Re: [CSP] ‘unsafe-hashed-attributes’, ‘unsafe-inline-attributes’ and CSP directive versioning

Hi Andy,

You mention "Google has ~30 thousand instances"... do you know the average number of unique attributes per page?

I've seen some pages where there are hundreds of inline styles and JS attributes.

Which means that the size of the CSP header could become quite large (e.g. ~28KB for 300 attributes, each one needing 95+1 characters for a base64 encoded sha256 hash).

And when using an "automated solution" to set a CSP for those pages... I assume you would have something that looks at the static HTML as it's requested, then builds a CSP based on the attributes it finds in that HTML file? i.e. you're going on the basis that the static HTML file hasn't been tampered with (which might be a fair assumption to make).

Craig

> On 5 Apr 2018, at 13:50, Andy Paicu <andypaicu@chromium.org> wrote:
> 
> Hello folks at webappsec,
> 
> The CSP 'unsafe-hashed-attributes' keyword proposal has traditionally had quite a bit of controversy and discussion and I would like to try to channel all of these discussions and opinions towards some end decision of some sort.
> 
> 'unsafe-inline-attribute' has also had some discussion and has recently resurfaced in light of some CSS-based keylogger attacks. Seeing that it is quite similar to 'unsafe-hashed-attributes' I think they're worth discussing together.
> 
> CSP directive versioning follows logically from the two above so I have also bundled it up in the explainer below:
> 
> https://docs.google.com/document/d/1_nYS4gWYO2Oh8rYDyPglXIKNsgCRVhmjHqWlTAHst7c/edit?usp=sharing
> 
> I would like to hear all of your thoughts and opinions on this as I believe there is real benefit in adding these features.
> 
> Regards,
> Andy Paicu
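The "automated solution" Craig sketches (scan the static HTML, hash each inline handler and style attribute, emit the policy), as an added example that is not part of this thread or of the proposal. It uses the 'unsafe-hashed-attributes' keyword as spelled in the proposal above, a constructed sample page, and Python's standard-library HTML parser, and it reports unique attribute counts and the resulting header length so the per-page cost can be measured.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (not from the thread): a few inline handlers and
# styles, with one duplicate value to show that hashing de-duplicates them.
SAMPLE_HTML = """
<button onclick="doSave()" style="color:red">Save</button>
<button onclick="doSave()" style="color:blue">Save again</button>
<div style="color:red">Note</div>
<a href="/x" onmouseover="track('x')">link</a>
"""

KEYWORD = "'unsafe-hashed-attributes'"  # spelling used in the proposal quoted above


class AttrCollector(HTMLParser):
    """Collect unique values of inline event-handler (on*) and style attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = set()  # unique on* handler bodies
        self.styles = set()   # unique style attribute bodies

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands back the entity-decoded value, which is the text
        # a CSP hash for the attribute has to be computed over.
        for name, value in attrs:
            if value is None:
                continue
            if name.startswith("on"):
                self.scripts.add(value)
            elif name == "style":
                self.styles.add(value)


def csp_hash(source: str) -> str:
    """CSP hash-source for an attribute value: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def unique_attribute_counts(html: str) -> tuple:
    """(unique handler values, unique style values) found in the static HTML."""
    p = AttrCollector()
    p.feed(html)
    return len(p.scripts), len(p.styles)


def build_csp(html: str) -> str:
    """Policy whose script-src/style-src hashes cover every attribute in html."""
    p = AttrCollector()
    p.feed(html)
    script_src = ["'self'", KEYWORD] + sorted(csp_hash(s) for s in p.scripts)
    style_src = ["'self'", KEYWORD] + sorted(csp_hash(s) for s in p.styles)
    return "script-src " + " ".join(script_src) + "; style-src " + " ".join(style_src)


def header_bytes_for(unique_attributes: int) -> int:
    """Bytes that N unique hash-sources add to the header (one token plus a space each)."""
    return unique_attributes * (len(csp_hash("")) + 1)
```

Running `build_csp(SAMPLE_HTML)` yields a policy with two script hashes and two style hashes; `header_bytes_for(300)` gives the header growth for a page with 300 unique attributes.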

Received on Thursday, 5 April 2018 14:24:57 UTC