W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

Re: 'strict-dynamic' syntax (was Re: On the Insecurity of Whitelists and the Future of CSP)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 9 Sep 2016 00:32:17 -0700
To: Artur Janc <aaj@google.com>, Mike West <mkwst@google.com>
Cc: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, "Hodges, Jeff" <jeff.hodges@paypal.com>, W3C Web App Security WG <public-webappsec@w3.org>, Craig Francis <craig.francis@gmail.com>
Message-ID: <960500c1-c674-bb72-7301-bba2204eb309@mozilla.com>
On 9/8/16 1:25 PM, Artur Janc wrote:
> - There is already an "ignore" mechanism in CSP, which works within a
> single directive, namely the presence of 'nonce-*' or 'sha*' ignores
> 'unsafe-inline' for backwards-compatibility.

... which was an ugly but necessary hack in CSP2. The directive-level
override was built-in from the beginning, with *-src directives
overriding default-src, and later frame-src overriding child-src.

> you need to pay attention to different directives deciding the same
> behavior, understand which wins out in which browser, etc. I'd argue
> it's just as confusing, if not more :(

Seems much easier to understand to me: use script policy-A in old
browsers and script policy-B in new browsers, one or the other, a choice
of two. with 'strict-dynamic' a keyword you are mentally understanding a
policy as one thing until you hit that keyword--which could be
anywhere--and then you have to backtrack to figure out what parts are
actually ignored.

> - A new directive likely wouldn't be able to completely ignore
> script-src, because it would need the nonce defined therein. Or
> otherwise we would force the developer to include the nonce in both
> places (script-src 'nonce-foo123' [something]; new-script-src
> 'nonce-foo123';) for backwards-compatibility, which seems fairly inelegant.

Yes, if you used the nonce in the CSP2-level policy you'd have to repeat
it. I agree it's more verbose but that's not necessarily inelegant.

> - I believe that so far we've had a one-to-one mapping between
> directives and resources (with this exception of default-src), but this
> would change in this model. Perhaps this is okay, but it also is a bit
> of a departure from the status quo.

I wouldn't call default-src an exception, it's fundamental. We also have
the possibility of iframe src being controlled by one of two different
policies (not counting default-src).

> many applications can avoid the whitelist altogether to get around
> the adoption/maintenance difficulties, and serve a policy such as
> "script-src 'nonce-foo' 'strict-dynamic' 'unsafe-inline' https:" where
> the last two entries will be ignored.

That policy does almost nothing to protect a site in a browser that does
not honor 'strict-dynamic'. The only real benefit would be not having to
UA-sniff in order to not offer a CSP policy at all to older browsers.

> Second, if the developer wants to
> maintain a whitelist for older browsers, it's easy to split this into
> two separate CSP policies, where the original one will be unchanged, and
> the new CSP header will only focus on nonce enforcement (same policy as
> above). We have some experience that suggests that even developers
> unfamiliar with CSP can grok this.

Yes, that works. Duplicating most of two entire policies seems more
'inelegant' to me than duplicating a nonce across two directives, but
that's the kind of clarity I was going for.

-Dan Veditz
Received on Friday, 9 September 2016 07:32:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC