Open jmanico opened 2 years ago
For "non-related" development there is now opened separate issue #1958.
This issue is focusing only allow-list vs nonces in Content-Security-Policy.
As discussed here, it does not make sense to require it, but we can write recommendation for that.
I am sticking around. If you cannot stop being abusive, then I suggest you find somewhere else to donate your time. Being respectful is critical to a standard body and all technical comments are welcome.
I disagree Elar. I think your comments are downright abusive and it needs to stop.
This is not true, and it is pure demagogy. In another issue, you said that I didn't understand the topic, the same in the email, but at the end, you were the one, who did not read the issue (again) and failed to understand the topic. The summary is here: #1589 (comment)
Here, yes, you started the issue. The discussion here has been developing to the place, where it is.
From issue to issue you throw in comments, without reading and analyzing, what has been said before, causing noise in the issue, and then no one wants to dig through all the comments that are there.
If you think after all that behavior, that I'm the one who needs to change, then the result is quite simple - one of us will not continue as leader for ASVS.
As I listed above, strict-CSP is rather complex. I am happy to convert that into a series of requirements if I have your support for this @tghosth
I think specifying the use of the Strict CSP approach may ambiguous as there are different definitions/understandings of what the requirements are. For example, Google's definition here is at odds with the definition above. Notably, (as one example) it includes the use of unsafe-inline
which is ignored when nonces are supported (as such, I don't think it's necessarily appropriate to prohibit unsafe-inline
as a possible source when used alongside a strict policy).
If I am understanding correctly, I agree with @elarlang's direction abstracting from the specific directives/policies.
I think an allow-list approach would be appropriate requirement for initial level(s), but for L3 I think a more strict approach may be appropriate (as @jmanico noted, there is sufficient evidence on the allow-list approach failing due to insecure implementations). Here is a rough effort at generalizing these:
To put these into requirement form for suggestion (not suggesting level associations, however):
I used the term page
which I assume is appropriate for where this type of policy ought to be implemented. Other resources that do not embed content may use CSP differently. The 2. requirement necessarily follows the strict approach without dictating the method (nonce, hash, something else?) as it specifies that all loaded content must be trusted (not just content from trusted sources). Both 1. and 2. implicitly prevent the use of unsafe-inline
which is a method that fails to explicitly trust loaded content.
How about we get a little at least a little more specific. There are a limited number of ways to implement CSP.
So perhaps:
In my experience, using a strict CSP with either nonces or a watertight allow-list is really difficult for an existing application. Simply allow-listing the currently used domains is often not sufficiently secure, if those domains host other people's scripts or scripts that can be used as gadgets. Nonces don't work for event handlers, so in an existing application the developer has to rewrite all JavaScript event handlers. Slapping a header on an application is easy, but making an existing application work with a strict CSP is hard.
Caution AI content
I think copy/pasting AI-generated content is not helpful.
I suggest that mentioning the use of nonces or hashing with strict-dynamic (also know as “strict CSP”) is exactly what we should be suggesting.
I think the agreement thus far is to recommend this, but not require it. The quoted part is a bit ambiguous on what you think, @jmanico, so it does not really connect well to the discussion thus far. But from your last comment I gather you want to require a strict CSP, preferably with nonces or hashes. That is indeed more secure, but it is also an impossible amount of work for some existing applications. So I don't think requiring this for all applications is a good idea.
There are a lot of level 3 requirements that are difficult to implement. Strict-CSP is challenging to implement in some cases, but I still think we need to push in that direction since it’s the main way, statistically, to implement CSP with good security properties.
Again, many other level 3 requirements are very difficult to implement, that’s why they are level 3.
Instead of saying "Do not use 'unsafe-inline'" we should try to explain the goal of the restriction.
@elarlang I agree that setting out the goal of the requirement is key and ideally focusing the requirement around the goal rather than specific
- Verify for all pages that a Content Security Policy (CSP) is implemented to ensure the browser only loads/executes explicitly trusted content or content from trusted sources using one or a combination of allow lists, CSP-nonces or CSP-hashes.
- Verify for all pages that a Content Security Policy (CSP) is implemented to ensure the browser only loads/executes explicitly trusted content using CSP-nonces and/or CSP-hashes.
This definitely seems like the right direction to me @ryarmst @jmanico :)
Slapping a header on an application is easy, but making an existing application work with a strict CSP is hard. (@Sjord)
This is an important point but I also agree with @jmanico that L3 requirements are usually hard and that
I think copy/pasting AI-generated content is not helpful.
@jmanico I think I have to agree with this, the guidance tends to be a little unfocused unfortunately.
@Sjord @ryarmst @jmanico @elarlang:
@tghosth on your questions:
unsafe-inline
that could not be exploited (if there was a XSS vector). Because Allow-Lists are overall bypassable (93% bypassable) I want to make sure we encourage nonce/hash policies in a very strong way. I vote for L2. Also, CSP policies that try to prevent exfiltration are also weak, and the standard has moved away from trying to plug all the exfiltration vectors. I suggest we focus ASVS CSP requirements on just XSS/content injection defense.
I think having a best-effort CSP using allowlists should be L2, and having a watertight CSP using nonces should be L3.
I think script-src 'self'
can be part of a watertight CSP. Also, when there is an injection point inside a <script>
block, XSS is still possible even with nonces.
and the standard has moved away from trying to plug all the exfiltration vectors
@jmanico This sounds interesting, outside the context of this issue. Do you have additional information on this where I can read more about this?
Here is the research on CSP bypasses and similar.
https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation?slide=16 and https://speakerdeck.com/mikispag/defense-in-depth-techniques-for-modern-web-applications-and-googles-journey-with-csp-michele-spagnuolo-and-lukas-weichselbaum
.. even with a strict allow list, bypasses include: 1) JSONP endpoints 2) BASE tag jumping 3) Object-tag injection and more
I didn't really ask about CSP bypasses, but about exfiltration vectors. They talk about that in the presentation, but that's only focused on data exfiltration through JavaScript. It still seems valuable to prevent e.g. CSS injection to prevent exfiltrating the CSRF token.
Here's another interesting slide from the same presentation, which could help us determine which CSP directives to require at which levels:
However, I think their level 1 won't allow inline event handlers (i.e. <button onclick="...">
, so if an application has that it won't be that easy to deploy.
In general, the CSP standard body has stopped trying to prevent data exfiltration with CSP. There are just too many vectors. CSP is really about stopping the initial injection.
@jmanico Do you have a source for that? Some publication of the CSP standard body that confirms this?
@jmanico Do you have a source for that? Some publication of the CSP standard body that confirms this?
For sure. Let me do a little digging on this and I'll get back to you.
But basically, attackers have developed rather sophisticated techniques that can bypass CSP protections, such as using trusted domains or exploiting browser bugs. CSP is less effective in stopping data exfiltration, especially when attackers use legitimate channels for data transmission.
I'll give you a reference soon.
This is from one of the CSP standard body members:
"It's true that CSP isn't suited to prevent data exfil. E.g. it's trivial to use navigation to extract data and there's nothing you can do with CSP to prevent this.
Once the attacker has script execution it's game over. So the primary goal is to prevent that from happening.
I'm not sure if there's an official w3c stance on it, but indirectly this position is confirmed by consensus of deprecating the navigate-to CSP directive.
iirc we also had a slide on this in our 2019 locomocosec talk"
@jmanico, having read back through the comments above and especially @ryarmst's comment I think that it is a little unrealistic for a strict nonce/hash based policy for L2 and an allow list based policy might be more difficult than it is worth.
It makes me thing that the L2 requirement should be non-prescriptive on how it is achieved and the L3 requirement should specify nonce/hash based policy.
For the specific wording, I think it will depend on the discussions in #1958.
It makes me think that the L2 requirement should be non-prescriptive on how it is achieved and the L3 requirement should specify nonce/hash based policy.
I like this approach. 👍🏼
I suggest we have a CSP requirement that moves folks away from allow-lists to a nonce or hash strict-dynamic policy (CSP3 stuff) which is much easier to deploy and more secure.