W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: HTML Imports and CSP

From: Jim Manico <jim.manico@owasp.org>
Date: Thu, 2 Apr 2015 14:19:35 -0700
Message-ID: <4133406933584406361@unknownmsgid>
To: Joel Weinberger <jww@chromium.org>
Cc: Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Actually, when putting untrusted data into JavaScript context from an
inline perspective, the encoding contexts needed are script block, script
attribute and script source (from a JS file).  Happy to provide examples.

And from a direct dom perspective, encoding is not needed - just use safe
APIs assignments like .value .text.

Jim Manico
(808) 652-3805

On Apr 2, 2015, at 2:03 PM, Joel Weinberger <jww@chromium.org> wrote:

On Wed, Apr 1, 2015 at 11:53 PM Mike West <mkwst@google.com> wrote:

> On Thu, Apr 2, 2015 at 6:32 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>> > Sure, why not? I'm not a huge fan of inline event handlers, but I don't
>> > think that allowing them (and inline script) in Imports actually
>> increases
>> > the risk a developer exposes herself to. Do you think that's an
>> incorrect
>> > analysis?
>> There is a huge difference in risk of XSS in inline event handlers and
>> inline scripts. Different types of contexts, nested contexts etc all
>> are issues. *cough* I think Joel wrote a paper about this :D
> You're not wrong there; inline event handlers are bad and they should feel
> bad.
> That said, is the risk really different in kind from just allowing plain
> old inline script that executes directly? It doesn't seem to be. Allowing
> one without allowing the other seems capricious.
Yes, there is a different risk. Dev's point is that in JavaScript files, it
is much "easier" to sanitize properly on the server. There are many fewer
contexts to sanitize for (e.g. JavaScript strings, JavaScript numbers, and
JavaScript code). For inline scripts and event handlers, for your
sanitization, you not only need to consider all of the JavaScript
contexts... but any other context that can possible appear in the document:
HTML attributes, HTML CDATA, CSS, etc.

Additionally, is that if we had a good to way to apply policies within
JavaScript files, I would definitely argue for granting that capability,
but that's not something that we've looked into/thought about. However, we
*do* have a good way to apply policies to HTML documents, and it seems
surprising to me that we would deny that capability to developers who are
making modules. *That* is what would seem capricious to me :-)

I agree that implementing this will be difficult, which is why we can split
this into two parts (script-src or import-src followed by a separate
mechanism for allowing modules to serve up policies).

>> > There's a difference between supporting a new feature which isn't
>> currently
>> > covered by any directive, and changing the meaning of a directive that
>> > already covers a featue.
>> Again, because of the DOMXSS risk (even just injecting a new inline
>> script tag
>> without nonce), I think not using a new directive messes up the
>> security invariants for any CSP adopters.
> If we move imports from `script-src` to `import-src`, then sites that
> currently disallow imports will no longer have that protection. That seems
> bad.
> What's your ideal solution?
> -mike
Received on Thursday, 2 April 2015 21:20:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC