[webkit-dev] Best way to disable JavaScript

Adam Barth abarth at webkit.org
Sun Mar 17 23:38:55 PDT 2013 

On Sun, Mar 17, 2013 at 8:56 PM, Geoffrey Garen <ggaren at apple.com> wrote:
>> Unfortunately, you can't implement CSP that way.
>
> :(
>
> OK, let's consider this a proposal for how the "disable javascript" setting should behave, and leave CSP out of it.
>
>>   Consider the case of
>> two same-origin iframes A and B.  Suppose A has a restrictive CSP
>> policy (say that bans everything) and B doesn't.  If B uses the DOM to
>> insert a script element into A, then CSP should block that script
>> element from executing.  Stripping script tags at parse time won't.
>
> FWIW, I interpreted the phrases "enforcing a directive prevents the protected resource from performing certain actions"

That text is non-normative.  The introductory phrase to that sentence
is "generally speaking."  The normative requirements are more
specific.  :)

> and "Enforcing a CSP policy should not interfere with the operation of user-supplied scripts" as indicating that CSP applied to the resource as loaded from its origin only, and not to other scripts operating on the resulting DOM.

In that sentence, "user-supplied scripts" is intended to refer to
"user scripts" or "content scripts" from the user agent's extension
system.  There isn't a great way to refer to those concepts in specs
because they're not really part of the open web platform.

> What is the CSP-expected behavior if a user-supplied script inserts an attribute event handler, javascript: URL, regular event handler, timer, or <script> element in order to do its work?

There's a SHOULD-level requirement that the user script act as normal.
 That requirement is somewhat aspirational in the sense that no user
agent implements it perfectly.  We've made some improvements in that
resource loads initiated by content scripts correctly bypass the
page's CSP policy, but we have more work to do in order to make inline
event handlers and JavaScript URLs created by content scripts bypass
the page's CSP policy.

> I noticed that the CSP specification was still in draft form. Is it too late to modify this constraint?

Content-Security-Policy 1.0 is a W3C Candidate Recommendation.  The
WebAppSec working group is working on Content-Security-Policy 1.1.  If
you'd like to contribute your feedback on CSP, please join the
WebAppSec working group.  Thus far Apple has not joined the working
group and therefore hasn't been able to contribute to the standard.

> To me, the defense against XSS seems pretty weak if the JavaScript content isn't stripped from the resource.

I'm sure the working group would be interested in your point of view.
However, I'm sorry that I'm unable to take technical feedback outside
the context of the working group due to IPR concerns.

Adam

More information about the webkit-dev mailing list