Tools and documentation for filtering CSP reporting


Joel Weinberger

Feb 17, 2015, 3:20:36 PM
to security-dev, Devdatta Akhawe
Recently, Dev Akhawe told me that, from his perspective, the biggest barrier to adoption of CSP is how much cruft comes through with reporting turned on. At Dropbox, he has to do extensive filtering to get out all the false positives to make any substantial use of CSP (because of extensions and similar things violating the page's policy). He suggested that Chrome should make some documentation or at least recommendations on how to do filtering properly.

Is there anyone out there with any experience with this kind of filtering that might be able to take the lead on this? I, frankly, wouldn't even know where to begin, but I'm definitely sympathetic to the problem.
--Joel

phil...@google.com

Feb 17, 2015, 3:28:38 PM
to securi...@chromium.org, akh...@dropbox.com
There was a presentation at THREADS 2014 which might have some useful information to incorporate in any such guidance:

https://vimeo.com/album/3063779/video/114392854

Alex Gaynor

Feb 17, 2015, 3:33:35 PM
to phil...@google.com, security-dev, akh...@dropbox.com
We've aggregated some info about how various folks are doing this, including Twitter here: https://github.com/GSA/https/issues/11

Alex

On Tue, Feb 17, 2015 at 3:28 PM, <phil...@google.com> wrote:
There was a presentation at THREADS 2014 which might have some useful information to incorporate in any such guidance:

https://vimeo.com/album/3063779/video/114392854

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

Craig Francis

Feb 18, 2015, 4:52:25 AM
to Joel Weinberger, security-dev, Devdatta Akhawe
On 17 Feb 2015, at 20:20, Joel Weinberger <j...@chromium.org> wrote:

Recently, Dev Akhawe told me that, from his perspective, the biggest barrier to adoption of CSP is how much cruft comes through with reporting turned on. At Dropbox, he has to do extensive filtering to get out all the false positives to make any substantial use of CSP (because of extensions and similar things violating the page's policy). He suggested that Chrome should make some documentation or at least recommendations on how to do filtering properly.

Have you looked at the "source-file" value in the report?

I think this is fairly new, and seems to be missing in most cases (I have reporting disabled most of the time, due to the number of false positives, so I'm only looking at 100 reports from the last few minutes).

But when you have a typical extension doing its thing (in my case it seems to be malware type extensions trying to insert adverts onto the page, or supposed security products "checking" your passwords), you might be able to identify that... for example:

blocked-uri: 
column-number: 45835
document-uri: https://example.com/
effective-directive: style-src
line-number: 2
original-policy: default-src ...
referrer: 
source-file: chrome-extension://mkfokfffehpeedafpekjeddnmnjhmcmk
status-code: 0
violated-directive: style-src 'self'

But having said that, most still look like the following (the next report from the same browser, which was Chrome 40.0.2214.111):

blocked-uri: https://nikkomsgchannel
document-uri: https://example.com/
effective-directive: connect-src
original-policy: default-src ...
referrer: https://example.com/
status-code: 0
violated-directive: connect-src 'self'

Craig

Devdatta Akhawe

Feb 18, 2015, 12:32:46 PM
to Craig Francis, Joel Weinberger, security-dev, Devdatta Akhawe
Hey

Yeah, the source-file directive works well, but only seems to come up when inline scripts/styles are blocked.

This is exactly the sort of knowledge that should be available somewhere and my suggestion to Joel was basically that similar to how the Chrome team is evangelizing HTTPS everywhere, it is also in the perfect position to evangelize this knowledge for CSP adoption. I am also hoping to compile together some of the things I have learnt and post them somewhere soon.

cheers
Dev

Joel Weinberger

Feb 19, 2015, 4:29:38 PM
to Devdatta Akhawe, Craig Francis, security-dev, Devdatta Akhawe
I'm certainly happy to put together a Wiki article on chromium.org with these types of suggestions, and maybe we can also put together an html5rocks.com article at some point. Dev, if at some point you can get me your suggestions, I can start putting together a wiki article with some of this content.
--Joel

Devdatta Akhawe

Feb 19, 2015, 7:43:35 PM
to Joel Weinberger, Craig Francis, security-dev
well, for one, you can add "ignore superfish.com reports" ...
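The thread above gives three concrete filtering signals: Craig's report with a chrome-extension:// source-file, his second report whose blocked-uri is a bare single-label host (https://nikkomsgchannel), and Dev's "ignore superfish.com reports". The following is an added example, not code from Chrome, Dropbox or any poster, showing how a report-uri endpoint might triage reports on those signals. The field names are the standard csp-report JSON fields seen in Craig's reports; the scheme list, the bare-host heuristic, the noise-host list and the sample report lines are assumptions constructed for illustration, not a recommended production policy.

```python
"""Triage CSP violation reports: separate browser-extension and other
client-side noise from reports that point at the site's own policy gaps.
Added example for the security-dev thread; all rules are illustrative."""
import json
from urllib.parse import urlsplit

# Schemes that only appear when a browser extension injects content (assumed list).
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension",
                     "ms-browser-extension")

# Operator-maintained ignore list; superfish.com is the host named in the thread.
NOISE_HOSTS = {"superfish.com"}


def _host_matches(host, noise_hosts):
    """True if host equals a noise host or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in noise_hosts)


def classify_report(report, noise_hosts=NOISE_HOSTS):
    """Label one report (the dict under the top-level "csp-report" key).

    "extension"  - source-file or blocked-uri uses a browser-extension scheme
    "noise-host" - blocked-uri host is on the operator's ignore list
    "bare-host"  - blocked-uri is http(s) with a hostname containing no dot;
                   not a real public origin, typical of injected content
    "actionable" - anything else, i.e. worth a human look
    """
    source_file = report.get("source-file") or ""
    blocked = report.get("blocked-uri") or ""

    # As Dev notes, source-file mostly shows up for blocked inline script/style,
    # so the extension check also looks at blocked-uri for fetch-type violations.
    for uri in (source_file, blocked):
        if urlsplit(uri).scheme in EXTENSION_SCHEMES:
            return "extension"

    parts = urlsplit(blocked)
    host = parts.hostname or ""
    if host and _host_matches(host, noise_hosts):
        return "noise-host"
    if parts.scheme in ("http", "https") and host and "." not in host:
        return "bare-host"
    return "actionable"


def filter_reports(raw_lines, noise_hosts=NOISE_HOSTS):
    """Parse one JSON report per line; return (kept_reports, dropped_counts)."""
    kept, dropped = [], {}
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            body = json.loads(line)
        except ValueError:
            dropped["unparseable"] = dropped.get("unparseable", 0) + 1
            continue
        report = body.get("csp-report", body)
        label = classify_report(report, noise_hosts)
        if label == "actionable":
            kept.append(report)
        else:
            dropped[label] = dropped.get(label, 0) + 1
    return kept, dropped


# Constructed sample input: Craig's two reports rendered as JSON, a constructed
# superfish.com report for Dev's rule, and one genuine policy violation.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "blocked-uri": "", "column-number": 45835, "line-number": 2,
        "document-uri": "https://example.com/", "effective-directive": "style-src",
        "original-policy": "default-src 'self'", "referrer": "",
        "source-file": "chrome-extension://mkfokfffehpeedafpekjeddnmnjhmcmk",
        "status-code": 0, "violated-directive": "style-src 'self'"}}),
    json.dumps({"csp-report": {
        "blocked-uri": "https://nikkomsgchannel",
        "document-uri": "https://example.com/", "effective-directive": "connect-src",
        "original-policy": "default-src 'self'", "referrer": "https://example.com/",
        "status-code": 0, "violated-directive": "connect-src 'self'"}}),
    json.dumps({"csp-report": {
        "blocked-uri": "https://www.superfish.com/x.js",  # constructed path
        "document-uri": "https://example.com/", "effective-directive": "script-src",
        "original-policy": "default-src 'self'",
        "violated-directive": "script-src 'self'"}}),
    json.dumps({"csp-report": {
        "blocked-uri": "https://cdn.example.net/app.js",  # a real policy gap
        "document-uri": "https://example.com/", "effective-directive": "script-src",
        "original-policy": "default-src 'self'",
        "violated-directive": "script-src 'self'"}}),
]

if __name__ == "__main__":
    kept, dropped = filter_reports(SAMPLE_REPORTS)
    print("kept:", [r["blocked-uri"] for r in kept])
    print("dropped:", dropped)
```

The design choice worth noting is that the filter only drops reports matching a positive noise signal; anything unrecognised stays in the actionable pile, so a new kind of cruft shows up as volume you can then add a rule for, rather than silently disappearing along with real violations.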