
Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Florian Weber <fweber@rebrush.de>
Date: Thu, 23 Oct 2014 21:46:25 +0200
Message-ID: <CABHFno2kGAxA1=T4Eo=BBdDfuQZ1C+e141gUYtcb+j6Zq2yV3w@mail.gmail.com>
To: Sean Snider <ssnider@yahoo-inc.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Phew.... So I guess my idea was not that good.
But now I have a good feeling because I know why CSP is working like it is
at that point.


Thanks guys for making the Web safer :)

Greetings
Florian

2014-10-23 7:33 GMT+02:00 Sean Snider <ssnider@yahoo-inc.com>:

>  Yeah see I totally disagree with this. . . no way do I think a nonce
> inline should be able to generate
>
> an external script and get automatic vetting. . .that defeats the whole
> purpose. . .
>
>
>
> If it’s an external URL, loading into the main page, it’s not just a
> security risk, but a performance risk,
>
> a stability risk etc.  And since it's a URL, its response can change at
> will, at any time. . .basically
>
> meaning that if you are not white-listing by URI or nonce + inline, there
> is no “real” way that you
>
> can trust the content. . . b/c you're just skipping over it. . . it defeats
> the whole purpose. . .
>
>
>
> And further (as I work at Yahoo and the IAB), no site . . .not one single
> site,  “trusts” 3rd party script.
>
>
>
> The sites that allow raw JavaScript from ads on their pages are doing so
> only b/c they don’t feel
>
> they have any data in page, or via cookies, or whatever that they need to
> protect. . but in many many
>
> cases, that’s simply b/c the developers of the site are not informed
> enough. . .
>
>
> In fact that model is very quickly dying. . . most folks are sandboxing. .
> . either using a plain IFRAME,
>
> a SafeFrame, or some variant of CAJA or FBJS.  Display ads and 3rd party
> dynamically downloaded
>
> content is fine (in fact plenty of mashup type modules out there that fit
> in this category as well),
>
> but no site should ever be loading that stuff raw into their main page . .
> . it’s just way too risky.
>
>
>
> For anything dynamic. . .honestly the only thing I can think of is
> sandboxing. . . white-list just doesn’t
>
> work in that case except for at very base levels (like plugin-types for
> example).
>
>
>
> Sean
>
>
>
>
>
> *From:* fwebdev@gmail.com [mailto:fwebdev@gmail.com] *On Behalf Of *Florian
> Weber
> *Sent:* Tuesday, October 21, 2014 2:17 PM
> *To:* Anne van Kesteren; public-webappsec@w3.org
> *Subject:* Re: Allow dynamically inserted <script>-Tags from trustworthy
> Scripts
>
>
>
> The Site Owner has the choice to trust the third-party script by giving it
> a valid nonce in the first place.
>
> If we trust that third party, they can run any JavaScript they want. Why
> should they not be allowed to insert another script?
>
>
>
> The other solution is to use unsafe-inline which doesn't make the web much
> safer.
>
>
>
> There already was a discussion about this topic on the list some time ago.
> There was a kind of 50/50 feeling about preventing or allowing this
> behavior.
>
>
>
> http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html
>
>
>
>
>
>
>
> 2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl>:
>
> On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de> wrote:
> > There are a lot of tracking and advertisement scripts out there and I
> think
> > it would be a lot easier to adopt CSP (without the use of unsafe-inline)
> if
> > the behavior would be changed.
>
> How do you envision changing the behavior while retaining the security?
>
>
> --
> https://annevankesteren.nl/
>
>
> --
>
> About me on Google Plus
> <https://plus.google.com/103885057599472805071/posts>, Twitter
> <http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>
>



-- 
About me on Google Plus
<https://plus.google.com/103885057599472805071/posts>, Twitter
<http://@fwebdev>, XING <https://www.xing.com/profile/Florian_Weber7>
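The point the thread settles on is that CSP judges every script element on its own nonce attribute or URL, so a nonced inline script cannot hand its trust to a tag it injects, and the only ways to let that injected script run are a URI whitelist entry or a nonce on the injected element itself. The following JavaScript is an added illustration of that per-element rule; it is not code from the list, the spec, or any browser. It models a CSP Level 2 `script-src` directive with `'self'`, host and scheme sources, `'nonce-…'` and `'unsafe-inline'`; the policy string, page origin, nonce and URLs are constructed sample values, and path matching is left out.

```javascript
// Added example (not from the thread or from any browser): a minimal model of
// how a CSP Level 2 script-src directive judges each <script> element on its
// own nonce and URL. Policy, origin, nonce and URLs are constructed samples.
// Path matching and less common source expressions are deliberately omitted.

const PAGE_ORIGIN = "https://site.example"; // constructed sample origin
const SAMPLE_POLICY = // constructed sample policy
  "script-src 'self' https://cdn.example.com 'nonce-abc123'";

// Parse the script-src directive of a policy string into a source list.
function parseScriptSrc(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/i.test(d));
  if (!directive) return null;
  const list = { self: false, unsafeInline: false, nonces: new Set(), hosts: [] };
  for (const token of directive.split(/\s+/).slice(1)) {
    if (token === "'self'") list.self = true;
    else if (token === "'unsafe-inline'") list.unsafeInline = true;
    else if (token.startsWith("'nonce-") && token.endsWith("'")) list.nonces.add(token.slice(7, -1));
    else list.hosts.push(token);
  }
  return list;
}

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80" }[protocol] || "";
}

// Match one host-source expression (scheme:, host, *.host, scheme://host:port)
// against a parsed URL. Paths are ignored in this simplified model.
function hostMatches(source, u) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== u.protocol) return false;
  const h = host.toLowerCase();
  if (!(wildcard ? u.hostname.endsWith("." + h) : u.hostname === h)) return false;
  if (port && port !== "*" && port !== (u.port || defaultPort(u.protocol))) return false;
  return true;
}

// Inline script: once the policy carries any nonce, only a matching nonce
// attribute counts and 'unsafe-inline' is ignored; otherwise 'unsafe-inline' decides.
function inlineAllowed(list, nonceAttr) {
  if (list.nonces.size > 0) return nonceAttr !== undefined && list.nonces.has(nonceAttr);
  return list.unsafeInline;
}

// External script: judged by its own nonce attribute or its URL against the
// whitelist. Nothing here asks which script inserted the element, which is why
// a nonced inline script cannot pass its trust on to a tag it injects.
function externalAllowed(list, url, nonceAttr) {
  if (nonceAttr !== undefined && list.nonces.has(nonceAttr)) return true;
  const u = new URL(url);
  if (list.self && u.origin === PAGE_ORIGIN) return true;
  return list.hosts.some((h) => hostMatches(h, u));
}

// The scenario from the thread: an inline script with the given nonce runs,
// then inserts <script src=injectedUrl>. Returns both decisions.
function simulate(policy, inlineNonce, injectedUrl, injectedNonce) {
  const list = parseScriptSrc(policy);
  if (!list) throw new Error("policy has no script-src directive");
  return {
    inlineRuns: inlineAllowed(list, inlineNonce),
    injectedRuns: externalAllowed(list, injectedUrl, injectedNonce),
  };
}

console.log(simulate(SAMPLE_POLICY, "abc123", "https://tracker.example.net/t.js"));
// { inlineRuns: true, injectedRuns: false }
console.log(simulate(SAMPLE_POLICY, "abc123", "https://cdn.example.com/lib.js"));
// { inlineRuns: true, injectedRuns: true }
```

Running it shows the two outcomes the thread contrasts: with the nonce policy, the trusted inline script runs but the tracker script it injects is blocked unless its host is whitelisted, while the `'unsafe-inline' https:` alternative Florian mentions lets every inline script and every https URL through, which is the trade-off Sean objects to.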
Received on Thursday, 23 October 2014 19:46:52 UTC
