crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API]

crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API]

Raised by: Ryan Sleevi
On product: Web Cryptography API

One of the concerns with exposing the Web Crypto API to applications is the possibility for cross-siste scripting. This was particularly raised during the "signed JS" use cases, as it suggests that signed JS may act as a mitigation against an unauthenticated ephemeral XSS being turned into a persistent, authenticated XSS, by means of corrupting script stored in localStorage.

One way to mitigate this would be to specify that, in order to have this API exposed, applications MUST use CSP [1] and MUST specify a script-src [2] directive of 'self' and object-src directive of 'self'. This would prevent any inline script from being added, and would prevent the use of 'eval' to execute script.

While such solutions are not perfect, they can *significantly* reduce the risk of compromise or misuse. On the other hand, this may prevent some use cases, such as those imagined by the signed JS. A compromise might be to define "Anything that requires a key requires CSP", which would simply permit insecure applications from using key-based operations.


Received on Monday, 20 August 2012 14:18:14 UTC