Content Security Policy for Gaia Apps

(CCing dev-security for added security input, but please reply to 
dev-gaia@lists.mozilla.org)

As part of the Open Web App Security Model 
(https://wiki.mozilla.org/Apps/Security), a strict content security 
policy is proposed for Certified applications. It is expected that all 
Gaia apps will fall into the certified category, and as such I wanted to 
raise this requirement for discussion, as there are significant 
implications which have not really been explored as yet.

Proposal
=========================
The proposed requirement is that all certified apps have a strict CSP 
(default-src 'self') which allows loading of resources from same-origin 
only. I had a skim over the Gaia apps and the key impacts I see are:

* For <script> tags, this means that all script must be contained in 
files loaded from the same origin. This is generally already the case 
for most Gaia apps, but there are a few inline script tags in some apps 
(e.g.  
https://github.com/mozilla-b2g/gaia/blob/master/apps/homescreen/index.html#L8 
- though this looks like a fix until the webapi.js is in the browser 
itself?)

* Inline event handlers (onclick, onmessage, etc.) are also disabled by 
this CSP. From a quick skim, only the dialer uses these, so it will need 
to be modified to use addEventListener instead.

* data URIs are blocked. Again these aren't really used much but there 
are a few examples (e.g. 
https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/windows/window_manager.js#L380)

Why are we proposing to enforce this?
=========================
The main control provided by this feature is a mitigation of a class of 
cross-site scripting attacks. Also, certified apps' code is verified 
through our secure development processes, and we trust this code is 
(relatively) free of security vulnerabilities. Allowing Apps to load 
potentially insecure code dynamically that has access to the same 
elevated permissions would break this model.

Thoughts, comments, suggestions?

-Paul
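As an added example (not code from the original post or from the Gaia project), a small Node.js lint that flags the three constructs the proposed `default-src 'self'` policy would block: inline `<script>` bodies, inline `on*` event handlers, and data: URIs used as resource sources. The sample HTML and JS strings are constructed for the demo.

```javascript
// Regex-based review aid for the three impacts listed in the post; it is a
// heuristic, not an HTML parser, so treat its output as a starting point.

// <script> tag without a src attribute; group 1 is the inline body.
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
// Any tag carrying an on* attribute (onclick, onmessage, ...). A non-handler
// attribute whose name starts with "on" would also match.
const INLINE_HANDLER = /<[a-z][^>]*?\s(on[a-z]+)\s*=/gi;
// A data: URI opening a quoted string or a CSS url(...), in HTML or JS.
const DATA_URI = /["'(]\s*data:[a-z]+\//gi;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns one finding per blocked construct: { kind, line, detail }.
function lintForStrictCsp(source) {
  const findings = [];
  for (const m of source.matchAll(INLINE_SCRIPT)) {
    const body = m[1].trim();
    if (body) findings.push({ kind: 'inline-script', line: lineOf(source, m.index), detail: body.slice(0, 40) });
  }
  for (const m of source.matchAll(INLINE_HANDLER)) {
    findings.push({ kind: 'inline-handler', line: lineOf(source, m.index), detail: m[1].toLowerCase() });
  }
  for (const m of source.matchAll(DATA_URI)) {
    findings.push({ kind: 'data-uri', line: lineOf(source, m.index), detail: m[0] });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page modelled on the impacts listed in the post.
const SAMPLE_HTML = [
  '<html><head>',
  '<script src="js/app.js"></script>',       // allowed: same-origin file
  '<script>window.alert("hi");</script>',    // blocked: inline script
  '</head><body>',
  '<button onclick="dial()">Call</button>',  // blocked: inline handler
  '<img src="data:image/png;base64,AAAA">',  // blocked: data: URI
  '</body></html>',
].join('\n');

// Constructed JS sample: a data: URI assigned as an iframe source.
const SAMPLE_JS = "var frame = document.createElement('iframe');\n" +
  "frame.src = 'data:text/html,<h1>splash</h1>';\n";

for (const f of lintForStrictCsp(SAMPLE_HTML).concat(lintForStrictCsp(SAMPLE_JS))) {
  console.log(`line ${f.line}: ${f.kind} (${f.detail})`);
}
```

Each finding maps directly to a fix the post already names: move the script body into a same-origin file, replace the handler attribute with addEventListener, and serve the resource from the app package instead of a data: URI.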

Paul
6/6/2012 8:23:22 AM
mozilla.dev.gaia