
shouldLoad( ) and shouldProcess( )


jeremy...@gmx.ch

Mar 18, 2013, 12:14:50 PM
Hello together,

I know that I can block external sources like images, scripts, styles etc. by checking their origin in shouldLoad() of nsIContentPolicy.

However, inline scripts are not "loaded" so this method doesn't apply. My questions are:

1.) Do I have to use shouldProcess() to check inline scripts?

2.) For what types is shouldProcess() used after all? Same as shouldLoad()? While shouldLoad() is quite clear I didn't fully understand the meaning of shouldProcess().


The intention behind these questions is that I want to send an identifier for some inline script tag via a new CSP rule, check if an existing inline script tag owns this identifier and allow its execution only in this case.

Best Regards,
Jeremy

Boris Zbarsky

Mar 18, 2013, 12:55:57 PM
to mozilla-de...@lists.mozilla.org
On 3/18/13 12:14 PM, jeremy...@gmx.ch wrote:
> 1.) Do I have to use shouldProcess() to check inline scripts?

In theory, yes. In practice, it may not get called for inline scripts.

> 2.) For what types is shouldProcess() used after all? Same as shouldLoad()? While shouldLoad() is quite clear I didn't fully understand the meaning of shouldProcess().

You're not the only one. ;)

In theory, anything that gets "processed" should call shouldProcess
before doing so... That would tend to include most things that go
through shouldLoad, but perhaps not all (e.g. clicking a link would do a
shouldLoad(), but if it comes back content-disposition:attachment
arguably shouldn't shouldProcess).

-Boris

jeremy...@gmx.ch

Mar 19, 2013, 4:12:43 AM
Thanks Boris, but what does that mean for me now?

Repeating my intention "that I want to send an identifier for some inline script tag via a new CSP rule, check if an existing inline script tag owns this identifier and allow its execution only in this case" I still ask myself: can I use shouldProcess() for this?

Besides, you write that in some cases it might not get called for inline scripts. Could you please explain these cases?

Regards,
Jeremy

Boris Zbarsky

Mar 19, 2013, 8:43:04 AM
to mozilla-de...@lists.mozilla.org
On 3/19/13 4:12 AM, jeremy...@gmx.ch wrote:
> Thanks Boris, but what does that mean for me now?
>
> Repeating my intention "that I want to send an identifier for some inline script tag via a new CSP rule, check if an existing inline script tag owns this identifier and allow its execution only in this case" I still ask myself: can I use shouldProcess() for this?

I don't know. Have you checked whether ShouldProcess is called for
inline scripts?

> Besides, you write that in some cases it might not get called for inline scripts. Could you please explain these cases?

No, I wrote that it may not get called for them. Like at all, not in
some cases. I certainly see no indication that it is, but maybe it's
done in some roundabout way I'm missing.

-Boris

Ian Melven

Mar 19, 2013, 11:51:13 AM
to jeremy ralegh, dev-se...@lists.mozilla.org

I think it would make more sense to use nsIContentSecurityPolicy's allowsInlineScript for this
as I pointed at earlier

your intention sounds along the lines of the proposed script-nonce/script-hash directive for CSP 1.1,
although i don't think you've mentioned what identifier you're going to use :)

ian
_______________________________________________
dev-security mailing list
dev-se...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security

jeremy...@gmx.ch

Mar 27, 2013, 7:32:39 AM
Thanks for your feedback. Your comments have helped.

@Ian: I'm following the nonce idea.

Do you know how far work has already gone in this direction? Has anyone published implementation details or is this just an idea at the moment?

Regards,
Jeremy

Ian Melven

Mar 27, 2013, 12:31:56 PM
to jeremy ralegh, Tanvi Vyas, dev-se...@lists.mozilla.org

Hi Jeremy,

i guessed (hoped?) that might be what you were working on ! :)

i'm not aware of any implementations of script-nonce yet - there's been
quite a bit of discussion on it (especially the syntax has been discussed
recently) within the W3C WebAppSec WG.

also, i filed https://bugzilla.mozilla.org/show_bug.cgi?id=855326 - feel free to use
it to track your work and especially get feedback on patches there

script-hash has also been discussed - as I understand it, there's use cases that favor
script-nonce and use cases that favor script-nonce. Maybe Tanvi can chime in here with more details :)

also see these threads if you haven't :

http://lists.w3.org/Archives/Public/public-webappsec/2013Mar/0009.html
http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0003.html
http://lists.w3.org/Archives/Public/public-webappsec/2013Mar/0058.html

which have a lot of the previous discussion.

Thanks for working on this !

cheers,
ian


----- Original Message -----
From: "jeremy ralegh" <jeremy...@gmx.ch>
To: dev-se...@lists.mozilla.org
Sent: Wednesday, March 27, 2013 4:32:39 AM
Subject: Re: shouldLoad( ) and shouldProcess( )
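
[Added example, not part of the original thread and not Gecko code.] The check Jeremy describes (an inline script runs only if it carries the identifier sent in the policy), sketched with the script-src 'nonce-<value>' syntax that CSP Level 2 later standardized rather than the script-nonce draft discussed here. The function names and the sample policy are assumptions; hash sources are not handled.

```javascript
// Added example (not Gecko code): nonce check for inline scripts using the
// script-src 'nonce-<value>' syntax that CSP Level 2 later standardized.
const { randomBytes } = require("crypto");

// Server side: a fresh, unpredictable nonce for every response.
function newNonce() {
  return randomBytes(16).toString("base64");
}

// Source list that governs scripts: script-src, else default-src.
// Returns undefined when the policy does not restrict scripts at all.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives.get("script-src") ?? directives.get("default-src");
}

// Hypothetical helper: may an inline <script> with this nonce attribute run?
function inlineScriptAllowed(policy, nonceAttr) {
  const sources = scriptSources(policy);
  if (sources === undefined) return true;
  const nonces = sources
    .map((s) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  if (nonces.length === 0) {
    return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }
  // Once a nonce is listed, 'unsafe-inline' no longer applies: only an
  // exact, case-sensitive nonce match lets the inline script run.
  return typeof nonceAttr === "string" && nonces.includes(nonceAttr);
}

// Constructed sample: one page's policy and its inline scripts.
const nonce = newNonce();
const policy = `default-src 'self'; script-src 'self' 'nonce-${nonce}' 'unsafe-inline'`;
const inlineScripts = [
  { label: "site code", nonce },
  { label: "injected, no nonce", nonce: null },
  { label: "injected, guessed nonce", nonce: "AAAAAAAAAAAAAAAAAAAAAA==" },
];
const allowed = inlineScripts.filter((s) => inlineScriptAllowed(policy, s.nonce));
console.log(allowed.map((s) => s.label));
```
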

jeremy...@gmx.ch

Mar 27, 2013, 1:50:18 PM
Hi Ian,

yes I'm working on it. I just tend to avoid double work and write something that might have already been published and that I wasn't aware of :-)
And thanks for the links.

Jeremy