Description

Experiment with hiding <script>'s 'nonce' content attribute.
Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of some
of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.
One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).
Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is.
This prototype just affects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.
BUG=680419
Review-Url: https://codereview.chromium.org/2628733005
Cr-Commit-Position: refs/heads/master@{#443252}
Committed: https://chromium.googlesource.com/chromium/src/+/d6fffa909e840af681a223f53a2c19dd80942a2d
Patch Set 1
Patch Set 2 : Rebase.
Patch Set 3 : Tests.
Patch Set 4 : Clear.
Patch Set 5 : Write.
Patch Set 6 : Rebase.
Patch Set 7 : Skip a W3C test.
Patch Set 8 : Ugh.