Open arturjanc opened 4 years ago
This wouldn't be terribly difficult to do. We'd need to adjust https://html.spec.whatwg.org/#set-the-frozen-base-url to send the nonce value as well as the URL when checking the policy, which doesn't seem like a ton of work.

That said, it would be helpful to know if this is a practical problem or a theoretical improvement. I'd kinda like to minimize the divergence from CSP's existing behavior when possible, and limit those divergences to cases in which we know that there's real value to changing something in some subtle way. Would Google ship <base nonce="whatever">? Or would we just add some complexity to the platform with no concrete use case in mind?
We'd ship it, in part because it's very easy to modify an HTML template system to start adding nonce attributes to <base>, and because some of our applications have path-based open redirectors.

It's not the most urgent or important feature, but it would let us get rid of the only remaining allowlist-y part of our strict CSPs (assuming plugins go the way of the dodo or that we can set object-src 'none', which we do).
@annevk: Is the adjustment to the integration of CSP and <base> suggested in my comment above something you'd accept in HTML?
/cc @hiroshige-g as a follow-up to your internal thread.
So this would be a new feature to CSP as it exists today? I'm surprised base is still in use, but seems reasonable on the face of it.
Yes. We'd layer this into CSP as a feature of base-uri, which would clear the way for the single nonce expressed in https://mikewest.github.io/csp-next/scripting-policy.html to have the same effect in the future if we end up going that route. I think that would help us refine Scripting Policy's threat model, and make its restriction on <base> feel less capricious.
Currently, section §2.6.4 allows same-origin base URIs, but bans cross-origin ones. This could be problematic in the case of the server redirecting parts of its URL space to cross-site endpoints (e.g. /foo/site.example/bar would redirect to site.example/bar). I wonder if we could control <base> similarly to how <script>s are controlled (i.e. with a nonce attribute), or potentially have special behavior for <base> only when applied to scripts.
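The following is an added, constructed model of the check under discussion; it is not code from the CSP or HTML specs, nor from any of the participants. It contrasts today's base-uri check, which matches only the resolved URL against the source list (so a same-origin <base href> passes base-uri 'self' even when that path is an open redirector), with the proposal above in which the element's nonce is sent along with the URL and a matching 'nonce-...' source in base-uri permits the element. The document URL, the nonce value and the redirector path are placeholders made up for the example; the nonce-source matching for base-uri models the proposal, not current CSP behaviour.

```python
"""Constructed model of the base-uri check: current vs. nonce-aware (proposed)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urljoin, urlsplit


@dataclass
class BaseElement:
    """The two <base> attributes this model cares about (constructed type)."""
    href: str
    nonce: Optional[str] = None


def parse_base_uri(csp: str) -> List[str]:
    """Return the source expressions of the base-uri directive, or [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "base-uri":
            return tokens[1:]
    return []


def same_origin(a: str, b: str) -> bool:
    """Scheme/host/port comparison, which is all 'self' can look at."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def base_url_allowed(csp: str, document_url: str, base: BaseElement,
                     nonce_aware: bool) -> bool:
    """Decide whether the frozen base URL may be set from this <base> element.

    nonce_aware=False models today's check: only the resolved URL is matched.
    nonce_aware=True models the thread's proposal: the element's nonce is
    passed in too, and a matching 'nonce-...' source permits the element.
    Host-source expressions are omitted; only 'self', 'none' and nonces are
    modelled here.
    """
    sources = parse_base_uri(csp)
    if not sources:
        return True  # no base-uri directive: nothing to enforce
    resolved = urljoin(document_url, base.href)
    for src in sources:
        if src == "'self'" and same_origin(document_url, resolved):
            return True
        if nonce_aware and src.startswith("'nonce-") and src.endswith("'"):
            expected = src[len("'nonce-"):-1]
            if base.nonce is not None and base.nonce == expected:
                return True
    return False


def demo() -> dict:
    """Run the open-redirector scenario from the issue under both checks."""
    doc = "https://app.example/page"                        # placeholder origin
    # Constructed: the server's own <base>, stamped with the per-response nonce.
    legit = BaseElement(href="/", nonce="r4nd0m")
    # Constructed: an injected <base> whose same-origin path the server
    # happens to redirect off-site (the /foo/site.example/bar case above).
    injected = BaseElement(href="/foo/site.example/bar/")
    current = "default-src 'self'; base-uri 'self'"
    proposed = "default-src 'self'; base-uri 'nonce-r4nd0m'"
    # Where a relative <script src="app.js"> would resolve under the injected base:
    # still same-origin as far as the policy can tell, which is why 'self' passes.
    script_url = urljoin(urljoin(doc, injected.href), "app.js")
    return {
        "injected_allowed_today": base_url_allowed(current, doc, injected, False),
        "injected_allowed_with_nonce": base_url_allowed(proposed, doc, injected, True),
        "legit_allowed_with_nonce": base_url_allowed(proposed, doc, legit, True),
        "relative_script_resolves_to": script_url,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes: 'self' cannot tell a harmless same-origin path from one the server redirects elsewhere, because the check sees only the resolved URL, while a nonce on <base> ties the element to the response the server actually emitted, independent of where its path leads.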