Consider not exposing nonce="" to the page #65

Closed
annevk opened this issue Apr 5, 2016 · 5 comments

annevk (Member) commented Apr 5, 2016

That makes it harder for an attacker to exfiltrate (hoping I got my terminology right). Just to be clear, I realize the complexity might not be worth it, hence "consider".

arturjanc commented Aug 5, 2016

Anne, do you mean the DOM not exposing the nonce attribute on a script element with a nonce?

IIUC this approach won't solve the nonce-stealing problem because the main attack we are aware of is "dangling markup injection" where the attacker tricks the HTML parser into applying a nonce from a trusted script to a <script> injected by an attacker:
http://blog.innerht.ml/csp-2015/#danglingmarkupinjection
http://lcamtuf.coredump.cx/postxss/ (Section 2.1)

If an attacker already has the capability to execute JS and can inspect scriptElement.nonce then it's game over -- there is nothing CSP can do to save the application. (BTW, apologies in advance if I misunderstood your proposal)

annevk (Member, Author) commented Aug 5, 2016

You understood, and you’re correct, I think, that it does not really help; I was just wondering about defense-in-depth and making it harder for an attacker if they got access to do a couple of things, but not all.

arturjanc commented Aug 6, 2016

After replying I realized that this would cause problems for a bunch of JS libraries which want to be compatible with CSP and propagate nonces to scripts they load dynamically:

```js
// Create a new script element and copy the page's nonce onto it so that
// the dynamically inserted script is allowed by the nonce-based CSP.
var s = document.createElement('script');
s.nonce = document.querySelector('script[nonce]').getAttribute('nonce');
s.src = "...";
document.body.appendChild(s);
```

These scripts currently need to be able to grab the nonce from an existing script to make this happen. It could of course be refactored by including the nonce in another attribute, or in a JS variable, but it would require every page that uses such libraries to do this, which is less general and more painful.

Overall there definitely is value in protecting nonces (e.g. with #98 or something similar), but only to the extent that it prevents the attacker from executing scripts in the first place. If we assume the attacker can already execute JS then the application is entirely compromised, so any restrictions won't really help.
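As an added illustration (not code from this thread or from the CSP or HTML specs), the following models the behaviour the issue was eventually closed on, whatwg/html#2369: once a script element is connected to a document with a header-delivered CSP, its `nonce` content attribute is blanked, while the value remains readable through the IDL `nonce` property. It runs the loader snippet from the comment above against that model, alongside a variant that reads `document.currentScript.nonce` first and only falls back to `getAttribute('nonce')`. `FakeScriptElement`, `FakeDocument`, `scenario` and the nonce string `r4nd0mN0nce` are constructed stand-ins so the example runs outside a browser; the `currentScript` fallback ordering is my suggestion, not something the thread prescribes.

```javascript
// Added example, not code from the issue thread: a small stand-in model of the
// nonce-hiding behaviour whatwg/html#2369 introduced (the nonce content
// attribute is blanked once the element is connected to a document with a
// header-delivered CSP, while the value stays readable through the IDL
// `nonce` property), and a dynamic loader written to keep working either way.
// FakeScriptElement / FakeDocument are constructed substitutes for DOM APIs.

class FakeScriptElement {
  constructor(attrs = {}) {
    this.attrs = { ...attrs };                     // content attributes as parsed
    this.cryptographicNonce = attrs.nonce || '';   // internal [[CryptographicNonce]] slot
    this.src = '';
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  // The IDL property reads the internal slot, not the content attribute.
  get nonce() { return this.cryptographicNonce; }
  set nonce(value) { this.cryptographicNonce = String(value); }
}

class FakeDocument {
  constructor({ headerDeliveredCsp }) {
    this.headerDeliveredCsp = headerDeliveredCsp;
    this.scripts = [];
    this.currentScript = null;
    // document.body.appendChild(el) connects the element, as in a real DOM.
    this.body = { appendChild: (el) => this.connect(el) };
  }
  createElement() { return new FakeScriptElement(); }
  // Element produced by the HTML parser: attributes first, then connection.
  insertParsed(attrs) { return this.connect(new FakeScriptElement(attrs)); }
  connect(el) {
    // Hiding step: with a header-delivered CSP, a non-empty nonce content
    // attribute is reset to "" on connection; the internal slot keeps the value.
    if (this.headerDeliveredCsp && el.attrs.nonce) el.attrs.nonce = '';
    this.scripts.push(el);
    return el;
  }
  // Only the selector the thread's snippet uses: first script that carries a
  // nonce attribute (still present when blanked, as in a real browser).
  querySelector(selector) {
    if (selector !== 'script[nonce]') throw new Error('unsupported selector in model');
    return this.scripts.find((el) => el.getAttribute('nonce') !== null) || null;
  }
}

// The loader pattern from the thread: copies the content attribute.
function loadScriptLegacy(doc, src) {
  const s = doc.createElement('script');
  s.nonce = doc.querySelector('script[nonce]').getAttribute('nonce');
  s.src = src;
  doc.body.appendChild(s);
  return s;
}

// Compatible loader: prefer the running script's IDL nonce, fall back to the
// content attribute for engines that predate the hiding behaviour.
function loadScriptNonceAware(doc, src) {
  const s = doc.createElement('script');
  const ref = doc.currentScript || doc.querySelector('script[nonce]');
  s.nonce = ref ? (ref.nonce || ref.getAttribute('nonce') || '') : '';
  s.src = src;
  doc.body.appendChild(s);
  return s;
}

// Runs both loaders against a page whose trusted inline script carries a
// constructed nonce value; returns what each observer sees.
function scenario(headerDeliveredCsp) {
  const doc = new FakeDocument({ headerDeliveredCsp });
  const trusted = doc.insertParsed({ nonce: 'r4nd0mN0nce' }); // constructed nonce
  doc.currentScript = trusted;
  const legacy = loadScriptLegacy(doc, 'https://cdn.example/lib.js');   // placeholder URL
  const aware = loadScriptNonceAware(doc, 'https://cdn.example/lib.js');
  return {
    attributeValue: trusted.getAttribute('nonce'), // what getAttribute / outerHTML expose
    idlValue: trusted.nonce,                        // what page JS can still read
    legacyNonce: legacy.nonce,
    awareNonce: aware.nonce,
  };
}

console.log(scenario(true));   // attribute '', IDL and aware loader keep the nonce, legacy loses it
console.log(scenario(false));  // no header CSP: nothing hidden, both loaders work
```

The run with `headerDeliveredCsp` set shows the trade-off discussed above: the legacy loader ends up with an empty nonce and its script would be blocked, while the `currentScript.nonce` form still propagates it. Hiding the content attribute only closes channels that read attributes (serialisation, `getAttribute`); script already running on the page can read `.nonce`, which is consistent with the point that JS execution by an attacker is already game over.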

andypaicu (Collaborator) commented

I believe this has been addressed since in whatwg/html#2369 and mentioned in CSP3 https://w3c.github.io/webappsec-csp/#security-nonce-stealing, so I will close this issue.

mikewest (Member) commented Jan 8, 2018

Yeah, this is done, thanks!
