Re: [CSP] Clarifications on nonces

From: Brian Smith <brian@briansmith.org>
Date: Mon, 9 Feb 2015 03:32:23 -0800
Message-ID: <CAFewVt4Foh1BCx+-NvCb_DJgtggRb0_UsquOLoEXU9VbbX-oxQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Feb 9, 2015 at 1:30 AM, Mike West <mkwst@google.com> wrote:
> On Mon, Feb 9, 2015 at 9:06 AM, Brian Smith <brian@briansmith.org> wrote:
>> Mike West wrote:
>> > Consider a page that includes a third-party widget. Or an ad. It's quite
>> > likely that the page doesn't actually know what's going to be loaded via
>> > that widget, so constructing a CSP which would allow those things is
>> > difficult. Nonces, being easily transferable, allow such embedded
>> > content to bring in whatever it requires.
>>
>> I think that use case is one for which we should find alternative
>> solutions. In particular, we should be moving the web towards social
>> widgets and ads being confined within iframe sandbox so that embedding
>> an ad or widget doesn't give the ad/widget provider full control over
>> the page's origin like <script src=//third-party.example.com/ad.js>
>> does. So, I think that allowing CSP nonce to have DOM XSS
>> vulnerabilities in order to support the use case above is doubly
>> counterproductive.
>
> The general thrust is "Don't run third-party JavaScript in your site's
> context." and "Don't serve ads that require DOM access.". I think there's
> general agreement on those points in theory, and general disregard for them
> in practice. My claim is that if we make it impossible to follow this
> unfortunately (very) common pattern, the most likely effect is not that
> folks will make their sites more secure, but that they simply won't use CSP.

I don't think that conclusion necessarily follows. We should study why
iframe sandbox isn't considered sufficient by ads and other widgets
makers, and find a way to address their concerns, e.g. by expanding
iframe sandbox's capabilities.

> Nonces are significantly weaker than a policy that whitelists specific
> origins. Nonces are significantly stronger than an empty policy. It's a
> trade-off, to be sure. I'm arguing that it's a justifiable and practical
> one. You're arguing that it's not.

My argument is that the real problem is that iframe sandbox doesn't
work well enough for ad and widget providers to use it. That's the
real problem that needs solved. By wallpapering over it here, we'd be
reducing our motivation for solving that problem, while making CSP
nonce less secure than it would otherwise be. I think that's not the
right tradeoff. I'd rather encourage more urgent addressing of the
root problem.

> As you suggested in
> https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0116.html, it
> would be good to get more opinions to see where the group tends to land on
> the subject.

Sounds good.

Cheers,
Brian
Received on Monday, 9 February 2015 11:32:50 UTC
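
The arrangement argued for in this message, as an added example that is not part of the original thread: the page's own inline script gets a per-response CSP nonce, while the third-party widget is confined to a sandboxed iframe instead of being handed that nonce. The widget URL and the helper names `build_response` and `nonce_from_csp` are assumptions made for illustration.

```python
import re
import secrets

# Assumed names for illustration: the widget URL and both helpers are hypothetical.
WIDGET_ORIGIN = "https://third-party.example.com"
WIDGET_URL = WIDGET_ORIGIN + "/widget.html"


def nonce_from_csp(csp):
    """Return the nonce value carried by script-src, or None."""
    m = re.search(r"script-src[^;]*'nonce-([A-Za-z0-9+/_=-]+)'", csp)
    return m.group(1) if m else None


def build_response(first_party_js):
    """Build (headers, body) for a page embedding a third-party widget.

    first_party_js must be trusted, server-authored script text.
    """
    # Fresh 128-bit CSPRNG value per response; a reused or guessable
    # nonce lets injected markup satisfy the policy.
    nonce = secrets.token_urlsafe(16)
    csp = "; ".join([
        "default-src 'none'",
        f"script-src 'nonce-{nonce}'",   # only scripts carrying this nonce run
        f"frame-src {WIDGET_ORIGIN}",    # the widget may only be framed
    ])
    body = (
        "<!doctype html>\n"
        f'<script nonce="{nonce}">{first_party_js}</script>\n'
        # No nonce is handed to the third party. Without allow-same-origin
        # the framed document runs in an opaque origin, outside this page's DOM.
        f'<iframe sandbox="allow-scripts" src="{WIDGET_URL}"></iframe>\n'
    )
    return {"Content-Security-Policy": csp}, body
```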