<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" integrity="type:text/javascript sha512-AODL7idgffQeNsYdTzut09nz9AINcjhj4jHD72HcLirsidbC8tz+dof7gceOCQD8WskeuRFfJ9CsgZTHlMiOYg=="></script>
Integrity protection for 3rd-party JavaScript
François Marier @fmarier mozilla
Firefox Security & Privacy
Web Platform
Content Security Policy
aka CSP
mechanism for preventing XSS
telling the browser what external content is allowed to load
what does CSP look like?
$ curl --head https://mega.nz
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1989
Content-Security-Policy: default-src 'self' *.mega.co.nz *.mega.nz http://*.mega.co.nz http://*.mega.nz;
script-src 'self' mega.co.nz mega.nz data: blob:;
style-src 'self' 'unsafe-inline' *.mega.co.nz *.mega.nz data: blob:;
frame-src 'self' mega:;
img-src 'self' *.mega.co.nz *.mega.nz data: blob:
Hi you<script>alert('p0wned');</script>!
Tweet!
What's on your mind?
(of course, in a real web application, this would never be a problem)
(the JS would be filtered out during input sanitisation)
without CSP
Hi you!
Freedom Fighter @whaledumper - just moments ago
p0wned
Ok
with CSP
Hi you!
Freedom Fighter @whaledumper - just moments ago
Content-Security-Policy:
script-src 'self'
https://cdn.example.com
inline scripts are blocked unless unsafe-inline is specified
directives:
script-src
object-src
style-src
img-src
media-src
frame-src
marquee-src
font-src
connect-src
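To make the blocking rule concrete, here is a simplified CSP script-src evaluator written for this page (it is not the deck's code and not a browser's implementation). It covers the source forms that appear on the slides, including the mega.nz policy and the 'sha256-...' hash sources shown later; ports and paths are ignored.

```python
import base64
import hashlib
from typing import Optional
from urllib.parse import urlsplit

# Simplified CSP script-src evaluation (added example, not the deck's code): handles
# 'self', 'unsafe-inline', 'sha256-...' hash sources, scheme sources (data:, blob:,
# mega:), "*" and host sources with optional scheme and "*." wildcard. No ports/paths.

def parse_policy(header: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url` into a page at `page_origin`?"""
    target, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (target.scheme, target.hostname) == (page.scheme, page.hostname)
    if expr == "*":
        return target.scheme not in ("data", "blob")  # "*" never covers data:/blob:
    if expr.endswith(":") and "//" not in expr:
        return target.scheme == expr[:-1]             # scheme source, e.g. data:
    scheme, sep, host = expr.partition("://")
    if not sep:                                       # no scheme: page's scheme or https
        host = expr
        if target.scheme not in (page.scheme, "https"):
            return False
    elif target.scheme != scheme:
        return False
    host, actual = host.lower(), (target.hostname or "").lower()
    if host.startswith("*."):
        return actual.endswith(host[1:])              # *.mega.nz: api.mega.nz yes, mega.nz no
    return actual == host

def script_allowed(header: str, page_origin: str, url: Optional[str] = None,
                   inline_source: bytes = b"") -> bool:
    """url=None means an inline <script>, allowed only by 'unsafe-inline' or a matching
    hash source. Without script-src the browser falls back to default-src, then "*"."""
    policy = parse_policy(header)
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    if url is None:
        digest = base64.b64encode(hashlib.sha256(inline_source).digest()).decode()
        return "'unsafe-inline'" in sources or f"'sha256-{digest}'" in sources
    return any(source_allows(s, url, page_origin) for s in sources)
```

With the policy from the mega.nz header, an injected inline `<script>alert('p0wned')</script>` is refused because script-src lists no 'unsafe-inline', while the site's own scripts still load.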
$ curl --head https://twitter.com
HTTP/1.1 200 OK
content-length: 58347
content-security-policy: … report-uri https://twitter.com/csp_report
violation reports:
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'; report-uri http://example.org/..."
  }
}
new directives
form-action
plugin-types
support for inline scripts
Content-Security-Policy:
script-src 'sha256-YWIzOW...'
https://connect.microsoft.com/IE/feedback/details/793746/ie11-feature-request-support-for-the-content-security-policy-header
HTTP Strict Transport Security
aka HSTS
mechanism for preventing HTTPS to HTTP downgrades
telling the browser that your site should never be reached over HTTP
GET asb.co.nz → 301
GET https://asb.co.nz → 200
no HSTS, no sslstrip
GET asb.co.nz → 200
no HSTS, with sslstrip
what does HSTS look like?
$ curl -i https://login.xero.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
with HSTS, with sslstrip
GET https://asb.co.nz → 200
silent client-side redirects HTTP → HTTPS
no HTTP traffic for sslstrip to tamper with
except for the very first connection
https://hstspreload.appspot.com/
pop quiz!
how many .nz sites are on the preload list?
$ grep \\.nz force-https.json
{ "name": "mega.co.nz" },
{ "name": "api.mega.co.nz" },
http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx
wanna know more?
https://speakerdeck.com/fmarier/defeating-cross-site-scripting-with-content-security-policy-updated
2015?
no need to add any extra headers
https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js
how common is this?
what would happen if that server were compromised?
Bad Things™
steal sessions
leak confidential data
redirect to phishing sites
enlist DDoS zombies
simple solution
instead of this:
<script src="https://ajax.googleapis.com...">
do this:
<script src="https://ajax.googleapis.com..." integrity="sha256-1z4uG/+cVbhShP...">
You owe me $10.00.
f4243c12541be6f79c73e539c426e07af2f6c4ef8794894f4903aee54542586d
You owe me $1000.
1ebd7a8d15a6dab743f0c4d147f731bcfc6b74752afe43afa5389ba8830a2215
guarantee: script won't change or it'll be blocked
limitation: won't work for scripts that change all the time
3 types of scripts
dynamically-generated script:
not a good fit for SRI
https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js
immutable scripts:
perfect for SRI
what about your own scripts?
(they change, but you're the one changing them)
scripts under your control:
good fit for SRI
can usually add the hashing to your static resource pipeline
#!/bin/sh
# concatenate the sources, then name the bundle after its SHA-256 hash
cat src/*.js > bundle.js
HASH=$(sha256sum bundle.js | cut -f1 -d' ')
mv bundle.js public/bundle-${HASH}.js
public/bundle-c2498bc358....js
Cache-Control: max-age=∞
<script src="widgets.js">
<script src="app.js">
<script src="menu.js">
<script src="bundle-c2498bc....js">
<script src="bundle-c2498bc....js" integrity="sha256-c2498bc...">
what else?
integrity="
sha256-1z4uG/+cVbhShP...
"
integrity="
type:application/javascript
sha256-1z4uG/+cVbhShP...
"
integrity="
type:application/javascript
sha512-AODL7idgffQeNs...
"
integrity="
type:application/javascript
sha256-1z4uG/+cVbhShP...
sha384-RqG7UC/QK2TVRa...
sha512-AODL7idgffQeNs...
"
<link rel="stylesheet"
href="style.css"
integrity="sha256-PgMdguwx/O...">
stylesheet support
violation reports
Content-Security-Policy:
integrity-policy block
violation reports
Content-Security-Policy:
integrity-policy report;
report-uri https://...
cat file.js
| openssl dgst -sha256 -binary
| openssl enc -base64 -A
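The same computation as the openssl pipeline above, plus the browser-side check that decides whether a script with a mismatched hash is blocked, as a Python example added here (not the deck's code). It parses the multi-hash attributes shown earlier, applies the spec's strongest-algorithm rule, and ignores the "type:" token from the 2015 draft as an unrecognised option.

```python
import base64
import hashlib

# Added example (not the deck's code): SRI integrity tokens and the browser's check.
# Algorithms the spec allows, listed weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def sri_hash(content: bytes, algorithm: str = "sha256") -> str:
    """Same value as `openssl dgst -<alg> -binary | openssl enc -base64 -A`, with prefix."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def parse_integrity(attribute: str) -> dict:
    """Group an integrity attribute into {algorithm: {base64 digests}}. Tokens that are
    not alg-base64 (the 'type:...' option on the slides, unknown algorithms) are
    ignored, which is what the spec tells browsers to do; '?options' are stripped."""
    digests = {}
    for token in attribute.split():
        alg, sep, value = token.partition("-")
        if sep and alg.lower() in SRI_ALGORITHMS:
            digests.setdefault(alg.lower(), set()).add(value.split("?", 1)[0])
    return digests

def integrity_matches(content: bytes, attribute: str) -> bool:
    """Browser rule: only the strongest algorithm present is considered, and any of its
    digests may match. An attribute with no usable token imposes no check at all."""
    digests = parse_integrity(attribute)
    if not digests:
        return True
    strongest = max(digests, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).partition("-")[2]
    return actual in digests[strongest]

if __name__ == "__main__":
    script = b"console.log('hello');"  # constructed sample resource
    attribute = " ".join(sri_hash(script, alg) for alg in SRI_ALGORITHMS)
    print(f'<script src="app.js" integrity="{attribute}"></script>')
    print(integrity_matches(script, attribute))          # True: bytes unchanged
    print(integrity_matches(script + b"\n", attribute))  # False: one extra byte, blocked
```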
SRIhash.org
status?
spec is approaching "last call"
(initial implementations)
© 2015 François Marier <[email protected]>
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
Questions?
feedback:
[email protected]@w3.org
photo credits:
bank notes: https://www.flickr.com/photos/epsos/8463683689
web devs: https://www.flickr.com/photos/mbiddulph/238171366
explosion: https://www.flickr.com/photos/-cavin-/2313239884/