[Webkit-unassigned] [Bug 184031] CSP: Implement 'strict-dynamic' source expression

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 11 10:01:27 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=184031

lwe at google.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lwe at google.com

--- Comment #3 from lwe at google.com ---
A recent Twitter thread [1] touched upon the value of providing some more evidence of the utility of 'strict-dynamic'. As someone who benefited a lot from having this feature available (it allowed us to roll out secure CSPs across most of Google), I figured I would chime in with some context.

The 'strict-dynamic' keyword enables simpler CSPs for many websites because it allows trust to be propagated from already trusted scripts to dynamically created ones. This allows sites with external dependencies or with a large JavaScript codebase to adopt a nonce-based CSP for mitigating XSS without requiring large refactorings [2]. This is especially important as CSPs based on URL allowlists have been proven to be easily bypassable in the general case [3].

Currently 'strict-dynamic' is supported in all major browsers except Safari, which forces every application using it to perform user-agent sniffing to detect users on Safari and disable this security protection for these users.

Some other major web applications using 'strict-dynamic' include:
Cloudflare, Atlassian, Square, Uber, Dropbox, Optimizely, Postmates, Bugcrowd, Instapaper, Pinterest, some Microsoft sites (Visual Studio Marketplace, etc.).

Google is setting a 'strict-dynamic' CSP using script nonces on over 80 sensitive domains (e.g. accounts.google.com, mail.google.com, passwords.google.com) which allowed us to mitigate the majority of externally reported XSS vulnerabilities in such applications over the past two years [4].

Based on our conversations with folks who implemented 'strict-dynamic' in Chrome and Firefox, the process was fairly easy; there is also a fairly robust suite of WPTs [5] that can help with this. It would be really great to have 'strict-dynamic' available in Safari, especially since upcoming proposals such as Scripting Policy [6] build on top of this model of deploying CSP.


[1] https://twitter.com/johnwilander/status/1226868430860537857
[2] https://speakerdeck.com/lweichselbaum/o-securing-web-apps-with-modern-platform-features?slide=20
[3] https://storage.googleapis.com/pub-tools-public-publication-data/pdf/45542.pdf
[4] https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation?slide=13
[5] https://github.com/web-platform-tests/wpt/tree/master/content-security-policy/script-src
[6] https://mikewest.github.io/csp-next/scripting-policy.html
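As an added illustration (not part of the bug comment or of WebKit), a small JavaScript model of how a script-src source list containing 'strict-dynamic' is evaluated for a script element, and what a browser that does not know the keyword does with the same header; the directive value, the host names and the simplified host matching are all constructed for this example.

```javascript
// Simplified model of CSP Level 3 script-src evaluation. Only nonces,
// scheme/host allowlists, 'unsafe-inline' and 'strict-dynamic' are modelled;
// hashes and 'self' are left out. Constructed example, not WebKit code.

function parseSourceList(directiveValue) {
  const list = { nonces: new Set(), hosts: [], unsafeInline: false, strictDynamic: false };
  for (const token of directiveValue.trim().split(/\s+/)) {
    const nonce = /^'nonce-([^']+)'$/.exec(token);
    if (nonce) list.nonces.add(nonce[1]);
    else if (token === "'unsafe-inline'") list.unsafeInline = true;
    else if (token === "'strict-dynamic'") list.strictDynamic = true;
    else if (!token.startsWith("'")) list.hosts.push(token); // scheme- or host-source
  }
  return list;
}

// Prefix matcher: "https:" matches any https URL, "https://cdn.example"
// (constructed name) matches that origin only.
function hostMatches(pattern, url) {
  const prefix = pattern.endsWith(":") ? pattern : pattern + "/";
  return url === pattern || url.startsWith(prefix);
}

// script = { nonce?: string, src?: string, parserInserted: boolean }
// uaSupportsStrictDynamic=false models a browser that treats the keyword as
// an unknown source expression and ignores it (the Safari case above).
function scriptAllowed(directiveValue, script, uaSupportsStrictDynamic = true) {
  const list = parseSourceList(directiveValue);
  // 1. A matching nonce always allows the script.
  if (script.nonce && list.nonces.has(script.nonce)) return true;
  // 2. With 'strict-dynamic', allowlists and 'unsafe-inline' are ignored:
  //    scripts inserted by already-running (trusted) script via DOM APIs
  //    inherit trust; parser-inserted ones (innerHTML, document.write) do not.
  if (list.strictDynamic && uaSupportsStrictDynamic) return !script.parserInserted;
  // 3. Otherwise external scripts must match the allowlist ...
  if (script.src) return list.hosts.some((h) => hostMatches(h, script.src));
  // 4. ... and inline scripts need 'unsafe-inline', which nonce-aware
  //    browsers ignore as soon as a nonce is present in the list.
  return list.unsafeInline && list.nonces.size === 0;
}

// Typical deployment header from the comment's model (constructed nonce):
const EXAMPLE_POLICY = "'nonce-abc123' 'strict-dynamic' https: 'unsafe-inline'";
```

With EXAMPLE_POLICY, a nonce-less inline script created by trusted code through createElement is allowed where 'strict-dynamic' is understood but blocked where it is ignored, which is the breakage that pushes sites into user-agent sniffing.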
