ISSUE-21: Requiring Content-Security-Policy

State:
CLOSED
Product:
security framework for Web Crypto API
Raised by:
Ryan Sleevi
Opened on:
2012-08-20
Description:
One of the concerns with exposing the Web Crypto API to applications is the possibility for cross-site scripting. This was particularly raised during the "signed JS" use cases, as it suggests that signed JS may act as a mitigation against an unauthenticated ephemeral XSS being turned into a persistent, authenticated XSS, by means of corrupting script stored in localStorage.

One way to mitigate this would be to specify that, in order to have this API exposed, applications MUST use CSP [1] and MUST specify a script-src [2] directive of 'self' and object-src directive of 'self'. This would prevent any inline script from being added, and would prevent the use of 'eval' to execute script.

While such solutions are not perfect, they can *significantly* reduce the risk of compromise or misuse. On the other hand, this may prevent some use cases, such as those imagined by the signed JS. A compromise might be to define "Anything that requires a key requires CSP", which would simply permit insecure applications from using key-based operations.

[1] http://www.w3.org/TR/CSP/
[2] http://www.w3.org/TR/CSP/#script-src
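The policy sketched in the description ("script-src 'self'" and "object-src 'self'", which rules out inline script and eval) can be checked mechanically. The following is an added example, not part of the tracker issue or of any Web Crypto implementation: a small Content-Security-Policy parser plus a checker that reports whether a header value meets that requirement. The policy strings it tests against are constructed for illustration; the checker applies the CSP rule that the first occurrence of a directive wins and that script-src/object-src fall back to default-src when absent.

```javascript
// Added example (not from the W3C tracker page): parse a CSP header value
// and check it against the ISSUE-21 proposal: script-src and object-src must
// be restricted to 'self' (or 'none'), with no 'unsafe-inline'/'unsafe-eval'.

// Parse "directive src src; directive src" into a Map of directive -> sources.
// Per CSP, a directive name is case-insensitive and only its first occurrence
// in a policy is honoured; later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Evaluate a header value against the ISSUE-21 requirement.
// Returns { ok, problems } where problems is a list of human-readable findings.
function checkIssue21Policy(header) {
  const policy = parseCsp(header);
  const problems = [];
  for (const directive of ['script-src', 'object-src']) {
    // script-src and object-src fall back to default-src when not specified.
    let sources = policy.get(directive);
    if (sources === undefined) sources = policy.get('default-src');
    if (sources === undefined) {
      problems.push(`${directive}: missing (and no default-src fallback)`);
      continue;
    }
    for (const source of sources.map((s) => s.toLowerCase())) {
      if (source === "'unsafe-inline'" || source === "'unsafe-eval'") {
        problems.push(`${directive}: allows ${source}`);
      } else if (source !== "'self'" && source !== "'none'") {
        // Any host, scheme or wildcard source widens the policy beyond 'self'.
        problems.push(`${directive}: allows source ${source}, not 'self'`);
      }
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample policies (not taken from any real deployment).
const STRICT_POLICY = "default-src 'none'; script-src 'self'; object-src 'self'";
const WEAK_POLICY = "script-src 'self' 'unsafe-inline' https://cdn.example; object-src *";
const FALLBACK_POLICY = "default-src 'self'";

for (const p of [STRICT_POLICY, WEAK_POLICY, FALLBACK_POLICY, '']) {
  const result = checkIssue21Policy(p);
  console.log(JSON.stringify(p), '->', result.ok ? 'OK' : result.problems.join('; '));
}
```

A check like this is only as good as the header the browser actually receives, so it belongs where the response is produced (a server-side test or a CI lint over the configured header), not in page script, which a successful XSS could already bypass.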
Related Action Items:
Related emails:
  1. Re: WebCrypto Security Analysis (from sleevi@google.com on 2014-03-20)
  2. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from ddahl@mozilla.com on 2012-09-04)
  3. RE: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from Vijay.Bharadwaj@microsoft.com on 2012-09-04)
  4. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from sleevi@google.com on 2012-08-31)
  5. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from sleevi@google.com on 2012-08-31)
  6. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from zooko@leastauthority.com on 2012-08-27)
  7. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from ddahl@mozilla.com on 2012-08-27)
  8. W3C Web Crypto WG - agenda for 27th of august call - today (from Virginie.GALINDO@gemalto.com on 2012-08-27)
  9. RE: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from Vijay.Bharadwaj@microsoft.com on 2012-08-27)
  10. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from sleevi@google.com on 2012-08-23)
  11. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from wtc@google.com on 2012-08-23)
  12. [W3C Web Crypto WG] functional features list in draft API and issue tracker (from Virginie.GALINDO@gemalto.com on 2012-08-22)
  13. Re: [W3C Web Crypto WG] functional features list in draft API and issue tracker (from sleevi@google.com on 2012-08-21)
  14. [W3C Web Crypto WG] functional features list in draft API and issue tracker (from Virginie.GALINDO@gemalto.com on 2012-08-21)
  15. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from ddahl@mozilla.com on 2012-08-20)
  16. Re: crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from sleevi@google.com on 2012-08-20)
  17. crypto-ISSUE-21: Requiring Content-Security-Policy [Web Cryptography API] (from sysbot+tracker@w3.org on 2012-08-20)

Related notes:

No additional notes.
