Re: [CSP] "sri" source expression to enforce SRI from Chris Palmer on 2015-12-23 (public-webappsec@w3.org from December 2015)

From: Chris Palmer <palmer@google.com>
Date: Tue, 22 Dec 2015 18:38:24 -0800
To: Jonathan Kingston <jonathan@jooped.co.uk>
Cc: Brad Hill <hillbrad@gmail.com>, Joel Weinberger <jww@chromium.org>, Richard Barnes <rbarnes@mozilla.com>, Patrick Toomey <patrick.toomey@github.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAOuvq21jpEyMnSMbvt5T-X81AWZq5ZKMe2UfYE9H=3RurDgdpg@mail.gmail.com>
HTTP/2 should do a lot to address header bloat, just as it addresses other
performance problems.

And, as usual, import content_layer_heaviest from stdarg. :)

On Tue, Dec 22, 2015 at 6:13 PM, Jonathan Kingston <jonathan@jooped.co.uk>
wrote:

> Perhaps the bloat is something that actually needs to be addressed?
> Creating many headers doesn't really solve the bloat issue.
> I agree that it doesn't need to be the core CSP spec especially as we have
> UI Security separate etc.
> But yes when we discussed this last certainly one directive isn't flexible
> enough for example when SRI expands to images having all assets on the page
> requiring SRI would probably be too inflexible.
>
> On Tue, Dec 22, 2015 at 7:40 PM Brad Hill <hillbrad@gmail.com> wrote:
>
>> I'm open to either possibility. In the past we've talked about things
>> like fallback policy (e.g. if CDN content from untrusted host X fails the
>> hash check, try to load from a trusted canonical https source, host Y) that
>> would be tricky to shoehorn into the CSP directive parsing logic, and
>> policy combination is another area where it is good not to overcomplicate
>> CSP.
>>
>> On Tue, Dec 22, 2015 at 11:29 AM Joel Weinberger <jww@chromium.org>
>> wrote:
>>
>>> FWIW, I think either approach is fine. I know that, in general, we've
>>> been concerned about CSP bloat, so for that reason alone it might be worth
>>> moving it to its own header. But I don't really care at all either way.
>>>
>>> On Tue, Dec 22, 2015 at 2:28 PM Richard Barnes <rbarnes@mozilla.com>
>>> wrote:
>>>
>>>> I'm not sure I agree with that, Brad :)  CSP is where we place
>>>> restrictions on loading things, and "must have SRI" is a restriction on
>>>> loading things.
>>>>
>>>> On Tue, Dec 22, 2015 at 2:26 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>>>
>>>>> Yeah, we'd discussed a SRI policy header / meta tag to express a
>>>>> number of things like this, it just got dropped from v1 to get it out the
>>>>> door.  Not sure shoehorning it into CSP is the right choice, especially
>>>>> since the reporting mechanism is already being factored out into its own,
>>>>> reusable, feature.  Might be simpler to define a standalone header.
>>>>>
>>>>> On Tue, Dec 22, 2015 at 11:24 AM Richard Barnes <rbarnes@mozilla.com>
>>>>> wrote:
>>>>>
>>>>>> Some sort of "must-sri" directive is something we had considered
>>>>>> inside Mozilla for some of our properties, so this does seem like a
>>>>>> productive thing to look at.  I don't have any personal biases about how
>>>>>> exactly to express it.
>>>>>>
>>>>>>
>>>>>> On Tue, Dec 22, 2015 at 12:07 PM, Patrick Toomey <
>>>>>> patrick.toomey@github.com> wrote:
>>>>>>
>>>>>>> Yeah, a separate directive probably makes sense. I was originally
>>>>>>> thinking it fit into the "locations that are safe" pattern since we are
>>>>>>> stating that a location is only safe if it has a known hash (using SRI)
>>>>>>> from that location. But, I realize that is a stretch. And, you have a good
>>>>>>> point about being able to put other SRI related things in if we have a
>>>>>>> separate directive. So, yeah, that is probably the cleaner way to go.
>>>>>>> Thanks for opening the tracking issue.
>>>>>>> On Tue, Dec 22, 2015 at 9:32 AM Joel Weinberger <jww@chromium.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> That's a good point about SRI in general; it's hard to know if
>>>>>>>> you've forgotten to SRI anything. I'm not sure source-expression is the
>>>>>>>> right place to put it in CSP, though, as that's meant to be "locations that
>>>>>>>> are safe," and that's not exactly what you're requesting. It probably makes
>>>>>>>> sense to have an 'sri-options' directive, though, since we'll probably want
>>>>>>>> SRI 'report-only' eventually anyway.
>>>>>>>>
>>>>>>>> I've filed this as a feature request in GitHub, too:
>>>>>>>> https://github.com/w3c/webappsec-subresource-integrity/issues/23
>>>>>>>> --Joel
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Dec 22, 2015 at 2:50 AM Patrick Toomey <
>>>>>>>> patrick.toomey@github.com> wrote:
>>>>>>>>
>>>>>>>>> We recently deployed subresource integrity across GitHub.com:
>>>>>>>>> https://github.com/blog/2058-github-implements-subresource-integrity.
>>>>>>>>> However, a few days after deployment we determined that one of our JS
>>>>>>>>> scripts did not have an "integrity" attribute assigned to it. It was our
>>>>>>>>> intent to add the integrity attribute to all subresources on GitHub.com. We
>>>>>>>>> statically vendor in all CSS/JS and use Sprockets (SRI support was added in
>>>>>>>>> https://github.com/sstephenson/sprockets/pull/645) to package
>>>>>>>>> these assets for production deployments. There happened to be one JS file
>>>>>>>>> that had not been vendored, and hence was not being packaged by Sprockets.
>>>>>>>>> This violated two of our goals:
>>>>>>>>>
>>>>>>>>> * Not allowing any dynamically sourced JS (we vendor everything to
>>>>>>>>> ensure what is in version control is what is used in production)
>>>>>>>>> * Enforcing SRI on all supported subresources on GitHub.com
>>>>>>>>>
>>>>>>>>> Reflecting back on this situation, it would have been nice to have
>>>>>>>>> support in CSP for a source expression such as
>>>>>>>>> "sri"/"sri-only"/"sri-naming-things-is-hard" to ensure SRI is being used
>>>>>>>>> everywhere. In the above scenario, the related JS would have failed to load
>>>>>>>>> and we would have identified both of the issues listed above in testing.
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
Received on Wednesday, 23 December 2015 02:38:55 UTC