CSPs for opaque-origin subresources #651
Comments
|
/cc @mikewest here as well in case he wants to share more thoughts (or wants to add others here). It looked you're roughly on board when this was discussed on other thread but I might be misreading something! |
|
I think this is a reasonable approach conceptually. Practically, I'm not at all sure how to integrate this into the CSP spec, however. We currently hook into Fetch, and examine the request's URL to determine whether it matches the page's policy. Do y'all have ideas about how you'd pipe through a concept of the request's URL's physical location in the webpackage case? Is this something for which you've already through about infrastructure? Similar questions will, I'm sure, come up during implementation... (See step 6 of main fetch, for example, which pushes through to https://w3c.github.io/webappsec-csp/#should-block-request, and eventually https://w3c.github.io/webappsec-csp/#match-url-to-source-expression after a bit of indirection) |
|
I created a Chromium CL: https://crrev.com/c/2886721 I don't have concrete idea of how to integrate into the spec yet. But when we will convert the explainer to a specification, we will lookup the |
This monkeypatches the CSP spec to use the source bundle's URL instead of uuid-in-package: URLs for matching. References: WICG#651 https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading-opaque-origin-iframes.md#content-security-policy-csp-for-uuid-in-package-resources
This monkeypatches the CSP spec to use the source bundle's URL instead of uuid-in-package: URLs for matching. References: #651 https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading-opaque-origin-iframes.md#content-security-policy-csp-for-uuid-in-package-resources
The interaction of Content Security Policy (CSP) and the urn:uuid web bundle subresources is not ideal. Imagine a site that configures a CSP:
Now they want to run
urn:uuidscripts from the bundle (ex: #624). This will look like:As implemented in the current origin trial, if they want to continue to use a url-based policy and allow the script to execute they must open up their CSP to urn:uuid resources:
Unfortunately, the CSP is now mostly useless. An attacker who can inject content into the page can do:
Even if we change subresource bundles from
<link>to<script>(#580) there's the same issue for other types of resource. For example, if a site hasframe-src 'self'they can't use subresource bundles, and if they openframe-srcto allowurn:uuid:*they've opened the door to frames from any origin.A related, but less severe, issue is that adopting subresource bundles requires CSP changes when it arguably shouldn't. For example, imagine a site that trusts ads.example to show ads on their page, and so has the CSP:
When
ads.exampletries to run a script from aurn:uuidsubresource or use aurn:uuidsubresource to create an ad iframe, it will be blocked. While this site has already indicated that they want to allow running JS and iframes loaded fromads.example, the current spec would require them to update their CSP to load them via bundles.Unlike other opaque-origin resources like data: or blob:, which are directly under the control of the containing page, a
urn:uuidsubresource is a reference to a component of something with a globally-accessible URL. One way to fix these issues withurn:uuidsubresources loaded from bundles, then, would be to evaluate the CSP restrictions against the source of the bundle instead of to the literalurn:uuidurl. This would allow a site with:to run:
without allowing:
We propose applying this to CSP directives concerning the URL only. For example, a site using a nonce-based policy would still put the nonce on the script element:
When loading any other resources from a bundle, either ones for which the bundle is authoritative or through some future mechanism like embedded signed exchange, this indirection would not apply.
The text was updated successfully, but these errors were encountered: