
Re: 'strict-dynamic' syntax (was Re: On the Insecurity of Whitelists and the Future of CSP)

From: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Date: Fri, 28 Oct 2016 12:36:39 +0200
Message-ID: <CAGy2MrVNb=vp4k18oJVH9s5cmV1bkJbZSVrmPbSHLaKV6ivDAw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Mike West <mkwst@google.com>, Artur Janc <aaj@google.com>, Anne van Kesteren <annevk@annevk.nl>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>, Lukas Weichselbaum <lwe@google.com>, Michele Spagnuolo <mikispag@google.com>
When reviewing Firefox patches for strict-dynamic I considered a few cases
of how someone could write a CSP policy using strict-dynamic. Let's have a
look:

1) default-src 'strict-dynamic' foo.com; script-src 'nonce-asdf'

2) default-src 'strict-dynamic' foo.com

In order to craft a valid or somehow useful CSP policy relying on
'strict-dynamic' one has to at least specify a valid nonce, right? The
first case does that and it seems somehow intuitive. The second case,
however, fails to specify a nonce. In that case foo.com needs to be
invalidated for script loads but not for image loads, which seems
counterintuitive. Since one needs to define a valid nonce anyway (which is only
allowed within script-src), why do we also allow strict-dynamic to
appear within default-src? In my opinion it would be clearer to only allow
strict-dynamic to appear within script-src, or am I missing something?
Thoughts?



On Wed, Sep 14, 2016 at 7:35 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Tue, Sep 13, 2016 at 12:27 PM, Mike West <mkwst@google.com> wrote:
>
>> Friendly ping. :)
>>
>
> Sorry for the delay, we're arguing amongst ourselves to come up with a
> "Mozilla" opinion we agree with because we fear anything we say as
> individuals will be interpreted as "The Mozilla opinion" anyway.
>
> I do appreciate Artur's argument and examples.
>
>
> -
> Dan Veditz
>
>
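The behaviour Christoph describes (with policy 2, foo.com stops matching script loads that fall back to default-src, but still matches image loads) follows from the CSP3 rule that 'strict-dynamic' makes host-source expressions ignored when matching a script, while it has no effect on non-script fetch directives. The following is an added, simplified model of that evaluation, written for this page; it is not Firefox code and not part of the thread. It assumes exact host matching only (no wildcards, schemes or paths), models nonces and 'strict-dynamic' trust propagation, and treats 'self' and hash sources as out of scope.

```python
# Added example (not from the mailing-list thread or any browser): a minimal
# model of CSP source-list evaluation for script-src and img-src, including
# default-src fallback and the 'strict-dynamic' rule for script loads.
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (subset, for this model).
FALLBACK = {"script-src": "default-src", "img-src": "default-src"}


def parse_policy(policy: str) -> dict:
    """Parse "name src src; name src" into {name: [sources]} (simplified parser)."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_list(directives: dict, directive: str):
    """Return the source list governing `directive`, honouring default-src fallback.
    None means no directive applies, i.e. the load is not restricted by CSP."""
    if directive in directives:
        return directives[directive]
    fallback = FALLBACK.get(directive)
    if fallback in directives:
        return directives[fallback]
    return None


def host_matches(source: str, url: str) -> bool:
    """Exact host comparison only; real CSP also handles wildcards, schemes and paths."""
    return source.lower() == (urlsplit(url).hostname or "")


def allowed(policy: str, directive: str, url: str = None, nonce: str = None,
            propagated_trust: bool = False) -> bool:
    """Decide whether a load governed by `directive` is permitted by `policy`.

    `nonce` is the nonce attribute carried by the element (if any).
    `propagated_trust` marks a non-parser-inserted script created by an
    already-trusted script, which 'strict-dynamic' allows through.
    """
    sources = effective_list(parse_policy(policy), directive)
    if sources is None:
        return True
    # 'strict-dynamic' only changes matching for script loads.
    strict_dynamic = directive == "script-src" and "'strict-dynamic'" in sources
    if strict_dynamic and propagated_trust:
        return True
    for src in sources:
        if src.startswith("'nonce-"):
            if nonce is not None and src == f"'nonce-{nonce}'":
                return True
        elif src.startswith("'"):
            # Keyword sources such as 'strict-dynamic'; 'self' is not modelled here.
            continue
        else:
            if strict_dynamic:
                # Host sources are ignored for scripts once 'strict-dynamic' is present.
                continue
            if url is not None and host_matches(src, url):
                return True
    return False


# Constructed inputs: the two policies from the message above.
POLICY_1 = "default-src 'strict-dynamic' foo.com; script-src 'nonce-asdf'"
POLICY_2 = "default-src 'strict-dynamic' foo.com"

if __name__ == "__main__":
    for name, policy in (("policy 1", POLICY_1), ("policy 2", POLICY_2)):
        print(name, "script from foo.com:",
              allowed(policy, "script-src", "https://foo.com/a.js"))
        print(name, "script with nonce asdf:",
              allowed(policy, "script-src", nonce="asdf"))
        print(name, "image from foo.com:",
              allowed(policy, "img-src", "https://foo.com/a.png"))
```

Running it shows the asymmetry the message points out: under policy 2 a script from foo.com is rejected (the host source is ignored for scripts and there is no nonce to satisfy), while an image from foo.com is still permitted through the same default-src list.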
Received on Friday, 28 October 2016 10:37:13 UTC
