
Content Security Policy (CSP) #1672

Closed
tanx opened this Issue Mar 8, 2014 · 11 comments

@tanx

tanx commented Mar 8, 2014

Chrome Packaged Apps have CSP enabled by default to protect users against code injection attacks. In runtimes such as PhoneGap this isn't enabled by default, but developers can set the meta tag in the html document head. Like so:

<meta http-equiv="Content-Security-Policy" content="script-src 'self';">

This blocks inline scripts and other sources and only allows locally loaded scripts. E.g. the following code should not be allowed to execute:

<script type="text/javascript">
  alert('xss');
</script>

Chrome blocks this code while node-webkit doesn't. Is there a reason for this?

The reason I'm asking is that we are porting our PGP mail client (https://whiteout.io) from chrome packaged apps to node-webkit. But this issue is basically a showstopper for us, as it could allow an attacker to get a hold of the user's private key should he be able to inject code somehow.

Thanks
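Added example, not code from the issue or from the node-webkit project: a small JavaScript model of how a browser evaluates the script-src directive of a policy like the one quoted above, `script-src 'self'`. It shows why the inline `<script>` block is refused while a same-origin script file is allowed. It covers only the source expressions 'self', 'none', 'unsafe-inline' and host sources (with an optional scheme and a leading wildcard); nonces, hashes and port matching are left out, and the function names are this example's own.

```javascript
// Parse "script-src 'self'; img-src *" into { 'script-src': ["'self'"], 'img-src': ['*'] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Host-source matching: "*" matches anything, "*.cdn.example" matches subdomains only.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Decide whether a script may run under `policy` in a document served from
// `documentOrigin`. `script` is either { inline: true } or { src: 'https://...' }.
function scriptAllowed(policy, documentOrigin, script) {
  const directives = parsePolicy(policy);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true; // no applicable directive: scripts are unrestricted
  if (sources.length === 1 && sources[0] === "'none'") return false;
  // An inline block has no URL to match, so only 'unsafe-inline' can admit it.
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  const docOrigin = new URL(documentOrigin).origin;
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === docOrigin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // keyword sources not modelled here
    // host-source: optional "scheme://" followed by a host pattern
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)$/);
    if (!m) continue;
    const [, scheme, hostPattern] = m;
    if (scheme && scheme + ':' !== url.protocol) continue;
    if (hostMatches(hostPattern, url.hostname)) return true;
  }
  return false;
}
```

With the policy from the issue, `scriptAllowed("script-src 'self'", 'https://app.example', { inline: true })` is false and a script loaded from the same origin is true, which is the behaviour the issue says Chrome shows and node-webkit did not.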

@jamesmortensen


jamesmortensen commented Mar 8, 2014

I was under the impression that Chrome blocks it because Google was trying to assert its will on other developers to make them code their way. I'm a big fan of good coding practices, but I'm not a fan of having them be forced.

One thing I really like about node-webkit is the flexibility and control it gives me as a developer. If I need to do something a certain way, I can.

In short, I don't have a problem with CSP being enabled by default. I generally don't do things that avoid it being turned off. But the difference between Google Chrome and node-webkit is that in Chrome you as a developer have no power to turn it off.


@tanx


tanx commented Mar 8, 2014

I'm not suggesting that CSP be enforced, just that it is supported at all. Default or not.

As for Google. There are legitimate reasons to enforce CSP when privileged APIs are exposed, as most developers understandably choose the path with the least friction, even if they sacrifice security along the way. It is the platform maker's responsibility to protect its users, and good design often requires making the hard choice for others. Firefox Packaged Apps do this as well, by the way: https://developer.mozilla.org/en-US/Marketplace/Publishing/Packaged_apps#Types_of_packaged_apps

@xekoukou


xekoukou commented Jun 14, 2014

I concur with @tanx that this issue is a showstopper for applications that require maximum security, for example financial services. Is this going to be resolved soon, or is there a reason not to?

@tanx


tanx commented Aug 5, 2014

Any progress on this? I've tested the recent v0.10.1 of node-webkit but CSP is still not possible. Do you guys explicitly deactivate it to get the Node APIs working, or what is the logic behind this?

@rdsubhas


rdsubhas commented Sep 10, 2014

+1, definitely helps when building node-webkit based apps and being sure that no XSS will happen when dealing with untrusted content.

@tanx


tanx commented Sep 10, 2014

Joe Marini from the Chrome team confirmed in the JavaScript Jabber Podcast that Chrome Packaged Apps will soon be deployable without users having Chrome installed, basically packaging the Chrome runtime with your app. We will be using this solution instead of node-webkit due to the missing CSP support.

@xekoukou


xekoukou commented Sep 10, 2014

Nice.


@rogerwang rogerwang self-assigned this Sep 11, 2014

@rogerwang


Member

rogerwang commented Sep 11, 2014

@tanx overlooked this; will fix it soon in the next version.

@rdsubhas


rdsubhas commented Sep 11, 2014

@rogerwang Thanks! So does this mean all normal frames now automatically have CSP enabled?

GnorTech added a commit to nwjs/blink that referenced this issue Sep 25, 2014

@rogerwang


Member

rogerwang commented Jan 18, 2015

@rdsubhas yes. Normal frames should work in the same way as in the browser.

GnorTech added a commit to nwjs/blink that referenced this issue Jan 28, 2015
