-offs that carefully tread the
line of "not making it worse".

> Protecting against side channels from image and script loads is trivial
> for web sites which care.

I'm not sure I agree with this?

> My suggestion is that browsers pretend the resource loaded. E.g. CORS
> and XHR have lots of behaviour just like this, where the real state of
> the load attempt is never revealed to the document. Copying such
> features across to CSP hardly seems impossible.

All of them reveal this information; XHR can fail synchronously or
near-instantly, can take a few ms indicating a cache read, or dozens to
hundreds of ms to indicate a network load. Timing aside, the fact that a
request is being made can also be inferred by measuring how many
(intentionally slow) requests can be performed in parallel, because
most browsers have per-host request caps to prevent DoS. And that's
just the tip of the iceberg, I think...

/mz
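The thread argues over whether path components in CSP source expressions are worth keeping, given that a policy's allow/block decision on a path can be observed by the page. The following is an added example, not code from this thread or from any browser vendor: a small policy auditor a site operator can run over their own Content-Security-Policy header to see which source expressions carry a path (and so are the ones this debate is about) and what the origin-only equivalent of the policy would grant if paths were dropped. The header value below is constructed for illustration; the host names in it are placeholders, and the parser is deliberately simplified (it splits on ';' and whitespace and does not validate every CSP token form).

```javascript
// Added example: audit a CSP header for path-bearing source expressions
// and derive the origin-only policy the "remove paths" proposal would leave.

// Returns the list of directives as { name, sources } objects.
function parsePolicy(policy) {
  const directives = [];
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.push({ name: tokens[0].toLowerCase(), sources: tokens.slice(1) });
  }
  return directives;
}

// Returns the path part of a host-source expression, or null when the
// expression has no path (keywords, nonces/hashes, scheme-only sources,
// bare hosts, or a host followed only by "/").
function pathOf(source) {
  if (source.startsWith("'")) return null;                       // 'self', 'nonce-...', 'sha256-...'
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return null;         // https:, data:, blob:
  const withoutScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const slash = withoutScheme.indexOf("/");
  if (slash === -1) return null;
  const path = withoutScheme.slice(slash);
  return path === "/" ? null : path;
}

// Drops the path from a host-source expression, leaving scheme, host and port.
function stripPath(source) {
  const path = pathOf(source);
  return path === null ? source : source.slice(0, source.length - path.length);
}

// Reports every path-bearing source and rebuilds the policy without paths.
// Duplicate origins produced by stripping are collapsed within a directive.
function auditPolicy(policy) {
  const findings = [];
  const rewritten = [];
  for (const { name, sources } of parsePolicy(policy)) {
    const originOnly = [];
    for (const src of sources) {
      const path = pathOf(src);
      if (path !== null) findings.push({ directive: name, source: src, path });
      const stripped = stripPath(src);
      if (!originOnly.includes(stripped)) originOnly.push(stripped);
    }
    rewritten.push([name, ...originOnly].join(" "));
  }
  return { findings, originOnlyPolicy: rewritten.join("; ") };
}

// Constructed sample header (placeholder hosts, not a real deployment).
const SAMPLE_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.example/js/ https://cdn.example/vendor/jquery.js; " +
  "img-src https: data:; " +
  "connect-src https://api.example:8443/v1/";

const report = auditPolicy(SAMPLE_POLICY);
for (const f of report.findings) {
  console.log(`${f.directive}: ${f.source} restricts path ${f.path}`);
}
console.log("origin-only equivalent:", report.originOnlyPolicy);
```

The point of the rewrite is to make the trade-off concrete: `script-src https://cdn.example/vendor/jquery.js` becomes `script-src https://cdn.example`, which is exactly the broader grant a deployer accepts in exchange for the policy no longer encoding which paths exist.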
Received on Wednesday, 26 February 2014 17:41:11 UTC