W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP: Problems with referrer and reflected-xss

From: Glenn Adams <glenn@skynav.com>
Date: Thu, 12 Jun 2014 19:54:03 -0600
Message-ID: <CACQ=j+fSw-_oDJV3zK8=AO0gchRWhRwTXh3aZmGeoMmovte5gg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
+1


On Thu, Jun 12, 2014 at 6:12 PM, Brian Smith <brian@briansmith.org> wrote:

> Hi,
>
> I just recently read the proposed specification for CSP referrer at [1]
> and I think it is problematic for several reasons.
>
> First, let's remember what the introduction of the spec says: "This
> document defines Content Security Policy, a mechanism web applications can
> use to mitigate a broad class of content injection vulnerabilities, such as
> cross-site scripting (XSS). Content Security Policy is a declarative policy
> that lets the authors (or server administrators) of a web application
> inform the client about the sources from which the application expects to
> load resources."
>
> I suspect that this introductory text actually needs to be updated since
> CSP does more than just restrict the sources of resource loads. However,
> the intent is still clear: CSP is a mechanism for *adding* limits what the
> content of the page can do. In particular, I think it is dangerous to add
> features to CSP that cause a CSP policy to *remove* limits on what the page
> can do. That is, adding a CSP policy to a page should never make the page
> less safe than if the CSP policy wasn't there. I think this should be
> considered a fundamental design constraint for all CSP features, and
> CSP-like features that violate this constraint should be defined in a
> *different* header field.
>
> However, the CSP referrer mechanism defined in the CSP 1.1 draft does
> violate this constraint, by allowing the CSP policy to specify that more
> referrer information should be leaked than the browser would normally do by
> default.
>
> Instead of determining what the final referrer should be, the CSP referrer
> should instead define the *maximum* amount of information that the referrer
> can contain. For example, if the CSP referrer policy was "origin" then a
> browser would never send more than the origin in a referrer header, but it
> might send less (none), e.g. for HTTPS-to-HTTP navigations. Then,
> "unsafe-url" would never be unsafe and it could be replaced with "default"
> since the effect would be "no change." Similarly, "none-when-downgrade"
> would be equivalent to the default and so it could/should be removed.
>
> There is a similar issue for reflected-xss: allow. This shouldn't be part
> of the Content-Security-Policy header, but rather part of another header.
>
> Again, my point is that that the Content-Security-Policy header should
> only *increase* the security of a page and *never* decrease the security of
> the page. Otherwise, we'll soon need a
> Content-Security-Policy-Security-Policy header to restrict what the
> Content-Security-Policy header can do.
>
> [1]
> https://w3c.github.io/webappsec/specs/content-security-policy/#directive-referrer
>
> Cheers,
> Brian
>
>
Received on Friday, 13 June 2014 01:54:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC