- From: Artur Janc <aaj@google.com>
- Date: Fri, 20 Mar 2020 12:41:54 +0100
- To: Kevin Gibbons <kevin@shapesecurity.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAPYVjqpVNdoVur0mG7_39OD6iQS9m09d0Ymf60-EfN22tkJs0g@mail.gmail.com>
Thanks for filing this issue -- the GH repo is still the right place for such discussions (despite not being very active recently). I replied on the bug.

On Fri, Mar 20, 2020 at 12:18 AM Kevin Gibbons <kevin@shapesecurity.com> wrote:

> (I've copied this from the github repository, which appears to be totally
> unmaintained. You can read it there with formatting:
> https://github.com/w3c/webappsec-csp/issues/426 )
>
> For example, if I have
>
> <script nonce="asdf">
> x = document.createElement('script');
> x.textContent = 'console.log(0)';
> document.head.appendChild(x);
> </script>
>
> on a page with a CSP of `script-src 'strict-dynamic' 'nonce-asdf'`, does
> it log 0 or not?
>
> As best I can tell, the CSP spec says no. In particular,
>
> - The inserted script lacks a src attribute, so step 15 of HTML's prepare
>   a script governs, which calls
> - Should element’s inline type behavior be blocked by Content Security
>   Policy? with type "script", which in step 3.1.1 calls
> - the inline check for script-src, which in step 4 calls
> - Does element match source list for type and source?, which
>   - fails to permit the script via allowing all inline behavior for type
>     "script"
>   - fails to permit the script via a nonce-source expression, because
>     element does not have a nonce attribute,
>   - fails to permit the script via a hash-source expression, because there
>     are none, and therefore
>   - fails to permit the script at all.
>
> (Does element match source list for type and source? makes no mention of
> strict-dynamic except to turn off unsafe-inline.)
>
> But Firefox and Chrome both allow it. (Safari does not support
> strict-dynamic at all.)
>
> The section on the usage of strict-dynamic is not helpful; it says that
> "Script requests which are triggered by non-"parser-inserted" script
> elements are allowed", which implies it only applies to external scripts,
> but also says "scripts created at runtime will be allowed to execute",
> which implies it would apply to inline ones as well.
Received on Friday, 20 March 2020 11:42:24 UTC