Blink: Intent to Implement and Ship: 'unsafe-hashed-attributes' in CSP3 https://groups.google.com/a/chromium.org/d/msg/blink-dev/bUAhkdsrmqE/nimnFDG3BAAJ
-
-
It would disable a lot of the code-reuse attack vectors.
-
For common EHs like onclick, onload, onmouse* this seems tough b/c the attacker controls the DOM and can dupe the user into causing events.
-
Yes, but it prevents the attacker from reusing an onclick handler in an onload handler.
-
The attacker can add a full-page overlay so any click will trigger the `onclick` EH; it's hard to prevent it, IMO not worth trying.
-
Removing user interaction makes attacks easier. I have more examples, but Twitter is not suitable for explaining those.
-
I agree, and would definitely encourage you to comment on the spec (either one of the GitHub issues linked above, or just start a new one!)
-
If the intention is to automatically apply this, how can you possibly address the warning in the spec 8.3? https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage
-
Applying this to static pages would bless inline scripts present in those pages; on many sites such content is separate from the main app...
-
-
Most importantly, scripts in static pages co-hosted with sensitive content generally don't integrate with the main app and are boring.
-
So if you get script exec that lets you run the contents of any existing event handler, it's fairly limited (no state-changing actions, etc)
-
How do you know that this is used only on static pages?
-
You don't know for sure; developers can always get things wrong for any feature, security or otherwise. Guidance in the spec usually helps.
-
How does backwards compatibility work? If the browser does not support the keyword, wouldn't the page break with such a policy?
-
Yes, it's not backwards compatible and you'd have to do UA sniffing to only deliver this to supporting browsers; see https://github.com/w3c/webappsec-csp/issues/147
-
Sorry, bad link above (though it's relevant for an earlier part of the discussion so I'm keeping it). This one: https://github.com/w3c/webappsec-csp/pull/247