
[CSP] Script/Style hash and text normalization

From: Joel Weinberger <jww@chromium.org>
Date: Wed, 28 Oct 2015 19:46:05 +0000
Message-ID: <CAHQV2KnS=JE0kZ8+xjHYanMObX2_fpiWP8Xvs7B7hFtpRLvWBA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Mike West <mkwst@chromium.org>, Joshua Bell <jsbell@chromium.org>

Hi folks. We've recently run into a number of problems in Blink with
normalization that we've been doing on content (for example
https://crbug.com/545383), so we've had an effort to remove all points of
normalization. In fact, the last remaining one is for CSP script/style src
hashes.

Reading the spec, there's nothing that indicates to me that the text should
be normalized before digests are calculated (see the script block source
which is what the digest is supposed to be calculated over:
http://www.w3.org/TR/html5/scripting-1.html#the-script-block's-source). I
know that we talked about it at one point, but I believe nothing came of it.

However, we added (in truth, I think I did it) a Web Platform Test to
ensure that content *is* normalized:
https://github.com/w3c/web-platform-tests/blob/master/content-security-policy/blink-contrib-2/scripthash-unicode-normalization.sub.html.
I suggest that we modify this test to ensure that content *is not*
normalized before the digest is calculated. Does that make sense to
everyone out there, but especially the other implementors?
Received on Wednesday, 28 October 2015 19:46:43 UTC
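
The difference the message is about, as an added example that is not part of the original post and is not Blink or Web Platform Tests code: the same visible script text in NFC and NFD form, hashed with and without normalization first. The function names, the sample script and the choice of UTF-8 as the byte encoding are assumptions made for illustration.

```python
import base64
import hashlib
import unicodedata

# Constructed sample: the same visible inline script in two Unicode forms.
SCRIPT_NFC = 'var name = "caf\u00e9";'    # U+00E9, precomposed e-acute
SCRIPT_NFD = 'var name = "cafe\u0301";'   # "e" followed by U+0301 combining acute


def csp_hash(source, alg="sha256", normalize=None):
    """Build a CSP hash-source for an inline script or style body.

    normalize=None hashes the text exactly as written (the behaviour the
    message proposes); "NFC" or "NFD" models an implementation that
    normalizes before hashing. UTF-8 encoding is an assumption here.
    """
    if normalize is not None:
        source = unicodedata.normalize(normalize, source)
    digest = hashlib.new(alg, source.encode("utf-8")).digest()
    return "'{}-{}'".format(alg, base64.b64encode(digest).decode("ascii"))


def allowed(source, policy_hashes, normalize=None):
    """True if any hash-source in the policy matches the inline body."""
    for entry in policy_hashes:
        alg = entry.strip("'").partition("-")[0]
        if alg in ("sha256", "sha384", "sha512") and \
                csp_hash(source, alg, normalize) == entry:
            return True
    return False


# The policy author hashed the NFC bytes of the script.
POLICY = [csp_hash(SCRIPT_NFC)]


def compare():
    """Outcome for each served form, without and with normalization."""
    return {
        "nfc_exact": allowed(SCRIPT_NFC, POLICY),
        "nfd_exact": allowed(SCRIPT_NFD, POLICY),
        "nfd_normalized": allowed(SCRIPT_NFD, POLICY, normalize="NFC"),
    }


if __name__ == "__main__":
    for case, result in compare().items():
        print(case, "->", "allowed" if result else "blocked")
```

Without normalization the hash binds to the exact bytes served, so any build or templating step that re-encodes or normalizes inline script text after the hash was computed causes the script to be blocked.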
