[whatwg] CSP feedback

Rob Levin roblevin at hotmail.com
Thu Jul 28 09:25:02 PDT 2011



I posted this to the whatwg forums last week, and was advised to post to the
mailing list.  Here goes.



I've been thinking for some time about XSS attacks and ways to mitigate
them, and two observations struck me:


(1) XSS attacks nearly always occur in the <body> block of an HTML document,
and not the <head> block. This is because the attack surface of the <body>
is generally larger than the <head> block, and user-generated content is
usually (but not always) placed in the <body> of a document.


(2) With the rise of JavaScript frameworks like jQuery, it is becoming best
practice to separate the code from the content. All legitimate code can be
placed in the <head> block without too much effort, for many sites.


So I came to the conclusion that adding a simple HTML mechanism to allow an
author to tell a user-agent that scripts should only be executed from the
<head> block would give a powerful weapon to authors to prevent XSS
exploits. Authors would write their own scripts, include them in their
<head> block, and instruct the user-agent that any scripts in the <body>
block should be ignored. This would be easy to implement on the user-agent side
and easy to use on the author side. And it would degrade gracefully in older


Excited with this idea, I set out to find the right people to contact to get
this moving, which eventually led me to WHATWG. I did some research on the
mailing list archives, and realised that other people have had my ideas
first (many years ago), and are well on the way to implementing them. Oh
well, never mind! So I've read about sandboxing on IFrames, and the CSP
unofficial draft, and clearly these efforts are solving bigger problems in a
more comprehensive way, which largely encompass my ideas. Well done to all
involved on these major efforts.


But... there are a few things that strike me.



Firstly, whatever is done to mitigate XSS should be really really simple to
use and understand by authors. I'm not sure that CSP hits the sweet spot
between usability and security; I am worried it is going to be too difficult
to use for the mass market, and hence fail in part of its mission.


For me, the instruction to inform a user-agent that a script should be
ignored in the body should look something like:



<security request="NoBodyScripts"></security>




This would be intuitive to most authors, and would stop an awful lot of


How can I achieve the same effect with CSP? I may have it wrong, but the
only way I can see to implement this with CSP would be to do something like:



<meta http-equiv="X-Content-Security-Policy" script-nonce="[a strong dynamic random token]">



...and include this nonce with every script on the page.



Secondly, creating and implementing a protocol such as CSP is only part of
the story to really eliminate XSS in the wild. The social aspect needs to be
thought through. I think the best way to encourage authors to use it would
be to show some consistent visual feedback given to users that their site
has implemented "Web Security" and that the user-agent is enforcing it. This
would then start a virtuous feedback cycle where more sites implement the
security, putting pressure on more user-agents to implement it etc.


Users are already used to a padlock symbol showing a secure socket
connection; a similar common symbol could be recommended to user-agents to
display to users when CSP is invoked. This should be part of the spec, in my




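Added example, not part of the original message: a small Python model comparing which script elements would run under the proposed NoBodyScripts rule and under a per-response nonce. It assumes the script-src 'nonce-...' header form that CSP later standardized rather than the draft meta syntax quoted above; the page markup, /app.js, init() and all function names are constructed for illustration.

```python
import secrets
from html.parser import HTMLParser

class ScriptFinder(HTMLParser):
    """Records (section, nonce) for every <script> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.section = None      # "head" or "body" once one has been seen
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self.section = tag
        elif tag == "script":
            self.scripts.append((self.section, dict(attrs).get("nonce")))

def find_scripts(html):
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.scripts

def allowed_no_body_scripts(scripts):
    # Hypothetical NoBodyScripts rule from the post: only <head> scripts run.
    return [section == "head" for section, _ in scripts]

def allowed_nonce(scripts, nonce):
    # Nonce rule: a script runs only if it carries this response's nonce.
    return [found is not None and found == nonce for _, found in scripts]

def render(nonce, comment):
    # Constructed page. `comment` is user content inserted without escaping,
    # which is the bug both rules are meant to contain.
    return (f'<html><head><script nonce="{nonce}" src="/app.js"></script></head>'
            f'<body><script nonce="{nonce}">init()</script>'
            f'<div class="comment">{comment}</div></body></html>')

def demo():
    nonce = secrets.token_urlsafe(16)    # fresh and unguessable per response
    header = f"Content-Security-Policy: script-src 'nonce-{nonce}'"
    scripts = find_scripts(render(nonce, "<script>alert(1)</script>"))
    return header, allowed_no_body_scripts(scripts), allowed_nonce(scripts, nonce)

if __name__ == "__main__":
    header, head_only, by_nonce = demo()
    print(header)
    print("NoBodyScripts:", head_only)
    print("nonce:        ", by_nonce)
```

Both rules refuse the injected script; the difference is that the head-only rule also refuses the author's own inline script in the body, while the nonce rule requires the server to mint a new value for every response and stamp it on every legitimate script.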