
Re: [integrity]: Origin confusion attacks.

From: Mike West <mkwst@google.com>
Date: Fri, 10 Jan 2014 10:18:37 +0100
Message-ID: <CAKXHy=eH2LRj76MiW3cLOVbUFrEJ52L4-3hZ9Tdg84Yhe+Q3hA@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Pete Freitag <pete@foundeo.com>
I think the nonce makes it clear that the script tag was added by the
author, rather than maliciously injected. That should give us enough trust
in the author's intent to bypass the origin check, assuming the integrity
check hits the cache.

The risk there would be that an attacker could inject an integrity
attribute into a script tag. I think that's unlikely enough for us to
consider the risk minimal.

I also like Michal's approach, but I'm very worried about bloating the CSP
header to the point where it outweighs the content it's protecting. Chrome
has some sort of reasonable limit on header size (I have 16k in my head,
but I've no idea if that's accurate)... how soon will we be hitting that? :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and registration number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Fri, Jan 10, 2014 at 10:13 AM, Frederik Braun <fbraun@mozilla.com> wrote:

> On 10.01.2014 10:01, Mike West wrote:
> > ..
> > 3. A manual opt-in solution might be reasonable, however. One of the
> > following approaches might make sense:
> >
> >     1. We could add an 'unsafe-integrity' source expression to CSP's
> > grammar.
> >     2. We could look at the integrity-based cache only if a nonce was
> > applied to the script.
> >     3. We could take Michal's approach, and whitelist external hashes.
> >     4. Moar ideas?
> >
> > WDYT?
> >
>
> Opt-in sounds preferable. I find Michal's approach more elegant, but am
> not overly opposed to the second either.
>
>
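The message above weighs three opt-in designs for letting a page use an integrity-addressed cache for cross-origin scripts. The following is an added toy model (not code from the thread, the CSP/SRI specifications, or any browser) of option 2: a cross-origin script may be served from the integrity cache only when the script tag also carries a nonce that the page's CSP `script-src` directive lists, so an attacker who merely injects an `integrity` attribute gains nothing. The page origin, CSP header, cache contents and script body are constructed sample values; `may_use_integrity_cache` and `ScriptTag` are names chosen here, not spec terms.

```python
# Added example modelling the nonce-gated integrity cache proposal (option 2)
# from the quoted thread. It is illustrative only and not browser behaviour.
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample script body standing in for a cross-origin resource.
SAMPLE_SCRIPT = b"console.log('hello from cdn');\n"

# Constructed page context: its origin and a CSP header carrying one nonce.
PAGE_ORIGIN = "https://example.test"
CSP = "default-src 'self'; script-src 'self' 'nonce-abc123' https://cdn.example.test"


def sri_digest(body: bytes, algo: str = "sha256") -> str:
    """Return an SRI-style integrity token: '<algo>-<base64 of raw digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI hash algorithm: {algo}")
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


# Integrity-addressed cache: token -> body (constructed, one entry).
INTEGRITY_CACHE: Dict[str, bytes] = {sri_digest(SAMPLE_SCRIPT): SAMPLE_SCRIPT}


def csp_nonces(csp_header: str) -> set:
    """Collect nonce values listed in the script-src directive of a CSP header."""
    nonces = set()
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            for src in parts[1:]:
                m = re.fullmatch(r"'nonce-([A-Za-z0-9+/=]+)'", src)
                if m:
                    nonces.add(m.group(1))
    return nonces


@dataclass
class ScriptTag:
    """Minimal view of a <script> element: where it loads from and its attributes."""
    src_origin: str
    integrity: Optional[str] = None
    nonce: Optional[str] = None


def may_use_integrity_cache(tag: ScriptTag, page_origin: str, csp_header: str,
                            cache: Dict[str, bytes]) -> Tuple[bool, str]:
    """Decide whether the page may be handed cache[tag.integrity] for this tag.

    Same-origin scripts raise no origin-confusion concern. Cross-origin scripts
    bypass the origin check only when a CSP-valid nonce marks the tag as
    author-added, which is the opt-in the thread discusses.
    """
    if not tag.integrity or tag.integrity not in cache:
        return False, "no cache entry for this integrity value: fetch normally"
    algo = tag.integrity.split("-", 1)[0]
    if sri_digest(cache[tag.integrity], algo) != tag.integrity:
        return False, "cached body does not match its integrity key: discard"
    if tag.src_origin == page_origin:
        return True, "same-origin script: no origin confusion possible"
    if tag.nonce and tag.nonce in csp_nonces(csp_header):
        return True, "cross-origin, but a CSP-valid nonce proves author intent"
    return False, "cross-origin without a valid nonce: treat as possible injection"


def demo() -> Dict[str, bool]:
    """Run the model over constructed author-added and injected script tags."""
    token = sri_digest(SAMPLE_SCRIPT)
    cases = {
        "author_cross_origin_with_nonce": ScriptTag("https://cdn.example.test", token, "abc123"),
        "injected_cross_origin_no_nonce": ScriptTag("https://cdn.example.test", token),
        "injected_cross_origin_bad_nonce": ScriptTag("https://cdn.example.test", token, "guess"),
        "same_origin_no_nonce": ScriptTag(PAGE_ORIGIN, token),
        "unknown_integrity": ScriptTag("https://cdn.example.test", "sha256-AAAA", "abc123"),
    }
    return {name: may_use_integrity_cache(tag, PAGE_ORIGIN, CSP, INTEGRITY_CACHE)[0]
            for name, tag in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'cache hit allowed' if allowed else 'refused'}")
```

The decision order matters: the body is re-hashed against its cache key before any trust decision, so a poisoned cache entry is rejected regardless of nonce, and the nonce is only consulted for cross-origin tags, mirroring the reasoning that a valid nonce shows the tag was authored rather than injected.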
Received on Friday, 10 January 2014 09:19:26 UTC
