W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: CSP Transition Tools

From: Neil Matatall <neilm@twitter.com>
Date: Fri, 17 Jan 2014 10:11:00 -0800
Message-ID: <CAOFLtbg3sCCpCsfJuHqRomhnVk1JmdeUWyzDK9k+DJE6aEvBQQ@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Something like this?
http://nmatatal.blogspot.com/2013/09/how-my-script-hash-poc-works.html
This hack worked very, very well for rails apps (that don't use the
javascript_tag helper)

Script Hash Generation

Grab all templates (stuff that turns into html that kinda already
looks like html)
Iterate over each file and:

Grep the code for
/(<script([\s]*(?!src)([\w\-])+=([\"\'])[^\"\']+\4)*[\s]*>)(.*?)(<\/script>)/mx
Take each match (second to last capture group in this case, ruby 1.8
doesn't support named capture groups).
Hash the value with SHA256 and base64 encode the output.

Store the filename and any hashes (e.g. in a YAML file, hash,
associative array, whatever). Key: filename, value: array of hashes.

Script hash application

Hook into the framework so that anytime a template is rendered, we take note.
Once rendering is done, add the hashes (if any) of all rendered
templates to the content security policy.

"Automatic inline script CSP protection"

To hopefully satisfy this claim, here's some steps you'd have to take:

Have a task that watches the filesystem for changes to your templates.
Update the script hashes that are applied to the given template
without having to restart any process.

On Thu, Jan 16, 2014 at 11:58 PM, Yoav Weiss <yoav@yoav.ws> wrote:
> On Wed, Jan 15, 2014 at 10:25 AM, Frederik Braun <fbraun@mozilla.com> wrote:
>>
>> There was a very good bachelor's thesis at the Ruhr University of
>> Bochum, in which the author also wrote a reverse proxy that collects
>> inline items and generates external files for them (using a learning & a
>> production mode).
>>
>> The tool is available at https://github.com/qll/autoCSP, and I can
>> surely find the thesis PDF if this is interesting enough and I start
>> some additional digging ;)
>>
>
> I was thinking about something (very) similar that would integrate into
> current development frameworks (e.g. a Django/RoR app), and would add CSP
> auto-magically. Rather than externalizing inlined scripts (which can cause
> issues, at least in theory), such a plugin could use hashes/nonces to enable
> all the scripts that are present in the initial templates.
>
Received on Friday, 17 January 2014 18:11:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC