- From: Mike West <mkwst@google.com>
- Date: Thu, 9 Jan 2020 09:25:31 +0100
- To: Craig Francis <craig.francis@gmail.com>, Brad Hill <hillbrad@fb.com>, Devdatta Akhawe <dev@dropbox.com>, Patrick Toomey <patrick.toomey@github.com>, Artur Janc <aaj@google.com>, Lukas Weichselbaum <lwe@google.com>
- Cc: Web Application Security Working Group <public-webappsec@w3.org>
- Message-ID: <CAKXHy=eiXH46DqTL4=oS2VEzjbP6x1JX=M=cRZFswYUo=tCwTw@mail.gmail.com>
(Forking the thread for clarity)

My impression is that CSP is actually not a great fit for developers' actual confinement needs. It's fairly awkward to set up reasonable policies, it's flexible in places it doesn't need to be, and inflexible in places that would be convenient. If we're stepping back and reevaluating, I think it's worth thinking about what a more idealized confinement policy would look like. We may indeed decide that CSP is Good Enough, but I'd like to get some developers to weigh in before landing on that decision.

That said, I know the sketch I put up at https://github.com/mikewest/csp-next#resource-confinement isn't what we want to end up with. Perhaps we could get some folks who use policies that aim at something beyond script injection to weigh in on their requirements (I'm thinking of folks like +Brad Hill <hillbrad@fb.com> at Facebook, +Devdatta Akhawe <dev@dropbox.com> at Dropbox, +Patrick Toomey <patrick.toomey@github.com> at GitHub, +Artur Janc <aaj@google.com>/+Lukas Weichselbaum <lwe@google.com> at Google)?

-mike

On Wed, Jan 8, 2020 at 4:59 PM Craig Francis <craig.francis@gmail.com> wrote:

> Thanks Mike,
>
> Scripting-Policy does look like a simpler process for developers to mitigate the most common XSS issues (and Trusted Types can hopefully help the next set).
>
> As to confinement, I think CSP does this pretty well already.
>
> So I'd like to keep CSP as it is, although you could deprecate some parts (e.g. the hash/nonce options).
>
> Then CSP can focus on limiting where resources can be loaded from, which is good for ensuring developers put things in the right place, but it's also an extra set of restrictions if an attacker does find a way to run their evil code (be that JS, malformed HTML, etc).
>
> Craig
>
>
> On Wed, 8 Jan 2020 at 10:18, Mike West <mkwst@google.com> wrote:
>
>> Hey folks,
>>
>> At TPAC last year, we discussed <https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#csp> the CSP Next proposal <https://github.com/mikewest/csp-next> in a little bit of detail. It seemed like there was general approval of the vague contours of the idea, so I took some time to sketch it out in a little more detail. I'd appreciate feedback (directional and detail!) on https://mikewest.github.io/csp-next/scripting-policy.html.
>>
>> This addresses the XSS mitigation portion of CSP. It doesn't touch the confinement portions of CSP discussed in https://github.com/mikewest/csp-next/#resource-confinement. I'm quite a bit less clear on what that would actually need to look like. If y'all have ideas (especially those rooted in actual experience deploying confinement-oriented policies), I'd love to hear about them.
>>
>> Thanks!
>>
>> -mike
Received on Thursday, 9 January 2020 08:25:46 UTC
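The split the thread draws between the XSS-mitigation part of CSP (nonces/hashes, what Scripting-Policy targets) and the resource-confinement part (source allowlists, what Craig wants CSP to keep doing) is easier to see with the two policy shapes side by side. The headers below are an added illustration in current CSP3 syntax, not text from the thread and not the csp-next proposal's own syntax (which lives at the URLs above and is not reproduced here); the hostnames and the nonce value are placeholders.

```http
# Added example, not part of the thread. Two CSP shapes in CSP3 syntax.

# 1. Script-injection mitigation (the portion Scripting-Policy aims to replace).
#    A script runs only if it carries this response's nonce, or is inserted by
#    such a script ('strict-dynamic'); where it is hosted does not matter.
#    The nonce must be freshly random per response; the value here is a placeholder.
Content-Security-Policy: script-src 'nonce-r4nd0mB4se64' 'strict-dynamic'; object-src 'none'; base-uri 'none'

# 2. Resource confinement (the portion Craig would keep). No nonces or hashes;
#    each fetch type is limited to an origin allowlist, so injected markup that
#    is not script (an <img> leaking data via its src, a <form> posting to an
#    attacker host, a fetch() to an unlisted origin) is blocked however it
#    reached the page.
Content-Security-Policy: default-src 'none'; script-src 'self' https://static.example; img-src 'self' https://img.example; connect-src https://api.example; form-action 'self'; frame-ancestors 'none'
```

In deployed policies the two are usually merged into one header, which is where the awkwardness Mike mentions shows up: in a CSP3 browser, once 'strict-dynamic' is present in script-src, host and scheme sources in that same directive are ignored, so the confinement half of the policy applies to every resource type except the one the nonce governs. Keep that interaction in mind when reading a combined policy; the rest of the allowlist directives (img-src, connect-src, form-action, and so on) are unaffected.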