
Re: CSP Transition Tools

From: qll <qll@iceqll.eu>
Date: Fri, 17 Jan 2014 12:51:31 +0100
Message-ID: <52D91943.5050403@iceqll.eu>
To: Yoav Weiss <yoav@yoav.ws>, Frederik Braun <fbraun@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 17.01.2014 08:58, Yoav Weiss wrote:
> On Wed, Jan 15, 2014 at 10:25 AM, Frederik Braun <fbraun@mozilla.com
> <mailto:fbraun@mozilla.com>> wrote:
>
>     There was a very good bachelor's thesis at the Ruhr University of
>     Bochum, in which the author also wrote a reverse proxy that collects
>     inline items and generates external files for them (using a
>     learning & a production mode).
>
>     The tool is available at https://github.com/qll/autoCSP, and I can
>     surely find the thesis PDF if this is interesting enough and I start
>     some additional digging ;)
>
>
> I was thinking about something (very) similar that would integrate
> into current development frameworks (e.g. a Django/RoR app), and would
> add CSP auto-magically. Rather than externalizing inlined scripts
> (which can cause issues, at least in theory), such a plugin could use
> hashes/nonces to enable all the scripts that are present in the
> initial templates.
>

Hey Yoav,

You might find the conclusion of my thesis useful. The thesis itself is
linked on the GitHub page now (sorry for the self-promotion). Your
possibilities definitely grow the more "specific" you get (e.g. build
something for one framework or CMS only). However, keep in mind that
there are still scenarios which will be very hard to fix with a hash or
nonce. What about eval-like statements? What if the initial templates
output dynamic data into scripts (as can often be seen with CSRF tokens
and similar)? There are solutions to the latter problem, but rewriting
(or allowing "safe"? How would we know automatically?) eval-like
statements will most likely remain a hard problem.

Also: You should be careful with nonces since an injection in front of
an allowed element may steal the nonce with a dangling markup attack
easily (verified with Chrome). If you want to build something like
you've proposed, hashes seem to be the way to go IMO.

Regards,
Nicolas Golubovic
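An added example, not part of this thread or of the autoCSP project, illustrating the hash-based approach Yoav proposes and the template problem Nicolas raises: inline scripts are collected from a rendered page and turned into `'sha256-…'` source expressions, and a script that embeds a per-request CSRF token gets a different hash on every render, so the directive has to be computed at render time rather than learned once. The page template and token values are constructed for the demo.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample template: one static inline script and one that embeds a
# per-request CSRF token (the dynamic-data case discussed in the thread).
TEMPLATE = """<html><body>
<script>console.log("static");</script>
<script>var csrfToken = "{token}";</script>
</body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collect the raw body text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # Scripts with a src attribute are external; CSP hashes only cover inline bodies.
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser may deliver script content in several chunks; concatenate them.
        if self._in_script:
            self.scripts[-1] += data


def csp_hash(script_text: str) -> str:
    """CSP source expression for an inline script: base64(SHA-256) of the exact body, whitespace included."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_for(html: str) -> str:
    """Build a script-src directive that allows exactly the inline scripts found in html."""
    collector = InlineScriptCollector()
    collector.feed(html)
    return "script-src " + " ".join(csp_hash(s) for s in collector.scripts)


def render(token: str) -> str:
    """Render the constructed template with a given CSRF token."""
    return TEMPLATE.format(token=token)
```

Rendering the template with two different tokens yields the same hash for the static script and a different one for the token-bearing script, which is why a learning-mode hash list cannot cover such scripts.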
Received on Saturday, 18 January 2014 22:17:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC