W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2016

Re: Making it easier to deploy CSP.

From: Artur Janc <aaj@google.com>
Date: Sat, 13 Feb 2016 14:44:35 +0100
Message-ID: <CAPYVjqrj4-ELvq5KE1anSBib0cZytSymvb0bRU0nbHPKznw8OQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Lukas Weichselbaum <lwe@google.com>, Michele Spagnuolo <mikispag@google.com>
On Sat, Feb 13, 2016 at 7:44 AM, Mike West <mkwst@google.com> wrote:

> On Sat, Feb 13, 2016 at 4:47 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>
>> Hey Mike
>>
>> I am probably confused but would we get something similar by just using a
>> nonce- source and some UA detection to send the big whitelist for browsers
>> that don't support nonces?
>>
>
> I'd prefer to avoid forcing folks into UA detection. I recognize that it's
> important, given bugs in various UAs, but I'm reluctant to give up on
> backwards compatibility entirely.
>
>
>> Is 'unsafe-dynamic' needed only for backwards compatibility for browsers
>> that don't support nonce source?
>>
>
> The new keyword would serve as an explicit opt-in to cascading the nonce's
> capability down to scripts loaded by scripts you've chosen to trust. That
> doesn't _actually_ add any new power to nonces, as any running script can
> grab the nonce (as noted in the polyfill). It does add a little bit of
> power to hashes (as that behavior can't be polyfilled). It's also a
> significant win in terms of deployability, as very little code would
> actually need to change. Again, anecdotally, a significant subset of the
> Google properties that folks spot-checked could use this mechanism without
> changing any JavaScript code at all, just by turning on a nonce-generator
> in their templating library.
>

To illustrate this I put together a small testbed which enables
'unsafe-dynamic' and loads a dozen popular JS APIs: Facebook/Twitter
sharing buttons, Google Maps, etc:

https://csp-experiments.appspot.com/unsafe-dynamic
(needs Chrome Canary with experimental platform features enabled in
chrome://flags)

With 'unsafe-dynamic', scripts dynamically added to the page by a trusted
script (one which we allowed to run by giving it a crypto nonce or
whitelisting its hash) will be allowed to execute without requiring each JS
library to explicitly pass around nonces when loading such sub-scripts.

Based on a quick look at the behavior in the testbed it seems that most of
the popular widgets work properly with such a policy. Our hope is that this
will allow developers to add nonces to their static <script> blocks and
have a safe CSP without having to worry about whitelisting all
domains/paths used by JS APIs included on their pages (more often than not
that would lead to an unsafe policy because of JSONP endpoints in the same
domains).

Cheers,
-Artur
Received on Monday, 15 February 2016 22:48:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC