- From: Mike West <mkwst@google.com>
- Date: Tue, 14 Oct 2014 12:55:06 +0200
- To: Florian Weber <fweber@rebrush.de>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=f-pv2j3T17iRpMYm=3ePNHJ=HBjew5iaYrZpS94AsCXg@mail.gmail.com>
Nonces should serve this use-case (and they're shipping now in Firefox and Chrome); if you transfer the nonce to the trusted script (either via GET parameters, or by simply embedding it on the page in a place the script can read) then it can inject its own scripts using that token. For example, given `script-src 'nonce-12345'`, the following could be effective:

```html
<!-- In index.html -->
<script nonce="12345" src="trusted.js"></script>
```

```javascript
// In trusted.js: read the nonce off the first <script> element on the page
// (the one that loaded this file) and reuse it on the script being injected.
var nonce = document.querySelector('script').getAttribute('nonce');
document.write('<script nonce="' + nonce + '" src="whatever.js"></script>');
```

Does that answer your question?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Oct 9, 2014 at 3:33 PM, Florian Weber <fweber@rebrush.de> wrote:

> Hi,
>
> > Brad Hill commented: "Should dynamic creation of script elements that match the hash, e.g. with document.write(), be allowed or is the policy only evaluated on the first pass of the input stream preprocessor and new inline script nodes prohibited thereafter?" Proposal: prohibit dynamic addition of inline script blocks. Can anyone think of a reason that it would be problematic to prohibit dynamic addition of inline script blocks?
>
> One problem of disallowing dynamically injected <script> tags is the usage of tracking and/or advertising scripts.
>
> If you use a Tag-Management System you would have something like this:
>
> Host requests a script with lots of parameters.
>
> Depending on these parameters the TMS will generate a JavaScript that includes lots of document.write statements.
>
> Some of these document.writes are inline <script> tags.
>
> These will not get executed because they are not trustworthy.
>
> This could be a big problem for a lot of sites to adapt CSP properly (without 'unsafe-inline').
>
> Greeting
> Florian
>
> --
> Google Plus <https://plus.google.com/103885057599472805071/posts>, Twitter <http://@fwebdev>
Received on Tuesday, 14 October 2014 10:55:55 UTC