Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Figure out if we need 'trusted-script' in script-src #221

Closed
koto opened this issue Sep 19, 2019 · 9 comments
Closed

Figure out if we need 'trusted-script' in script-src #221

koto opened this issue Sep 19, 2019 · 9 comments

Comments

@koto
Copy link
Member

koto commented Sep 19, 2019

trusted-script keyword is used now for javascript: navigations and eval guarding. Since we've integrated with CSP logic, perhaps the keyword is now superfluous?

If a website uses eval or javacsript: and it uses script-src, it needs to set appropriate unsafe-* keywords anyhow, for browsers with no trusted-types support.

We are close to having working downgrades. See #218 for a working downgrade-to-string for eval; for javascript: navigation, the default policy will simply not be created, and therefore called.

It seems like a combination of script-src ... 'unsafe-inline' 'unsafe-eval'; trusted-types ... correctly limits the unsafe behavior to Trusted Types, with a working downgrade to string for non-supporting browsers. IOW, trusted-types directive adds additional restrictions independent of script-src, which seems to be not violating CSP principles, and is conceptually simpler.

cc @mikesamuel @mikewest

@koto
Copy link
Member Author

koto commented Oct 18, 2019

/cc @mikewest , Do you have an opinion here? Essentially, it all boils down to whether trusted-types directive (and a JS code conforming to it) should be able to bypass existing restrictions in script-src, or would we require a new keyword in script-src as well.

@koto
Copy link
Member Author

koto commented Nov 6, 2019

Pingy ping @mikewest

@mikewest
Copy link
Member

I think you're right that script-src 'trusted-script' ...; trusted-types name is less backwards-compatible than script-src 'unsafe-eval' ...; trusted-types name. I think I'm comfortable treating trusted-types name as an attenuation of 'unsafe-eval' without a separate keyword.

koto added a commit to koto/trusted-types that referenced this issue Nov 15, 2019
eval(TrustedScript) requires 'unsafe-eval' in script-src.
Navigation to javascript: URLs that were passed to CSP requires
'unsafe-inline'.
@koto koto closed this as completed in 3b6d4fe Nov 15, 2019
@lukewarlow lukewarlow reopened this Feb 21, 2024
@lukewarlow
Copy link
Member

lukewarlow commented Feb 21, 2024

I'm reopening this issue to restart this conversation. I think something that's been missed in previous considerations is that some use cases might care more about security than compatability.

think you're right that script-src 'trusted-script' ...; trusted-types name is less backwards-compatible than script-src 'unsafe-eval' ...; trusted-types name

This lack of backwards compatability is a desired characterstic. Currently to use eval in TT envs you have to add a keyword that means browsers without TT allow you full unmitigated eval. Which is not always desirable.

If we added a new trusted-script (or trusted-eval or some other name) keyword then that would allow you access to eval where supported and degrade to smaller feature set where it's not provided.

@caridy
Copy link

caridy commented Feb 21, 2024

@lukewarlow thanks for reopening this. we certainly need this resolved to be able to move forward with the regulations in Europe.

cc @gregwhitworth

@lukewarlow
Copy link
Member

As part of #464 - we get the raw arguments to eval and new Function() so we can ensure they are trusted types which would make this easier

@annevk
Copy link
Member

annevk commented Mar 13, 2024

A worry I have here is that with Trusted Types the definition of trust lies with the website. And while I suppose a website could always bypass its own policies (e.g., to bypass unsafe-eval you could have a <script src> proxy of sorts I think) this seems easier with Trusted Types (have a no-op policy).

In particular because regulation around security policies might encourage perverse incentives.

@caridy
Copy link

caridy commented Mar 13, 2024

@annevk I think the main incentive here is to prevent evaluation in browsers without TT, as this constitutes a security problem today with no way to mitigate it without introducing UA sniffing.

@lukewarlow
Copy link
Member

Closing this to focus discussions in w3c/webappsec-csp#665

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants