CSP: Figure out how/if strict-dynamic for inline scripts is specified
Categories
(Core :: DOM: Security, task)
People
(Reporter: tschuster, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
While working on bug 1313937 I closely followed the CSP specification for "Does element match source list for type and source?", which is called by the script-src Inline Check. I can't see where either of those handles 'strict-dynamic', apart from ignoring 'unsafe-inline' in "Does a source list allow all inline behavior for type".
Our previous code did however apply 'strict-dynamic' for inline scripts, because calling any of the allows methods from nsCSPContext::GetAllowsInline would end up in nsCSPKeywordSrc::allows, which returns true for any keyword when the current keyword source is strict-dynamic and the script is not parser-inserted (!aParserCreated).
Furthermore, without strict-dynamic handling we start failing the tests /content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html and /content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html with:
- Script injected via appendChild populated via textContent is allowed with strict-dynamic
- Script injected via appendChild populated via textContent is allowed with strict-dynamic, even if it carries an incorrect nonce.
Comment 1•1 year ago
Inline checks are part of §4.2 Integration with HTML, specifically §4.2.3 https://w3c.github.io/webappsec-csp/#should-block-inline, which calls each directive's inline check.
- The script-src and script-src-elem inline checks say to do §6.7.3.3
- that checks for 'unsafe-inline' in §6.7.3.2 but fails if there's also a nonce, hash, or strict-dynamic
- then §6.7.3.3 calls §6.7.3.1 (is it nonceable?)
- if it's not nonceable then it checks for hashes
- that's it... nothing about strict-dynamic, it returns "Does Not Match"
So the failure is in §6.7.3.3 -- it should talk about strict-dynamic. Insert a new step 6 that looks like §6.7.1.1 step 1.4, except it returns "Matches" if the element is NOT parser-inserted.
And after tracking that down, we have rediscovered https://github.com/w3c/webappsec-csp/issues/426#issuecomment-601694362 :facepalm:
Comment on #426, "Does strict-dynamic allow dynamically adding inline scripts?":
The intent is, as @arturjanc suggests, to allow this snippet to cause script execution. I'm pretty sure we've locked that in with tests (and implementations), but I can totally believe I screwed up the specification. I expect I intended to add something like step 1.4 of https://w3c.github.io/webappsec-csp/#script-pre-request to the https://w3c.github.io/webappsec-csp/#match-element-to-source-list algorithm. You're correct that the spec, as written, doesn't do what I expect it to do.
Does that make this bug "done"? or does it morph into "update the spec to say what everyone wants it to say"?
Updated•1 year ago