
On the Insecurity of Whitelists and the Future of Content Security Policy - mmastrac
https://research.google.com/pubs/pub45542.html
======
niftich
I just read the paper. Good data, great analysis; there will be lessons
learned from this. Some quick thoughts:

- Header fatigue. For many people, CSP is 'yet another damn header' [1][2][3]
we have to add to our websites. Although it's supposed to require careful
thought and be tailored to the needs of the particular resource being loaded,
the typical programming model of the web separates payloads from headers, and
therefore _proper_ use of CSP needs a hook in your HTTP-server that calculates
the correct header based off of a bunch of rules you set ahead of time and the
URL (and maybe payload) of the resource. This integration typically isn't
nicely present in HTTP-servers or web frameworks, so people hardcode headers
and move on. (Maybe try a meta http-equiv instead??)

- The nonce approach proposed for CSP is essentially CSRF tokens all over
again. I get _why_ it works, but it's ridiculous that the server has to quasi-
cryptographically pass tokens around inside the HTML that a third-party
wouldn't have... the weakness of the protocol itself is showing; there has to
be a better way to communicate cross-domain resource trust.

- Completely unrealistic thought experiment: block ALL cross-domain requests
in a browser. Only allow <a> tags. Everything else has to be hosted on the
same domain and proxied over. The incentives re-align; all the responsibility
and blame will fall squarely on website operators to get their sites right.

[1] [https://www.owasp.org/index.php/OWASP_Secure_Headers_Project...](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers)

[2] [https://securityheaders.io/](https://securityheaders.io/)

[3] [https://observatory.mozilla.org/](https://observatory.mozilla.org/)

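The nonce flow the comment above describes (a per-response token that the server puts in both the CSP header and every script tag it intends to run, so that script markup arriving from anywhere else lacks it and is refused by the browser), as an added illustration that is not part of the thread or the paper. The server-side "hook" the comment asks for is modelled as `generate_nonce` plus `response_headers`; `audit_scripts` is a small stdlib-only checker that classifies the `<script>` tags in a rendered page the way a browser enforcing the header would. The page template, script paths and the `build_same_origin_csp` policy (a site-level approximation of the third bullet's "everything same-origin" idea) are constructed for the example.

```python
import base64
import secrets
from html.parser import HTMLParser

# Constructed example of a per-response CSP nonce flow; not code from the thread.


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh, unpredictable nonce; must be regenerated for every response."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Nonce-based script policy: only scripts carrying this response's nonce run.

    'strict-dynamic' lets a nonced script load further scripts without a host
    whitelist, which is the point of moving away from whitelists.
    """
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


def build_same_origin_csp() -> str:
    """Site-level approximation of 'block all cross-domain requests': every
    resource must come from the page's own origin (assumed policy, not the paper's)."""
    return "default-src 'self'; object-src 'none'; base-uri 'none'"


def response_headers(nonce: str) -> dict:
    """The hook the HTTP server needs: compute the header per response, not once."""
    return {"Content-Security-Policy": build_csp(nonce)}


def render_page(nonce: str) -> str:
    """Hypothetical template output. The application stamps the nonce on the
    scripts it intends to run; the two trailing scripts model markup that
    reached the page without going through the template (no nonce)."""
    return f"""<html><head>
<script nonce="{nonce}" src="/static/app.js"></script>
<script nonce="{nonce}">init();</script>
</head><body>
<script>alert(1)</script>
<script src="https://cdn.example/lib.js"></script>
</body></html>"""


class _ScriptCollector(HTMLParser):
    """Collects (nonce attribute, src attribute) for every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("nonce"), a.get("src")))


def audit_scripts(html: str, nonce: str) -> dict:
    """Classify script tags against the header nonce, as an enforcing browser
    would: a tag whose nonce attribute is missing or differs is blocked."""
    parser = _ScriptCollector()
    parser.feed(html)
    allowed = [s for s in parser.scripts if s[0] == nonce]
    blocked = [s for s in parser.scripts if s[0] != nonce]
    return {
        "allowed": len(allowed),
        "blocked": len(blocked),
        "blocked_srcs": [src for _, src in blocked],
    }


if __name__ == "__main__":
    n = generate_nonce()
    print(response_headers(n))
    print(audit_scripts(render_page(n), n))
```

The audit is the check a practitioner wants before turning a nonce policy on: if legitimate scripts show up under `blocked`, the template is missing the nonce somewhere and the page would break in production rather than merely report.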
~~~
paulddraper
Option #3.

Really? I can't use a CDN for my images?

~~~
ryanpetrich
The CDN could be on a subdomain.

~~~
paulddraper
Now you just have to ask what privileged relationship makes sense between
kittens.tumblr.com and praise-cthulhu.tumblr.com that doesn't make sense for
the rest of the web.

------
gorhill
Another submission was marked as "dupe" of this one. Since it has comments in
it, I will link to it from here:
[https://news.ycombinator.com/item?id=12472671](https://news.ycombinator.com/item?id=12472671)

