
Re: [integrity]: Origin confusion attacks.

From: Sandeep Kamble <sandeepk.l337@gmail.com>
Date: Fri, 10 Jan 2014 17:27:54 +0530
Message-ID: <CALq7B37eAeWE=71aejzYX--XVAf8qSyQ8cdK5FXRegwu0oOL=A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Pete Freitag <pete@foundeo.com>
Nice,

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=text/javascript&o="></script>

<script src="https://code.jquery.com/jquery-1.10.2.min.js"
        integrity="ni:///sha-256;C6CB9UYIS9UJeqinPHWTHVqh_E1uhG5Twh-Y5qFQmYg?ct=text/javascript&o=ajax.googleapis.com+cdnjs.cloudflare.com+code.jquery.com"></script>

Okay, here comes one stupid question. What does the integrity attribute do?


On Fri, Jan 10, 2014 at 2:48 PM, Mike West <mkwst@google.com> wrote:

> I think the nonce makes it clear that the script tag was added by the
> author, rather than maliciously injected. That should give us enough trust
> in the author's intent to bypass the origin check, assuming the integrity
> check hits the cache.
>
> The risk there would be that an attacker could inject an integrity
> attribute into a script tag. I think that's unlikely enough for us to
> consider the risk minimal.
>
> I also like Michal's approach, but I'm very worried about bloating the CSP
> header to the point where it outweighs the content it's protecting. Chrome
> has some sort of reasonable limit on header size (I have 16k in my head,
> but I've no idea if that's accurate)... how soon will we be hitting that? :)
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Fri, Jan 10, 2014 at 10:13 AM, Frederik Braun <fbraun@mozilla.com> wrote:
>
>> On 10.01.2014 10:01, Mike West wrote:
>> > ..
>> > 3. A manual opt-in solution might be reasonable, however. One of the
>> > following approaches might make sense:
>> >
>> >     1. We could add an 'unsafe-integrity' source expression to CSP's
>> > grammar.
>> >     2. We could look at the integrity-based cache only if a nonce was
>> > applied to the script.
>> >     3. We could take Michal's approach, and whitelist external hashes.
>> >     4. Moar ideas?
>> >
>> > WDYT?
>> >
>>
>> Opt-in sounds preferable. I find Michal's approach more elegant, but am
>> not overly opposed to the second either.
>>
>>
>
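To make the two script tags above concrete, here is an added illustration (not code from the thread, the draft spec, or any browser) of what a user agent would have to do with such an integrity value: parse the ni:// URI into algorithm, digest, ct and o parameters, digest the fetched bytes and compare them in base64url form, and decide which host the bytes may come from. The sample script body is constructed. Two points are assumptions rather than anything the draft states: that o= is an allow-list of hosts from which a hash-matching copy (for example one served from an integrity-keyed cache) may be accepted in addition to the src host, and that an empty o= permits the src host only.

```python
"""Model of a 2014-style `integrity` attribute check (added example, not spec code)."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Constructed stand-in for a fetched script; any bytes would do.
SAMPLE_SCRIPT = b"(function(){window.hello=function(){return 'hi';};})();\n"


def ni_digest(alg: str, data: bytes) -> str:
    """Digest `data` and encode it as an ni:// URI does: base64url with no '=' padding."""
    h = hashlib.new(alg.replace("-", ""), data).digest()  # 'sha-256' -> hashlib 'sha256'
    return base64.urlsafe_b64encode(h).rstrip(b"=").decode("ascii")


def build_integrity(data: bytes, content_type: Optional[str] = None,
                    origins: Optional[List[str]] = None) -> str:
    """Produce the attribute value an author would publish for `data`."""
    value = "ni:///sha-256;" + ni_digest("sha-256", data)
    params = []
    if content_type is not None:
        params.append("ct=" + content_type)
    if origins is not None:                       # emit 'o=' even when the list is empty
        params.append("o=" + "+".join(origins))
    return value + ("?" + "&".join(params) if params else "")


@dataclass(frozen=True)
class Integrity:
    alg: str
    digest: str
    content_type: Optional[str]
    origins: Tuple[str, ...]


def parse_integrity(value: str) -> Integrity:
    """Split 'ni:///<alg>;<digest>?ct=...&o=host+host' into its parts."""
    parts = urlsplit(value)
    if parts.scheme != "ni":
        raise ValueError("integrity value is not an ni:// URI")
    alg, _, digest = parts.path.lstrip("/").partition(";")
    if not alg or not digest:
        raise ValueError("missing algorithm or digest")
    ct: Optional[str] = None
    origins: Tuple[str, ...] = ()
    # Parsed by hand: '+' separates hosts in o=, and parse_qs would turn it into a space.
    for pair in filter(None, parts.query.split("&")):
        key, _, val = pair.partition("=")
        if key == "ct":
            ct = unquote(val)
        elif key == "o":
            origins = tuple(h for h in val.split("+") if h)
    return Integrity(alg, digest, ct, origins)


def verify(attr: str, src: str, body: bytes, body_content_type: str,
           served_from: str) -> Tuple[bool, str]:
    """Decide whether `body`, which arrived from host `served_from`, may execute.

    `src` is the script's src URL; its host is always acceptable. Hosts listed in o=
    are accepted as well (assumed semantics, see lead-in).
    """
    spec = parse_integrity(attr)
    if spec.alg != "sha-256":
        return False, "unsupported digest algorithm"
    if not hmac.compare_digest(ni_digest(spec.alg, body), spec.digest):
        return False, "digest mismatch"
    if spec.content_type is not None:
        actual = body_content_type.split(";")[0].strip().lower()
        if actual != spec.content_type.lower():
            return False, "content-type mismatch"
    allowed = {urlsplit(src).hostname, *spec.origins}
    if served_from not in allowed:
        return False, "origin not permitted"
    return True, "ok"


if __name__ == "__main__":
    attr = build_integrity(SAMPLE_SCRIPT, "text/javascript",
                           ["ajax.googleapis.com", "code.jquery.com"])
    print(attr)
    print(verify(attr, "https://code.jquery.com/x.js", SAMPLE_SCRIPT,
                 "text/javascript", "code.jquery.com"))
    print(verify(attr, "https://code.jquery.com/x.js", SAMPLE_SCRIPT + b"x",
                 "text/javascript", "code.jquery.com"))
```

Running it prints the attribute value for the constructed script, an accepted result for an untouched body, and "digest mismatch" once a single byte is appended; feeding a hash-matching body with a `served_from` host that is neither the src host nor in o= is rejected as "origin not permitted", which is the check the thread is discussing relaxing via a nonce or a CSP opt-in.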
Received on Friday, 10 January 2014 16:38:13 UTC
