W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

RE: Allow dynamically inserted <script>-Tags from trustworthy Scripts

From: Sean Snider <ssnider@yahoo-inc.com>
Date: Thu, 23 Oct 2014 05:33:06 +0000
To: Florian Weber <fweber@rebrush.de>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <594AED27D7A9BD4F93EDD2715E205A2041A3B271@GQ1-MB04-02.y.corp.yahoo.com>
Yeah see I totally disagree with this. . . no way do I think an nonce inline should be able to generate
an external script and get automatic vetting. . .that defeats the whole purpose. . .

If it’s an external URL, loading into the main page, it’s not just a security risk, but a performance risk,
a stability risk etc.  And since’s it’s a URL, it’s response can change at will, at any time. . .basically
meaning that if you are not white-listing by URI or nonce + inline, there is no “real” way that you
can trust the content. . . b/c your just skipping over it. . . it defeats the whole purpose. . .

And further (as I work at Yahoo and the IAB), no site . . .not one single site,  “trusts” 3rd party script.

The sites that allow raw JavaScript from ads on their pages are doing so only b/c they don’t feel
they have any data in page, or via cookies, or whatever that they need to protect. . but in many many
cases, that’s simply b/c the developers of the site are not informed enough. . .

In fact that model is very quickly dying. . . most folks are sandboxing. . . either using a plain IFRAME,
a SafeFrame, or some variant of CAJA or FBJS.  Display ads and 3rd party dynamically downloaded
content is fine (in fact plenty of mashup type modules out there that fit in this category as well),
but no site should ever be loading that stuff raw into their main page . . . it’s just way too risky.

For anything dynamic. . .honestly the only thing I can think of is sandboxing. . . white-list just doesn’t
work in that case except for at very base levels (like plugin-types for example).

Sean


From: fwebdev@gmail.com [mailto:fwebdev@gmail.com] On Behalf Of Florian Weber
Sent: Tuesday, October 21, 2014 2:17 PM
To: Anne van Kesteren; public-webappsec@w3.org
Subject: Re: Allow dynamically inserted <script>-Tags from trustworthy Scripts

The Site Owner has the choice to trust the Thirtparty Script by giving it a valid nonce in firstplace.
If we trust that Thirdparty they can run any Javascript they want. Why should they not be allowed to insert another script?

The other solution is to use unsafe-inline which doesn't make the web much safer.

There already was a discussion about this Topic on the List some time ago. There was a kind of 50/50 feeling about preventing or allowing this behavior.

http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html




2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl<mailto:annevk@annevk.nl>>:
On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de<mailto:fweber@rebrush.de>> wrote:
> There are a lot of Tracking and Advertisment Scripts out there and I think
> it would be a lot easier to adopt CSP (without the use of unsafe-inline) if
> the behavior would be changed.

How do you envision changing the behavior while retaining the security?


--
https://annevankesteren.nl/


2014-10-21 22:54 GMT+02:00 Florian Weber <fweber@rebrush.de<mailto:fweber@rebrush.de>>:
The Site Owner has the choice to trust the Thirtparty Script by giving it a valid nonce in firstplace.
If we trust that Thirdparty they can run any Javascript they want. Why should they not be allowed to insert another script?

The other solution is to use unsafe-inline which doesn't make the web much safer.

There already was a discussion about this Topic on the List some time ago. There was a kind of 50/50 feeling about preventing or allowing this behavior.

http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0033.html




2014-10-21 13:43 GMT+02:00 Anne van Kesteren <annevk@annevk.nl<mailto:annevk@annevk.nl>>:
On Tue, Oct 21, 2014 at 1:14 PM, Florian Weber <fweber@rebrush.de<mailto:fweber@rebrush.de>> wrote:
> There are a lot of Tracking and Advertisment Scripts out there and I think
> it would be a lot easier to adopt CSP (without the use of unsafe-inline) if
> the behavior would be changed.

How do you envision changing the behavior while retaining the security?


--
https://annevankesteren.nl/




--
Über mich bei Google Plus<https://plus.google.com/103885057599472805071/posts>,Twitter<http://@fwebdev>, XING<https://www.xing.com/profile/Florian_Weber7>




--
Über mich bei Google Plus<https://plus.google.com/103885057599472805071/posts>,Twitter<http://@fwebdev>, XING<https://www.xing.com/profile/Florian_Weber7>

Received on Thursday, 23 October 2014 20:48:11 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC