Inline event handlers not whitelisted by hashes?

[kravietz]

Reading through section 7.15 of the latest CSP2 editor's draft it seems like you can't whitelist an inline event handler with its SHA256 hash. Is this intended exclusion?

Just to provide a bit of background, the following script will only result in one pop-up, from the whitelisted alert in the <script> tag:

<!DOCUMENT html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src none; script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='; img-src data:">
</head>
<body>
<img src="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>"
onload="alert('Hello, world.');">
<script>alert('Hello, world.');</script>
</body>
</html>

The inline handler alert will not be shown and Chrome will display the following error message:

Refused to execute inline event handler because it violates the following Content Security Policy 
directive: "script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='". 
Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to
enable inline execution.

Which on the other hand suggests that a hash could be used to whitelist it (but this may be just a Chrome catch-all message).

[hillbrad]

I would suggest that the Chrome-specific console text here is a bit
misleading.

Part of the difficulty here is that as a <script> block, one <script> is
roughly the same as another. But as an event handler, context is very
important. It's ok for "deleteAll()" to be attached to the big red button
that only appears after several confirmation steps, but not OK for an
injection to attach it to the "x" in the corner of an app install overlay.
So we would need to think a lot more about how to identify contexts, and
then you end up in a situation of potentially having to calculate running
hashes on much more of the DOM as it is parsed than is currently the case,
with potentially negative performance characteristics.

Maybe nonces are better for this use case, if we do need it?

And I'm not sure we do need it. On the application deployer side, where
the hash/nonce model is about processing/annotating legacy content to make
it CSP-compatible, it seems substantially as easy to "outline" these
handlers as it is to add a hash to them. See, e.g.
https://www.npmjs.com/package/noin

On Tue, Sep 8, 2015 at 8:54 AM Paweł Krawczyk notifications@github.com
wrote:

Reading through section 7.15 of the latest CSP2 editor's draft it seems
like you can't whitelist an inline event handler with its SHA256 hash. Is
this intended exclusion?

Just to provide a bit of background, the following script will only result
in one pop-up, from the whitelisted alert in the <script> tag:

<script>alert('Hello, world.');</script>

The inline handler alert will not be shown and Chrome will display the
following error message:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

Which on the other hand suggests that a hash could be used to whitelist
it (but this may be just a Chrome catch-all message).

—
Reply to this email directly or view it on GitHub
#468.

[mikewest]

1. Chrome's error message is bad. I should fix that.
2. I didn't really intend for nonces or hashes to enable inline event handlers. It's something I suppose is worth reconsidering for CSP3, but the behavior for CSP2 (which is shipping in Chrome and Firefox) excludes them. As Brad notes, that's not at all a straightforward discussion.

[kravietz]

Thanks, these are very helpful notes. I have already filed a Chrome bug report about this message, but wanted to confirm here what should be the correct browser's policy.

As for inline event handlers I do see quite a lot of them, especially if you include a Google AdSense code. While perhaps the correct approach should be to rewrite AdSense code not to use inline handlers, right now it is a real problem if you want to enable CSP on real world websites.

[hillbrad]

Do those event handlers have to be inline? Is there a reason the necessary
elements can't be tagged by id or class and the event handlers added
imperatively by a script block?

On Tue, Sep 8, 2015 at 11:41 AM Paweł Krawczyk notifications@github.com
wrote:

Thanks, these are very helpful notes. I have already filed a Chrome bug
report about this message, but wanted to confirm here what should be the
correct browser's policy.

As for inline event handlers I do see quite a lot of them, especially if
you include a Google AdSense code. While perhaps the correct approach
should be to rewrite AdSense code not to use inline handlers, right now it
is a real problem if you want to enable CSP on real world websites.

—
Reply to this email directly or view it on GitHub
#468 (comment).

[kravietz]

I'm sure they don't have to but in case of embedding a third party code such as Google AdSense you don't have much influence on how it's written. A workaround I came up with is to load AdSense code in a IFRAME from an URL that has a separate, more liberal CSP.

[kravietz]

As for identifying context for whitelisting inline handlers I think it would be quite easy thing to do. For example for such handler:

<button id="action1" onclick="doSubmit()">

This might be whitelisted with the following hash expression:

sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY=#action1#click

[mikewest]

This issue was moved to w3c/webappsec-csp#13

[esserj]

you can always add 'unsafe-hashes' to your script-src (or style-src) if you want to allow them.

<!DOCUMENT html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src none; script-src 'unsafe-hashes' 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='; img-src data:">
</head>
<body>
<img src="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>"
onload="alert('Hello, world.');">
<script>alert('Hello, world.');</script>
</body>
</html>