Security: CSP Header handling in Chrome requires unsafe practices
Reported by
rene.sch...@gmail.com,
Jan 30 2017
|
|||
Issue descriptionVULNERABILITY DETAILS The Content security policy (CSP) header is incorrectly inherited for loaded resources like Javascript, which requires opening up the policy more than required. An example is CKEditor. It currently requires unsafe-eval and unsafe-inline (depending on plugins used). In the current version of Chrome, to make this work, the HTML document also requires the same unsafe settings, which then apply to ALL loaded scripts. The correct handling, in my opinion, is to let the policy header of a resource loaded from the HTML page override the CSP settings (but only for that resource). So in effect, a single script might be allowed to use "unsafe-inline", while all other scripts might not. The same should be true for all other policies. Like, only a defined script on a specific URL might be allowed to to open a websocket, while all other scripts in the same page might not. Another example would be to allow a single javascript to load resources from another domain, while generally blocking it for the rest of the HTML page and all other javascripts loaded in the same document - or allowing different javascript access to different domains. For example, a script for Google Adwords will need access to Google servers (obviously), but shouldn't be able to access the domain where the HTML page is loaded from - even if the Adwords script is served from the same webserver as the HTML page. On the other hand, another script should be able to access the server that served the HTML page, but shouldn't be able to access the Google servers. VERSION Version 55.0.2883.87 (64-bit) Operating System: Xubuntu Linux 16.04 REPRODUCTION CASE The required code is too deeply integrated into my software. Here is the basic steps to reproduce: *) Make a HTML page that loads a Javascript file. *) Javascript should do an unsafe eval HTML page is deliveres with a CSP header like this: Content-Security-Policy: script-src 'self'; Javascript is delivered with a CSP header like this: Content-Security-Policy: script-src 'self' 'unsafe-eval'; Chrome should allow the unsafe eval to take place in the loaded Javascript, but not in the page. What really happens: You get a Javascript error because of the unsafe eval. Currently, two solution exist: 1) Rewrite the Javascript to not use unsafe-eval (not always possible, depending on available time, license and scope of project) 2) Allow the "unsafe-eval" on the CSP for the whole HTML page, which opens up additional security problems. (Yes, i am aware that this bug report, in all likelyhood, does not qualify for the bug bounty program).
,
Jan 30 2017
Removing security labels since as elawrence suggests this is a feature request for CSP. Punting over to mkwst for triage.
,
Feb 24 2017
I'm closing this as WontFix, not because it's a terrible idea, but because the right place to discuss cross-browser improvements to CSP is by filing an issue against https://github.com/w3c/webappsec-csp/issues. This in particular, though, is not something I'm terribly excited about at first glance. The security model we have today treats all script loaded into an origin as equivalent, and runs them in the same execution context with access to the same global. It's not clear to me that we can easily prevent one file from doing things another file has access to, because they're all mixed up together once execution begins (and can overwrite each other, use the same global pool of variables, etc). When you file the spec issue, it would be helpful for you to spell out in more detail how you'd address these kinds of questions. Thanks! |
|||
►
Sign in to add a comment |
|||
Comment 1 by elawrence@chromium.org
, Jan 30 2017