Re: Signed CSP

> CSP is probably not the right place to solve it.

Fair point. I was using this as a starting point because it seemed like a
logical place to begin.

> You'd probably just want a signature attached as an extra HTTP header or
so, with a browser add-on plugging into the HTTP stack and taking care of
the validation steps.

By this, I assume you mean the whole meta idea of verifying the script
hashes and whitelisting redirects (an idea I hadn't considered)?

What would we even call this then, if it's not to be tied in with CSPs?

On Sun, Feb 15, 2015 at 9:10 PM, Michal Zalewski <lcamtuf@coredump.cx>
wrote:

> So your model is to have a manually curated whitelist of trusted keys;
> and then use a browser that refuses to load any Internet content at
> all unless it is signed with one of these (hopefully offline) keys?
>
> The "can't navigate anywhere else" seems like a prerequisite, because
> otherwise, what stops pwn3d.com from just a 30x redirect to evil.com,
> and letting evil.com do any fingerprinting / decloaking it wants? (In
> fact, for optimal safety, you'd probably want a whitelist of keys
> *and* of navigable origins).
>
> This seems like an incredibly narrow / impractical use case, with a
> whole lot of new browser logic to tackle on, and even then, CSP is
> probably not the right place to solve it. You'd probably just want a
> signature attached as an extra HTTP header or so, with a browser
> add-on plugging into the HTTP stack and taking care of the validation
> steps.
>
> /mz
>

Received on Monday, 16 February 2015 02:15:23 UTC
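As an added illustration of the design Michal sketches in the quoted message (not code from this thread or from any browser project): the publisher signs the response body offline and attaches the signature in an extra HTTP header, and a browser add-on refuses unsigned content, content signed by a key outside its curated whitelist, and any navigation (including a 30x redirect target) to an origin that was never whitelisted. The header name `X-Content-Signature`, the `keyid=...;sig=...` format, the use of Ed25519 and the key ids are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// sigHeader is a hypothetical header name; the thread never fixes one.
const sigHeader = "X-Content-Signature"

// Policy models the add-on's manually curated whitelist: the trusted
// (ideally offline-generated) signing keys and the navigable origins.
type Policy struct {
	TrustedKeys    map[string]ed25519.PublicKey // key id -> public key
	AllowedOrigins map[string]bool              // "https://host" -> allowed
}

// signResponse is the publisher side: sign the body and encode the header
// value as "keyid=<id>;sig=<base64>" (an assumed format).
func signResponse(keyID string, priv ed25519.PrivateKey, body []byte) string {
	sig := ed25519.Sign(priv, body)
	return "keyid=" + keyID + ";sig=" + base64.StdEncoding.EncodeToString(sig)
}

// parseSigHeader splits the header value into key id and raw signature.
func parseSigHeader(h string) (string, []byte, error) {
	idPart, sigPart, ok := strings.Cut(h, ";")
	if !ok || !strings.HasPrefix(idPart, "keyid=") || !strings.HasPrefix(sigPart, "sig=") {
		return "", nil, fmt.Errorf("malformed signature header")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(sigPart, "sig="))
	if err != nil {
		return "", nil, err
	}
	return strings.TrimPrefix(idPart, "keyid="), sig, nil
}

// verifyResponse is the add-on side: refuse anything unsigned, signed by a
// key outside the whitelist, or whose body does not match the signature.
func verifyResponse(p Policy, headers map[string]string, body []byte) error {
	h, ok := headers[sigHeader]
	if !ok {
		return fmt.Errorf("unsigned content refused")
	}
	keyID, sig, err := parseSigHeader(h)
	if err != nil {
		return err
	}
	pub, ok := p.TrustedKeys[keyID]
	if !ok {
		return fmt.Errorf("key %q is not in the trusted whitelist", keyID)
	}
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("signature does not match body")
	}
	return nil
}

// checkNavigation gates every navigation, redirect targets included, against
// the origin whitelist, so a compromised signed site cannot bounce the
// browser to an origin that was never vetted.
func checkNavigation(p Policy, target string) error {
	u, err := url.Parse(target)
	if err != nil {
		return err
	}
	origin := u.Scheme + "://" + u.Host
	if !p.AllowedOrigins[origin] {
		return fmt.Errorf("navigation to %s refused: origin not whitelisted", origin)
	}
	return nil
}

// demoPolicy builds a policy with one freshly generated trusted key ("k1")
// and one allowed origin, returning the private key for the demo signer.
func demoPolicy() (Policy, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Policy{}, nil, err
	}
	p := Policy{
		TrustedKeys:    map[string]ed25519.PublicKey{"k1": pub},
		AllowedOrigins: map[string]bool{"https://example.org": true},
	}
	return p, priv, nil
}

func main() {
	p, priv, err := demoPolicy()
	if err != nil {
		panic(err)
	}
	body := []byte("<html>signed page</html>") // constructed sample body
	hdr := map[string]string{sigHeader: signResponse("k1", priv, body)}
	fmt.Println("valid:", verifyResponse(p, hdr, body))
	fmt.Println("tampered:", verifyResponse(p, hdr, []byte("<html>altered</html>")))
	fmt.Println("redirect:", checkNavigation(p, "https://evil.com/"))
}
```

Two design points worth noticing: the signature here covers only the body, so response headers (and therefore anything the page relies on from them) remain unsigned, and the redirect check is what actually closes the hole Michal raises, since a valid signature on pwn3d.com says nothing about where a 30x sends the browser next.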