- From: Pete Freitag <pete@foundeo.com>
- Date: Tue, 17 Dec 2013 17:02:57 -0500
- To: Garrett Robinson <grobinson@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAADZ8V7957fFs5teXHgyeG5czp9U8QMyFj-sTRBrYwYK_-f99g@mail.gmail.com>
I was thinking just the script would be hashed, eg: "breakEverything()"

On Tue, Dec 17, 2013 at 4:50 PM, Garrett Robinson <grobinson@mozilla.com> wrote:

> On 12/16/2013 10:28 AM, Pete Freitag wrote:
> > On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com
> > <mailto:dionyziz@gmail.com>> wrote:
> >
> > > The current spec is explicit about allowing nonces and hashes for only
> > > inline script use
> >
> > The current spec mentions hashes and nonce in the style-src section, but
> > in the Valid Hashes section,
> > https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes
> > it only mentions script. I would expect them to work in style-src as
> > well as script-src. Does the valid-hashes section need to be updated, or
> > is the style-src section wrong?
>
> That's an accidental omission. Hashes can be used to whitelist *inline*
> scripts *and* styles.
>
> > Also wouldn't it be possible in theory to solve Dev's problem by
> > allowing hashes of inline event handlers? This could also potentially
> > help ease adoption in legacy applications. I don't know what kind of
> > challenges that would present for the browser vendors to implement,
> > obviously not anything I would want holding up CSP1.1.
>
> Could you be more specific? I'm pretty sure Dev is referring to
> something akin to
>
> <button onclick="breakEverything()">Save</button>
>
> Are you suggesting that we hash the contents of <button>? It seems like
> we need to whitelist the *executable* content, not content associated
> with executable content, to get security. Otherwise, an attacker could do
>
> <button onclick="doSomethingEvil()">Save</button>
>
> and get it to run.
>
> Maybe we could do something like we do with setTimeout, where if the
> contents of the event handler is just one function then we let it run?
> But IMHO that is way over-complicated.
>
> -Garrett
>
> > --
> > Pete Freitag
> > http://foundeo.com
> > http://content-security-policy.com/ - CSP Quick Reference
Received on Tuesday, 17 December 2013 22:03:45 UTC