Closed weizman closed 1 year ago
858059e is a big one (with e19c70e also):

- `unsafe-{inline/eval}`
- `.onsecuritypolicyviolation` event to learn of CSP violations, and if any occurred, to populate that to the webdriver test to determine if the CSP violation was a correct defense attempt against Snow bypass.
- `document.write` is called, which is a common technique to attempt to bypass Snow in the tests. For those that specifically use `document.write`, we first call a dedicated function to tell us if such an operation would even work with current CSP. If not, we consider the test as passed.

In 60dfa89 we discover some FF issues that seem to be bigger than this change. This makes it even clearer that in addition to the decided CSP above we should introduce `object-src 'none'` also, as `object` is a problematic one and also shouldn't be used by websites really.

Continuing https://github.com/LavaMoat/snow/pull/118#issuecomment-1629379581, in 20aae8b we introduce CSP support for `object-src` too.
tl;dr

- `unsafe-inline` is not allowed! `script-src` directive to anything as long as it doesn't include the phrase `unsafe-inline`
- `object-src` to `self` is not allowed! `object-src` directive to anything as long as it doesn't include the phrase `self`
Motivation

- `unsafe-inline` & `unsafe-eval` - These 2 are allowing most of the vulns that are too hard to patch; string-JS based attacks are difficult to hermetically defend against.
- `object-src` - `object`s and `embed`s are also very problematic in their behaviour around contentWindow access and load event emitters

In this PR
- `script-src 'self'; object-src 'none';`
- `securitypolicyviolation` event in all realms by default
- `document.body.innerHTML = '<iframe src="javascript:alert()" />'` will pass with `CSP-script-src-elem` detected
- `document.write` we have to integrate a static check instead of expecting the event listener to fire - this is because `document.write` kills event listeners on the document by definition, including `securitypolicyviolation`
- `example.com` as the same origin to a new app https://weizman.github.io/CSPer/ which accepts a query param `csp` and sets its value as the CSP of the document using the `meta` tag.

Notes
- `facebook.com` want to use Snow, provide them with an easy way to take their current CSP and test it with Snow's current tests to see if it cuts it.
- `unsafe-inline` and `unsafe-eval` attacks; (3) forbid `object-src` by pointing it to either `none` or to any domain that isn't the same domain as your app
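The static CSP check described above (the "dedicated function to tell us if such an operation would even work with current CSP" in the commit notes, and the `unsafe-inline` / `object-src` rules in the tl;dr), as an added example that is not Snow's own code nor its test helper. It goes a little beyond the PR's plain phrase test by applying the standard CSP fallback order (`script-src-elem`, then `script-src`, then `default-src`; `object-src`, then `default-src`), by treating a nonce or hash in the directive as disabling `'unsafe-inline'`, and by accepting an optional `appHost` host-source to compare against. The function names, `appHost`, and every policy string are assumptions constructed for this example; it runs under Node and touches no browser API.

```javascript
// Added example, not Snow's code: a static CSP check of the kind the PR
// describes for the document.write tests, i.e. "would an inline <script> or a
// same-origin <object> even be allowed under this policy?" Runs under Node.

// Parse "name v1 v2; name v1" into a Map of directive -> source list.
// Per the CSP spec a repeated directive is ignored, so the first one wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Walk the fallback chain (e.g. script-src-elem -> script-src -> default-src)
// and return the first source list present, or null if no directive governs
// the fetch at all (in which case CSP places no restriction on it).
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// True if an injected inline <script> element would execute. 'unsafe-inline'
// is required for that; if the same directive also carries a nonce or hash,
// CSP3 browsers ignore 'unsafe-inline', and an injected element has no valid
// nonce, so such a policy is treated as blocking it.
function allowsInlineScript(policy) {
  const srcs = effectiveSources(parseCsp(policy),
    ['script-src-elem', 'script-src', 'default-src']);
  if (srcs === null) return true;
  const nonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return srcs.includes("'unsafe-inline'") && !nonceOrHash;
}

// True if an <object>/<embed> pointing at the app's own origin would load.
// appHost is an assumed, optional host-source to compare against (constructed
// for this example); 'self' and '*' also cover the app's own origin.
function allowsSameOriginObject(policy, appHost) {
  const srcs = effectiveSources(parseCsp(policy), ['object-src', 'default-src']);
  if (srcs === null) return true;
  if (srcs.includes("'self'") || srcs.includes('*')) return true;
  return appHost !== undefined && srcs.includes(appHost.toLowerCase());
}

// Verdict in the shape of the PR's tl;dr: the policy is usable with Snow only
// if neither inline script nor same-origin objects are permitted.
function snowCspVerdict(policy, appHost) {
  const inlineScript = allowsInlineScript(policy);
  const sameOriginObject = allowsSameOriginObject(policy, appHost);
  return { inlineScript, sameOriginObject, compatible: !inlineScript && !sameOriginObject };
}

// Policies below are constructed sample input for the example.
const samplePolicies = [
  "script-src 'self'; object-src 'none';",              // the PR's default policy
  "default-src 'self' 'unsafe-inline'",                 // inline allowed via default-src fallback
  "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",    // nonce disables 'unsafe-inline'
  "script-src 'self'",                                  // no object-src and no default-src: objects unrestricted
  "script-src 'self'; object-src https://app.example",  // object-src names the app's own host
];
for (const p of samplePolicies) {
  console.log(JSON.stringify(p), '=>', snowCspVerdict(p, 'https://app.example'));
}
```

The browser side of the PR (listening for `securitypolicyviolation`) cannot be exercised here, which is exactly why a static decision like this one is needed for the `document.write` tests: once `document.write` has replaced the document, no listener is left to fire.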