lgtm1
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
A little off topic, but how come the IDL tool did not notify about the missing nonce IDL attribute? Or did it and I just cannot find an issue for it?
Is the scenario here that someone has managed to inject malicious CSS onto the page, but no scripts? And that using CSP itself to plug that hole is not viable?
Are EdgeHTML and WebKit folks at all engaged with CSP, could you poke them for some kind of reaction?
On Tue, Apr 11, 2017 at 11:56 AM, Philip Jägenstedt <foo...@chromium.org> wrote:Is the scenario here that someone has managed to inject malicious CSS onto the page, but no scripts? And that using CSP itself to plug that hole is not viable?Correct. The scenario is a page with a CSP that prevents direct script execution via the usage of cryptographic nonces. An attacker can work their way around this protection by exfiltrating the nonce value via mechanisms like CSS attribute selectors, and then using that captured data in their injection.
Removing the data from areas accessible by things other than script seems like a reasonable approach to mitigating that risk.We also considered just changing CSS attribute selectors to block `nonce` attributes; that seemed wrong from a layering perspective, but also from a security perspective as we'd be changing each API piecemeal to block access to the attribute's data, which seems error-prone. Altering the attribute's behavior seemed like a more robust solution.
Are EdgeHTML and WebKit folks at all engaged with CSP, could you poke them for some kind of reaction?I've pinged folks from many vendors on the GitHub issue without much luck. I'll CC some folks directly here.
On Tue, Apr 11, 2017 at 5:53 PM Mike West <mk...@chromium.org> wrote:On Tue, Apr 11, 2017 at 11:56 AM, Philip Jägenstedt <foo...@chromium.org> wrote:Is the scenario here that someone has managed to inject malicious CSS onto the page, but no scripts? And that using CSP itself to plug that hole is not viable?Correct. The scenario is a page with a CSP that prevents direct script execution via the usage of cryptographic nonces. An attacker can work their way around this protection by exfiltrating the nonce value via mechanisms like CSS attribute selectors, and then using that captured data in their injection.How about using CSP nonce to lock down which stylesheets are loaded as well? Are there practical problems with deploying that, so that it comes very far down the list of priorities?
Removing the data from areas accessible by things other than script seems like a reasonable approach to mitigating that risk.We also considered just changing CSS attribute selectors to block `nonce` attributes; that seemed wrong from a layering perspective, but also from a security perspective as we'd be changing each API piecemeal to block access to the attribute's data, which seems error-prone. Altering the attribute's behavior seemed like a more robust solution.Yes, it does seem more robust.Are EdgeHTML and WebKit folks at all engaged with CSP, could you poke them for some kind of reaction?I've pinged folks from many vendors on the GitHub issue without much luck. I'll CC some folks directly here.Thanks, I didn't look at the issue. If we don't hear anything there or here within a few days, let's leave it at that.
On Tue, Apr 11, 2017 at 1:58 PM, Philip Jägenstedt <foo...@chromium.org> wrote:On Tue, Apr 11, 2017 at 5:53 PM Mike West <mk...@chromium.org> wrote:On Tue, Apr 11, 2017 at 11:56 AM, Philip Jägenstedt <foo...@chromium.org> wrote:Is the scenario here that someone has managed to inject malicious CSS onto the page, but no scripts? And that using CSP itself to plug that hole is not viable?Correct. The scenario is a page with a CSP that prevents direct script execution via the usage of cryptographic nonces. An attacker can work their way around this protection by exfiltrating the nonce value via mechanisms like CSS attribute selectors, and then using that captured data in their injection.How about using CSP nonce to lock down which stylesheets are loaded as well? Are there practical problems with deploying that, so that it comes very far down the list of priorities?Talk to aaj@ (CC'd!), who assures me that this is super-difficult because of inlined style attributes, and makes deployment inside Google impossible in the near term.
Removing the data from areas accessible by things other than script seems like a reasonable approach to mitigating that risk.We also considered just changing CSS attribute selectors to block `nonce` attributes; that seemed wrong from a layering perspective, but also from a security perspective as we'd be changing each API piecemeal to block access to the attribute's data, which seems error-prone. Altering the attribute's behavior seemed like a more robust solution.Yes, it does seem more robust.Are EdgeHTML and WebKit folks at all engaged with CSP, could you poke them for some kind of reaction?I've pinged folks from many vendors on the GitHub issue without much luck. I'll CC some folks directly here.Thanks, I didn't look at the issue. If we don't hear anything there or here within a few days, let's leave it at that.Perhaps this thread will kickstart that conversation! *shrug* I'm not excited about waiting too much longer. :)
On Tue, Apr 11, 2017 at 7:12 PM Mike West <mk...@chromium.org> wrote:On Tue, Apr 11, 2017 at 1:58 PM, Philip Jägenstedt <foo...@chromium.org> wrote:On Tue, Apr 11, 2017 at 5:53 PM Mike West <mk...@chromium.org> wrote:On Tue, Apr 11, 2017 at 11:56 AM, Philip Jägenstedt <foo...@chromium.org> wrote:Is the scenario here that someone has managed to inject malicious CSS onto the page, but no scripts? And that using CSP itself to plug that hole is not viable?Correct. The scenario is a page with a CSP that prevents direct script execution via the usage of cryptographic nonces. An attacker can work their way around this protection by exfiltrating the nonce value via mechanisms like CSS attribute selectors, and then using that captured data in their injection.How about using CSP nonce to lock down which stylesheets are loaded as well? Are there practical problems with deploying that, so that it comes very far down the list of priorities?Talk to aaj@ (CC'd!), who assures me that this is super-difficult because of inlined style attributes, and makes deployment inside Google impossible in the near term.Ah, so it's more difficult to get rid of all inline style than getting all scripts separated out. That makes sense.
On Tue, Apr 11, 2017 at 2:31 PM, Philip Jägenstedt <foo...@chromium.org> wrote:On Tue, Apr 11, 2017 at 7:12 PM Mike West <mk...@chromium.org> wrote:On Tue, Apr 11, 2017 at 1:58 PM, Philip Jägenstedt <foo...@chromium.org> wrote:On Tue, Apr 11, 2017 at 5:53 PM Mike West <mk...@chromium.org> wrote:On Tue, Apr 11, 2017 at 11:56 AM, Philip Jägenstedt <foo...@chromium.org> wrote:Is the scenario here that someone has managed to inject malicious CSS onto the page, but no scripts? And that using CSP itself to plug that hole is not viable?Correct. The scenario is a page with a CSP that prevents direct script execution via the usage of cryptographic nonces. An attacker can work their way around this protection by exfiltrating the nonce value via mechanisms like CSS attribute selectors, and then using that captured data in their injection.How about using CSP nonce to lock down which stylesheets are loaded as well? Are there practical problems with deploying that, so that it comes very far down the list of priorities?Talk to aaj@ (CC'd!), who assures me that this is super-difficult because of inlined style attributes, and makes deployment inside Google impossible in the near term.Ah, so it's more difficult to get rid of all inline style than getting all scripts separated out. That makes sense.Yes, this is the main practical problem. In many applications it's relatively easy to police inline scripts because of general code health reasons (e.g. at Google most JS has to be compiled); however, there are few such restrictions on inline styles so they proliferate and are harder to completely remove. Overall it is at least theoretically possible to use CSP to lock down sources of stylesheets and protect against nonce exfiltration with CSS, but it would add a lot of burden for developers and introduce a dependency on style-src in order for script-src to be effective, which would likely be fairly confusing.
Of course, Element vs. HTMLElement+SVGElement always feels a bit academic, because almost all instances of Element are HTML or SVG.
From reading https://github.com/whatwg/html/pull/2373, it sounds like discussion is still ongoing to some extent. I think it would be best to make changes only after consensus on the exact form of the change, including details like whether things are on the Element object (Boris objected quite strongly three messages ago in this thread, has that been resolved?)
and that other browsers would adopt whatever the consensus is.
On Thu, May 18, 2017 at 6:14 PM, Chris Harrelson <chri...@chromium.org> wrote:From reading https://github.com/whatwg/html/pull/2373, it sounds like discussion is still ongoing to some extent. I think it would be best to make changes only after consensus on the exact form of the change, including details like whether things are on the Element object (Boris objected quite strongly three messages ago in this thread, has that been resolved?)After a bit more back-and-forth last week, I think Boris and I have more or less agreed on the shape of the change to HTML. I have an updated patch outstanding, and though I'm sure I've gotten some details wrong, I think the final area of concern that we were discussing was the `DOMAttrModified` mutation event that Chrome doesn't implement. In short:
1. We add a `nonce` IDL attribute and corresponding internal slot to both `HTMLElement` and `SVGElement` (by having both implement a `NoncedElement` interface).
2. When a `nonce` content attribute is set (e.g. via `setAttribute`), we update the internal slot with its value.
3. When a `NoncedElement` is inserted into a document that had a CSP delivered via an HTTP header (but not a `<meta>` tag), we clear its `nonce` content attribute while leaving the internal slot intact.
This yields the behavior visible in the tentative tests upstreamed to https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding (and implemented in Canary behind a flag).and that other browsers would adopt whatever the consensus is.Can we weaken this requirement to "other browsers would not fundamentally object to the approach"? :)
I'll ping some folks directly in the hopes of getting feedback, but I believe that the approach bz and I are converging on is narrow-enough to substantially lower the compatibility risk. IMO, the possibility that we'll need to shift our implementation in minor ways order to increase interop at some point in the future is pretty clearly outweighed by the benefits of cutting off a class of side-channel attack on the `nonce` attribute today.
---mike
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DeB0MtnUmf79xBzOWSvnn1fyb-Cx7WnG7wJf%3DaS2sBagw%40mail.gmail.com.
---mike
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAKXHy%3DeB0MtnUmf79xBzOWSvnn1fyb-Cx7WnG7wJf%3DaS2sBagw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-56-PBT5aVJp4Y2efRzUMg%3DPzAM4LysoRhW0iLSC6NLQ%40mail.gmail.com.