Content Security Policy discussion (link)

Hi All,

Some discussion about CSP has recently popped up on the mozilla wiki:
https://wiki.mozilla.org/Talk:Security/CSP/Spec

I'm posting the link here in case anyone interested hasn't seen it yet.
Comments are welcomed (both here and there).

Cheers,
Sid
0
Sid
6/26/2009 4:44:45 PM

Sid Stamm wrote on 6/26/2009 11:44 AM: 
> Some discussion about CSP has recently popped up on the mozilla wiki:
> https://wiki.mozilla.org/Talk:Security/CSP/Spec
> 
> I'm posting the link here in case anyone interested hasn't seen it yet.
>  Comments are welcomed (both here and there).

It's been brought up this morning on the WASC Web Security list too:

	http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html


- Bil

0
Bil
6/26/2009 9:42:01 PM
On 26/06/09 22:42, Bil Corry wrote:
> It's been brought up this morning on the WASC Web Security list too:
>
> 	http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html

The linked blogpost suggests using the page itself as an E4X document to 
bypass the restrictions. Dead clever :-) Should we say that CSP also 
requires the external JS files to be served with the right Content Type? 
(application/javascript)? That would reduce the possibility of the 
attacker using random content they've managed to create on the remote 
server as a script file.

Gerv
0
Gervase
6/29/2009 10:02:36 AM
Gervase Markham wrote:
> On 26/06/09 22:42, Bil Corry wrote:
>>     http://www.webappsec.org/lists/websecurity/archive/2009-06/msg00086.html
> 
> The linked blogpost suggests using the page itself as an E4X document to
> bypass the restrictions. Dead clever :-) Should we say that CSP also
> requires the external JS files to be served with the right Content Type?
> (application/javascript)? That would reduce the possibility of the
> attacker using random content they've managed to create on the remote
> server as a script file.
> 
> Gerv

That is clever.  Yes, I think you're right that we should enforce a
valid MIME type for the external script files.  We probably also want to
whitelist application/json for sites utilizing JSON feeds.

-Brandon
0
Brandon
6/29/2009 5:02:26 PM
On 6/29/09 10:02 AM, Brandon Sterne wrote:
> Gervase Markham wrote:
>> The linked blogpost suggests using the page itself as an E4X document to
>> bypass the restrictions. Dead clever :-) Should we say that CSP also
>> requires the external JS files to be served with the right Content Type?
>> (application/javascript)? That would reduce the possibility of the
>> attacker using random content they've managed to create on the remote
>> server as a script file.
>
> That is clever.  Yes, I think you're right that we should enforce a
> valid MIME type for the external script files.  We probably also want to
> whitelist application/json for sites utilizing JSON feeds.

I agree that enforcing the types is a good idea.  This is something we 
should probably do in general (not just for CSP) as a form of sanity 
check.

With regards to the nifty E4X self-referential attack... not only is the 
MIME type different than 'text/javascript', but I think referencing the 
body of the current document as the "src" of a script should be 
considered /inline script/, and thus disallowed by the "no inline 
scripts" CSP base restriction.  If for some reason CSP supported this, I 
would consider it a bug.

The code is not in an external file and mixed content (JS + HTML) is 
dangerous... pretty much exactly what CSP is trying to separate.  The 
spec currently states "Script in files loaded from white-listed sources" 
is allowed[0], and technically while this script is in a white-listed 
source (the base HTML document), it's also an inline script.  I think we 
should change the allowed script statement from "Script in files loaded 
from white-listed sources" to "Script /imported/ from /external/ files 
hosted by white-listed sources".  This makes more explicit that CSP 
requires scripts to be separated from the data in the base HTML page.

-Sid

[0] https://wiki.mozilla.org/Security/CSP/Spec#No_inline_scripts_will_execute
0
Sid
6/29/2009 5:26:11 PM
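The three checks the thread converges on (white-listed source, a script Content-Type on the response, and the self-referencing document treated as inline script) modelled as one load decision. This is an added example, not code from the thread or from the CSP implementation; the policy object shape and the function names are assumptions for illustration.

```javascript
// Added example: a model of the external-script load decision discussed
// in the thread. Policy format and function names are hypothetical.

// Content-Types accepted for a script response: the two common JavaScript
// types plus application/json, as Brandon suggested for JSON feeds.
const SCRIPT_TYPES = new Set([
  "application/javascript",
  "text/javascript",
  "application/json",
]);

// Reduce "application/javascript; charset=utf-8" to the bare media type.
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Strip the fragment so "page.html#x" still counts as the same document.
function withoutFragment(url) {
  return url.href.split("#")[0];
}

// policy: { scriptSrc: ["https://www.example.com", ...] } (white-listed origins)
// Returns { allowed: boolean, reason: string }.
function decideScriptLoad(policy, documentUrl, scriptUrl, contentType) {
  const docUrl = new URL(documentUrl);
  const srcUrl = new URL(scriptUrl, documentUrl); // resolves relative src

  // 1. Sid's point: a script whose src is the current document is inline
  //    script and falls under the "no inline scripts" base restriction,
  //    even though the document's own origin is in the white-list.
  if (withoutFragment(srcUrl) === withoutFragment(docUrl)) {
    return { allowed: false, reason: "self-reference treated as inline script" };
  }
  // 2. The script's origin must be white-listed.
  if (!policy.scriptSrc.includes(srcUrl.origin)) {
    return { allowed: false, reason: "origin not in script-src white-list" };
  }
  // 3. Gerv's proposal: the response must carry a script Content-Type, so
  //    arbitrary content an attacker placed on a white-listed host (or the
  //    same page fetched with a different query string, served as text/html)
  //    is not executed as script.
  const type = mediaType(contentType);
  if (!SCRIPT_TYPES.has(type)) {
    return { allowed: false, reason: `unexpected Content-Type ${type || "(none)"}` };
  }
  return { allowed: true, reason: "white-listed origin with script Content-Type" };
}

// Constructed sample policy and document for a demonstration run.
const policy = { scriptSrc: ["https://www.example.com", "https://static.example.com"] };
const DOC = "https://www.example.com/page.html";
```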
On 29/06/09 18:02, Brandon Sterne wrote:
> That is clever.  Yes, I think you're right that we should enforce a
> valid MIME type for the external script files.  We probably also want to
> whitelist application/json for sites utilizing JSON feeds.

It does make you think, what other brokennesses can we fix along the way 
while sites are opting in to this new model? Can we, for example, 
enforce the correct MIME types for images too, and throw away all that 
horrible sniffing[0]? How about feeds? ;-)

Gerv

[0] http://tools.ietf.org/html/draft-abarth-mime-sniff-00
0
Gervase
6/29/2009 6:39:31 PM
After reading the specs, it is clear that the main aim is to prevent
executable code within HTML files.  I do agree that CSP enables web
developers to create more secure websites. In my view there is one
problem:

How is CSP going to prevent lousy web developers from including all their
dynamic content in Javascript files? I see a risk that web developers
create empty HTML files and include all the content in generated
javascript files. (maybe future versions of web-frameworks will
support CSP like this??). In this situation CSP has more or less shifted
the problem from *.html to *.js files.

Should we consider this situation? Or should we just ignore web
developers that do not understand the web standards?
To prevent this we should have some requirements about the static
nature of the js files. One mechanism that might implement this is
adding requirements for static js files by requiring code-signed
javascript files (is this possible at the moment?
http://www.mozilla.org/projects/security/components/signed-scripts.html
describes signed scripts, however it requires the creation of a
*.jar). In such a situation code signed javascript should be signed by
an offline key.
0
pceelen
7/1/2009 6:17:04 AM
pceelen wrote:
> To prevent this we should have some requirements about the static
> nature of the js files. One mechanism that might implement this is
> adding requirements for static js files by requiring code-signed
> javascript files (is this possible at the moment?
> http://www.mozilla.org/projects/security/components/signed-scripts.html
> describes signed scripts, however it requires the creation of a
> *.jar). In such a situation code signed javascript should be signed by
> an offline key.

There is no cross-browser support for signed javascript. With the
current CSP the site will work perfectly well in browsers that don't
support CSP. CSP is already asking site authors to do a lot of work, but
since it works in all browsers sites can transition slowly (such as
writing new content to that standard, leaving old content alone). If CSP
requires separate content for CSP-supporting browsers it will never fly.
0
Daniel
7/6/2009 5:36:12 PM
On Jul 6, 10:36 am, Daniel Veditz <dved...@mozilla.com> wrote:
> There is no cross-browser support for signed javascript. With the
> current CSP the site will work perfectly well in browsers that don't
> support CSP. CSP is already asking site authors to do a lot of work, but
> since it works in all browsers sites can transition slowly (such as
> writing new content to that standard, leaving old content alone). If CSP
> requires separate content for CSP-supporting browsers it will never fly.

I completely agree upon the backwards compatibility arguments, however
my original post was not about signed JS. It was more or less a
suggestion for a solution.
In my original post I tried to address the problem of a shift from XSS
in *.html to XSS in *.js. What if web developers
create empty HTML files and include all the content in generated
javascript files?
 1: Should we consider this situation?
 2: Do you agree with this risk/problem or is it unlikely that it will
happen?
 3: Are there any other technical solutions to prevent/mitigate this
risk?

In the current specs it appears that we are more or less assuming that
js files are more or less static...
0
pceelen
7/7/2009 6:25:28 AM