WICG / csp-next

A Modest Content Security Proposal
https://wicg.github.io/csp-next/scripting-policy.html

Nonces for <base> #4

Open arturjanc opened 4 years ago

arturjanc commented 4 years ago

Currently, section §2.6.4 allows same-origin base URIs, but bans cross-origin ones. This could be problematic in the case of the server redirecting parts of its URL space to cross-site endpoints (e.g. /foo/site.example/bar would redirect to site.example/bar).

I wonder if we could control <base> similarly to how <scripts> are controlled (i.e. with a nonce attribute), or potentially have special behavior for <base> only when applied to scripts.

mikewest commented 4 years ago

This wouldn't be terribly difficult to do. We'd need to adjust https://html.spec.whatwg.org/#set-the-frozen-base-url to send the nonce value as well as the URL when checking the policy, which doesn't seem like a ton of work.

That said, it would be helpful to know if this is a practical problem or a theoretical improvement. I'd kinda like to minimize the divergence from CSP's existing behavior when possible, and limit those divergences to cases in which we know that there's real value to changing something in some subtle way. Would Google ship <base nonce="whatever">? Or would we just add some complexity to the platform with no concrete use case in mind?
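As an added illustration, not text from the proposal, the HTML spec or either commenter, the following Python models a simplified base-uri check: today's 'self', 'none' and host-source matching beside the nonce match that the comment above sketches. The `proposal` flag, the helper names, the https default for scheme-less sources and the sample URLs are assumptions.

```python
# Added example: a simplified base-uri source-list check with an optional
# nonce match (the proposed change), not the spec algorithm or project code.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Reduce a URL to (scheme, host, port), filling in default ports."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def host_source_matches(expr, url):
    """Match a host-source such as https://cdn.example or *.cdn.example (simplified)."""
    if "://" not in expr:
        expr = "https://" + expr  # assumption: scheme-less sources default to https
    e, u = urlsplit(expr), urlsplit(url)
    if e.scheme.lower() != u.scheme.lower():
        return False
    ehost, uhost = (e.hostname or "").lower(), (u.hostname or "").lower()
    if ehost.startswith("*."):
        return uhost.endswith(ehost[1:])
    return ehost == uhost


def base_allowed(document_url, base_href, base_uri_sources, nonce=None, proposal=False):
    """Decide whether <base href=base_href nonce=nonce> may set the frozen base URL.

    base_uri_sources is the base-uri directive's source list, or None when the
    policy has no base-uri directive (in which case any base is allowed).
    """
    if base_uri_sources is None:
        return True
    for src in base_uri_sources:
        if src == "'self'" and origin(base_href) == origin(document_url):
            return True
        if src.startswith("'nonce-") and src.endswith("'"):
            # Today a nonce-source has no effect on base-uri. The thread proposes
            # passing the element's nonce alongside the URL so it can match here.
            if proposal and nonce is not None and src[len("'nonce-"):-1] == nonce:
                return True
            continue
        if src.startswith("'"):
            continue  # 'none' and other keywords never allow a base here
        if host_source_matches(src, base_href):
            return True
    return False
```

With base-uri 'self', a same-origin path such as /foo/site.example/bar passes even when the server redirects it cross-site, which is the gap the issue describes; with the nonce match enabled, only a <base> carrying the policy's nonce is honoured.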

arturjanc commented 4 years ago

We'd ship it, in part because it's very easy to modify an HTML template system to start adding nonce attributes to <base>, and because some of our applications have path-based open redirectors.

It's not the most urgent or important feature, but it would let us get rid of the only remaining allowlist-y part of our strict CSPs (assuming plugins go the way of the dodo or that we can set object-src 'none', which we do).

mikewest commented 4 years ago

@annevk: Is the adjustment to the integration of CSP and <base> suggested in my comment above something you'd accept in HTML?

/cc @hiroshige-g as a follow-up to your internal thread.

annevk commented 4 years ago

So this would be a new feature to CSP as it exists today? I'm surprised base is still in use, but seems reasonable on the face of it.

mikewest commented 4 years ago

Yes. We'd layer this into CSP as a feature of base-uri, which would clear the way for the single nonce expressed in https://mikewest.github.io/csp-next/scripting-policy.html to have the same effect in the future if we end up going that route. I think that would help us refine Scripting Policy's threat model, and make its restriction on <base> feel less capricious.