annevk
commented
4 years ago cc @mikewest @ckerschb
Open bakkot opened 4 years ago
annevk
commented
4 years ago cc @mikewest @ckerschb
sideshowbarker
commented
4 years ago However, both Chrome and Safari do allow policy lists such as the above. Firefox and the Nu HTML checker do not - Firefox attempts to parse it as a single policy including the
,, while the Nu HTML checker considers it an outright error.
The Nu Html Checker just uses https://github.com/shapesecurity/salvation/ on the backend, as https://cspvalidator.org/ also does. So I reckon @shekyan might also be interested in clarification on this
bakkot
commented
4 years ago Salvation (which I help maintain) actually has APIs for parsing both single policies and lists of policies. The fact that the Nu HTML checker disallows lists means they've chosen to use the API for a single policy, I believe.
sideshowbarker
commented
4 years ago Salvation (which I help maintain) actually has APIs for parsing both single policies and lists of policies.
OK then, if/when the HTML spec is updated to clearly allow lists of policies, I could happily and easily update the HTML checker code to allow lists of policies.
mikewest
commented
4 years ago As you note, Chrome (and presumably WebKit, since the implementation is likely common to both) simply takes whatever's in the <meta> tag and throws it into the same parser that's used for HTTP-delivered policies. Commas in the one have the same effect as commas in the other.
I'm surprised to hear that that comes up in practice, as I don't think there's much value in delivering multiple policies via <meta>, but I also don't have a particular reason to prevent that behavior from happening. It seems reasonable to treat http-equiv somewhat literally: the tag's content is the equivalent of text delivered from headers, and treating it the same seems reasonable.
I suspect I intended to link to "parse a serialized CSP list" when I sent the PR against HTML. That would create the behavior I suggested above.
If y'all agree with the rationale, I'll send that patch and add some tests.
bakkot
commented
4 years ago as I don't think there's much value in delivering multiple policies via
<meta>
There is considerable value in it because there are behaviors which are not expressible as a single policy, only as a list of policies. (The simplest example is two policies with different report-to, but consider also script-src 'nonce-value', script-src example.com, which requires that scripts be from example.com and have the appropriate nonce.)
That might not come up if you're writing a policy manually, but it certainly does if you're trying to automatically manipulate policies. (That's how I ran into it.)
If y'all agree with the rationale, I'll send that patch and add some tests.
SGTM
mikewest
commented
4 years ago There is considerable value in it because there are behaviors which are not expressible as a single policy, only as a list of policies.
I agree that multiple policies are valuable! I'm questioning the value of that mechanism in <meta> specifically. report-to isn't supported at all via <meta>, and putting nonces inline is a great way for them to be stolen and/or abused by script on the page. Hashes are likely safe, but are also not terribly widely-used.
Still, I'd prefer to align on Chrome's behavior. I'll send a PR to that effect.
annevk
commented
4 years ago There's going to be parser input differences at least as one is a byte sequence and the other is a string.
I would also expect combining differences. Ideally for HTTP we combine first and then parse, but I don't think that's workable for http-equiv as we cannot wait for the last one to arrive.
bakkot
commented
4 years ago There's going to be parser input differences at least as one is a byte sequence and the other is a string.
That comes up already; browsers seem to just reject any http-equiv="Content-Security-Policy" whose content cannot be interpreted as ASCII. (I can't quite tell if that's per spec because the spec is unclear about what the specified behavior should be, but it seems reasonable.)
Ideally for HTTP we combine first and then parse, but I don't think that's workable for
http-equivas we cannot wait for the last one to arrive.
There would still be a maximum of one http-equiv="Content-Security-Policy" tag, so I don't think that would be an issue. It's just that the content of such a tag could contain a list of policies rather than just one.
sideshowbarker
commented
4 years ago Not sure what the next step is here…
Still, I'd prefer to align on Chrome's behavior. I'll send a PR to that effect.
@mkwest are you still planning on doing that, or did @annevk‘s comment at https://github.com/whatwg/html/issues/5102#issuecomment-575650010 dissuade you?
The html spec says that the
contentof an<meta http-equiv="Content-Security-Policy" content="...">tag should be aserialized-policyand should be parsed according to Parse a serialized CSP.This implies that it does not allow multiple comma-separated policies, such as
img-src 'none', script-src 'sha256-lLvWePLrgCn07EcwYB0JPy65n3OloEYiWK34Ql9Zdmc='. That would be aserialized-csp-list, parsed according to Parse a serialized CSP list, which nothing I can find actually uses. (Also, that algorithm returns multiple policies, each of which would need to be enforced.)However, both Chrome and Safari do allow policy lists such as the above. Firefox and the Nu HTML checker do not - Firefox attempts to parse it as a single policy including the
,, while the Nu HTML checker considers it an outright error.As far as I can tell, the web platform tests do not cover this case.
Here is a simple page with the above comma-separated CSP, which contains both an image and an inline script with no hash. Its source is below.
Which is the intended behavior?
demo page source
```html