W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2014

Re: Remove paths from CSP?

From: Mike West <mkwst@google.com>
Date: Tue, 20 May 2014 15:17:57 +0200
Message-ID: <CAKXHy=ckPMc736AgzzP18mWERszfMPMHGQT8=tow62JWMELZNg@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: Joel Weinberger <jww@chromium.org>, "Oda, Terri" <terri.oda@intel.com>, Michal Zalewski <lcamtuf@coredump.cx>, Dan Veditz <dveditz@mozilla.com>, Egor Homakov <homakov@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "Eduardo' Vela" <evn@google.com>
On Tue, May 20, 2014 at 2:55 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:

> For the sake of playing the devil's advocate, why limit ourselves to
>
HTTP redirects? Certainly meta http-equiv redirects should be treated
> the same way. What about various JS redirects? Both the algorithm and
> the discussion should probably use the same language, to make it
> explicitly clear what is being considered. (Currently algorithm says
> "HTTP redirect" and discussion says "redirect".)
>

Meta redirects wouldn't effect subresource loads. They'd only effect full
navigations that created a document context in which the <meta> tag was
parsed and executed. That wouldn't happen for the vast majority of things
that CSP covers (images, for instance). `frame-src` is the only directive I
can think of where <meta>-based refreshes would have an impact, and I think
they'd be covered by the navigation bits in the `frame-src` directive.

We've talked about adding a directive to control things like meta-based
redirects, but there's a bit more to think about in terms of what we'd like
to offer to authors with regard to control over navigation in general. It's
not something I think we can squeeze into 1.1, but we'd like to circle back
to it for 1.2.

For the record, I am still opposed to this solution. I'll quickly recap
> my objections against it:
>

This is helpful, thank you for reiterating your critique so concisely!


> * It doesn't resolve redirection login detection, which may add a new
> security hole to previously secure sites, one against which sites cannot
> protect themselves.
>

I disagree that this is a unique consequence of CSP's behavior (as we've
discussed at length), but I do agree that CSP makes this detection for
those sites that do cross-origin easier than it is now.

* It thus adds an unfixable security issue for the foreseeable future
> for all web sites. This might theoretically hinder the web moving
> forwards in the future.
>

For the subset of all websites that do cross-origin login (e.g. google.com->
accounts.google.com).


> * It doesn't fully support the path construct (doesn't work after
> redirects).
>

True. Do you have a suggestion to avoid this limitation?


> * It is confusing and complex for webmasters (and as they vastly
> outnumber browser developers, it is the most confusing and complex
> solution overall).
>

Is it? The rule sounds simple: "The path component of a source expression
always matches after a redirect." I agree with you that it adds some
marginal complexity to CSP, but let's not kid ourselves: CSP is already
horrendous.


> * It provides a false sense of security to webmasters. A webmaster might
> accidentally open a hole when trying to tighten security, or an
> unrelated change elsewhere (e.g. changes to use a redirect) might render
> a site insecure.
>

At worst, the protection offered to developers and users is exactly the CSP
1.0, origin-based protection that Opera is providing right now. I think
that's a pretty good baseline, honestly.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 20 May 2014 13:18:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC