One way to address nonce exfiltration would be to hide the nonce from the DOM. I have some ideas about how we might go about doing that; I'll prototype some things here, poke at them in Canary, and then bring them to webappsec for wider discussion.
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d6fffa909e840af681a223f53a2c19dd80942a2d

commit d6fffa909e840af681a223f53a2c19dd80942a2d
Author: mkwst <mkwst@chromium.org>
Date: Thu Jan 12 16:15:47 2017

Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if we could raise the bar on exfiltration to reduce the effectiveness of some of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.

One mechanism that might be effective against some kinds of exfiltration is to stop treating the 'nonce' content attribute as the source of truth, instead pulling the nonce value into an internal slot on the HTMLScriptElement at parse-time. That prevents exfiltration via attribute leakage, mitigating the effect of vectors like `[nonce^=ab]` and `content: attr(nonce)` (http://cspnonce-test.appspot.com/exploit?reset=1 and http://sebastian-lekies.de/csp/social_engineering.php, respectively).

We also clear the nonce after use ("number used _once_", right?) which mitigates the style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html (though that specific issue is also resolved by fixing the browser bug in https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that gives developers a hint at what's going on (e.g. in devtools), but we could pretty easily drop that in the future and just make it a devtools feature entirely. Not sure what the right thing to do is.

This prototype just affects `<script>`; once we decide on reasonable behavior, we can extend it to `<link>` and `<style>`.

BUG=680419
Review-Url: https://codereview.chromium.org/2628733005
Cr-Commit-Position: refs/heads/master@{#443252}

[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/LayoutTests/W3CImportExpectations
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/LayoutTests/fast/dom/element-attribute-js-null-expected.txt
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/LayoutTests/fast/dom/element-attribute-js-null.html
[add] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/dom/ScriptLoaderClient.h
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/html/HTMLScriptElement.cpp
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/html/HTMLScriptElement.h
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/html/HTMLScriptElement.idl
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/svg/SVGScriptElement.cpp
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/core/svg/SVGScriptElement.h
[modify] https://crrev.com/d6fffa909e840af681a223f53a2c19dd80942a2d/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3472bffad91d597a52c92e7e9f4812608d7a9130

commit 3472bffad91d597a52c92e7e9f4812608d7a9130
Author: tkent <tkent@chromium.org>
Date: Wed Jan 18 01:30:17 2017

Re-import wpt/html/dom/reflection-misc.html

TBR=mkwst@chromium.org
NOTRY=true
BUG=680419
Review-Url: https://codereview.chromium.org/2639773002
Cr-Commit-Position: refs/heads/master@{#444229}

[modify] https://crrev.com/3472bffad91d597a52c92e7e9f4812608d7a9130/third_party/WebKit/LayoutTests/W3CImportExpectations
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a7a3f277b70327d2fd2f383acba1b1c2c78f018c

commit a7a3f277b70327d2fd2f383acba1b1c2c78f018c
Author: mkwst <mkwst@chromium.org>
Date: Fri Jan 20 14:28:58 2017

Adjust the <script nonce>-hiding experiment

After a bit more conversation, this patch follows up on the initial stab at attribute changes in https://codereview.chromium.org/2628733005 in two ways:

1. It fixes some bits and pieces of SVGScriptElement handling that were simply broken in the initial patch (e.g. the 'nonce' attribute wasn't actually exposed via IDL), and adds SVG-based tests.

2. We no longer clear the nonce value after execution; we're already preventing re-execution of a script block with a check in 'ScriptLoader::prepareScript' so there's little added value in removing the nonce, but it incurs some non-trivial cost by making manual nonce propagation difficult.

BUG=680419
R=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2644143005
Cr-Commit-Position: refs/heads/master@{#445049}

[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/dom/ScriptLoaderClient.h
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/html/HTMLScriptElement.cpp
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/html/HTMLScriptElement.h
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/svg/SVGScriptElement.cpp
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/svg/SVGScriptElement.h
[modify] https://crrev.com/a7a3f277b70327d2fd2f383acba1b1c2c78f018c/third_party/WebKit/Source/core/svg/SVGScriptElement.idl
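The mechanism the two mkwst commits above describe, modelled in plain JavaScript as an added example (not Blink's C++ and not the layout tests): the nonce moves into an internal slot at attribute-parse time, the content attribute keeps only the '[Replaced]' hint, the CSP check reads the slot, and the IDL `nonce` getter still returns the real value so that manual propagation to a child script keeps working. The element class, the policy set and the sample nonce are constructed for the example; `hideNonce=false` models a browser without the change.

```javascript
// Model of the nonce-hiding behaviour described in the commits above: the
// value moves into an internal slot at attribute-parse time and the content
// attribute keeps only a '[Replaced]' hint. Added example, not Blink/WPT code.
const HIDDEN_MARKER = '[Replaced]';

class NoncedElement {
  constructor(hideNonce = true) {
    this.hideNonce = hideNonce;   // false models a browser without the change
    this.attributes = new Map();  // DOM-visible content attributes
    this.cryptographicNonce = ''; // the internal [[CryptographicNonce]] slot
  }
  // Attribute-parse time: the slot is filled here, so with hiding on the
  // real value never reaches the DOM.
  setAttribute(name, value) {
    if (name === 'nonce' && this.hideNonce) {
      this.cryptographicNonce = value;
      this.attributes.set('nonce', HIDDEN_MARKER);
      return;
    }
    this.attributes.set(name, value);
  }
  getAttribute(name) {
    return this.attributes.has(name) ? this.attributes.get(name) : null;
  }
  // IDL `nonce` getter reads the slot, so page script can still propagate it.
  get nonce() {
    if (this.hideNonce) return this.cryptographicNonce;
    return this.getAttribute('nonce') || '';
  }
}

// CSP `script-src 'nonce-...'` check: consults the slot, not the attribute.
function cspAllowsScript(policyNonces, el) {
  const n = el.hideNonce ? el.cryptographicNonce : el.getAttribute('nonce');
  return n !== null && n !== '' && policyNonces.has(n);
}

// What a CSS `[nonce^=prefix]` selector or `content: attr(nonce)` observes.
function attrPrefixMatches(el, name, prefix) {
  const v = el.getAttribute(name);
  return v !== null && v.startsWith(prefix);
}

function demo(hide) {
  const policy = new Set(['abc123']);        // constructed sample nonce
  const script = new NoncedElement(hide);
  script.setAttribute('nonce', 'abc123');
  const child = new NoncedElement(hide);
  child.setAttribute('nonce', script.nonce); // manual propagation via the getter
  return {
    leaked: attrPrefixMatches(script, 'nonce', 'ab'),
    parentAllowed: cspAllowsScript(policy, script),
    childAllowed: cspAllowsScript(policy, child),
  };
}
```

With hiding on, `demo(true)` reports no attribute leak while both scripts still pass the policy; `demo(false)` shows the same policy result but with the prefix selector matching the real value.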
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/23cd806334edf349b4371e63f231bc1361fe0a08

commit 23cd806334edf349b4371e63f231bc1361fe0a08
Author: mkwst <mkwst@chromium.org>
Date: Tue May 16 21:00:16 2017

Move `<script nonce>` hiding to `Element`.

We're evaluating a different approach to hiding the `nonce` content attribute, moving the behavior change up to `HTMLElement` and `SVGElement` rather than placing it on `{HTML,SVG}{Script,Style}Element`. This patch adds `nonce` to `ElementRareData` in order to support that approach, and wires up a new `NoncedElement` interface to the new properties.

Still behind a flag while we're working out details.

Intent to Implement and Ship: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/wu_fMIYkyaQ/85j16Cg6BAAJ

BUG=680419
Review-Url: https://codereview.chromium.org/2801243002
Cr-Commit-Position: refs/heads/master@{#472215}

[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html.headers
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden-meta.html
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden.html
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden.html.headers
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/html/dom/reflection-metadata-expected.txt
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/external/wpt/html/dom/reflection-misc-expected.txt
[delete] https://crrev.com/febe5cb69cb8c121f2f95f3ec5fb81474958e992/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload-disabled/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/core_idl_files.gni
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/Element.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/Element.h
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/ElementRareData.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/ElementRareData.h
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/MockScriptElementBase.h
[add] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/NoncedElement.idl
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/ScriptElementBase.h
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/dom/StyleElement.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/HTMLElement.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/HTMLElement.h
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/HTMLElement.idl
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/HTMLScriptElement.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/HTMLScriptElement.h
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/HTMLScriptElement.idl
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/html/LinkResource.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/svg/SVGElement.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/svg/SVGElement.idl
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/svg/SVGScriptElement.cpp
[modify] https://crrev.com/23cd806334edf349b4371e63f231bc1361fe0a08/third_party/WebKit/Source/core/svg/SVGScriptElement.h
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e82f2876b31f32df8a61edc4e5e9935efc54e46b

commit e82f2876b31f32df8a61edc4e5e9935efc54e46b
Author: Mike West <mkwst@google.com>
Date: Wed May 24 14:26:26 2017

Update tentative nonce-hiding tests.

Bringing them in line with what we're discussing in https://github.com/whatwg/html/pull/2373.

Bug: 680419
Change-Id: I23ffc4fb32c876e0f622f2c50561c2b686360a61
Reviewed-on: https://chromium-review.googlesource.com/513924
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Philip Jägenstedt <foolip@chromium.org>
Cr-Commit-Position: refs/heads/master@{#474281}

[modify] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[delete] https://crrev.com/5cf9bd2b9e7713034d798e6aed304124d9a694fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden.html.headers
[rename] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.html
[rename] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html
[rename] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers
[rename] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.html
[rename] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html
[copy] https://crrev.com/e82f2876b31f32df8a61edc4e5e9935efc54e46b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/afc52f4ebf737fb545461fa2a5041d8ce08f5386

commit afc52f4ebf737fb545461fa2a5041d8ce08f5386
Author: Mike West <mkwst@chromium.org>
Date: Fri May 26 15:58:00 2017

Update internal '[[CryptographicNonce]]' slot when parsing attributes.

More discussion on https://github.com/whatwg/html/pull/2373 has led to a shift in the implementation from doing everything at insertion time to updating the internal slot's value at attribute-parse time. This patch updates both the tests and implementation. It should also bring `dromaeo.domcoremodify` back up a bit from the drop we experienced after landing the previous pass at this functionality.

Bug: 680419, 724099
Change-Id: I93e7880c94889fb8cd04dec5c639fe52105b091a
Reviewed-on: https://chromium-review.googlesource.com/517064
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#475014}

[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.html
[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html
[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.tentative.html
[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html
[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/LayoutTests/external/wpt/html/dom/reflection-metadata-expected.txt
[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/LayoutTests/external/wpt/html/dom/reflection-misc-expected.txt
[modify] https://crrev.com/afc52f4ebf737fb545461fa2a5041d8ce08f5386/third_party/WebKit/Source/core/html/HTMLElement.cpp
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7bcb9ee52f2600bafddabaed884ccfea52916753

commit 7bcb9ee52f2600bafddabaed884ccfea52916753
Author: Mike West <mkwst@chromium.org>
Date: Mon Jun 12 11:15:02 2017

Ship `nonce` attribute hiding behavior.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/wu_fMIYkyaQ/85j16Cg6BAAJ

Bug: 731752, 680419
Change-Id: I250e03b2fb614a21a2b7eb1a27b7a11a746e6fc8
Reviewed-on: https://chromium-review.googlesource.com/529249
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478590}

[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload-disabled/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/virtual/stable/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/Source/core/dom/NoncedElement.idl
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/Source/core/svg/SVGScriptElement.idl
[modify] https://crrev.com/7bcb9ee52f2600bafddabaed884ccfea52916753/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/537717e4ad08bb1b4ed04780f0b5038d5669aefe

commit 537717e4ad08bb1b4ed04780f0b5038d5669aefe
Author: Mike West <mkwst@chromium.org>
Date: Sun Nov 19 16:01:36 2017

Add custom element event tests for CSP nonce hiding.

Basically copy-pasting from Anne's suggestions at https://github.com/whatwg/html/pull/2373#issuecomment-332503536

Bug: 680419
Change-Id: I9fee18d46dc00ff3ec8ec90f3d8acd80ab015622
Reviewed-on: https://chromium-review.googlesource.com/771151
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517734}

[modify] https://crrev.com/537717e4ad08bb1b4ed04780f0b5038d5669aefe/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html
Comment 1 by bugdroid1@chromium.org, Jan 12 2017