Crowd Source Content-Security-Policy c0nrad 8/26/2015

This post covers an idea for a chrome extension where CSP policies are distributed and enforced by a chrome extension, and generating via crowd sourcing.

Adoption of Content-Security-Policy has been slow. It's a great header for defending against content injection attacks. But servers have been slow to adopt it.

What if we took CSP into our own hands? Chrome extensions are able to intercept requests and modify the headers. So for each domain we care about, we determine a good CSP policy, and automatically inject it in the response.

So first, two things. How do we generate good CSP policies, and is that even possible? For the first question, "how do we generate good CSP policies?", this is where crowd sourcing comes in. Once you understand CSP, it's not too hard to build the policies. So people who care about their security and know CSP can use the chrome extension to submit CSP policies. There would have to be some sort of vetting/ranking system, but I think that's feasible.

Next, is it possible to generate good CSP policies for websites without server interaction? What about inline javascript? inline onclick handlers? evals? For the inline script tags, as long as they aren't modified often we can calculate SHA256 values and use them as script-src values. Correct me if I'm wrong, except for maybe nonces, I don't think there’s anyway to whitelist inline handlers (onclick and such). If the website uses evals we can allow-eval.

For a lot of websites it'll probably be impossible to generate good CSP policies. The only thing I can think of is maybe injecting a serviceWorker and listening to the fetch event and manually modifying and adding nonces to known places. But that's a super nasty solution.

Some hurdles need to be figured out, but it has some neat upsides.

First off, any website that wants to start using CSP can just grab the CSP policy being used by the chrome extension. I think adoption of CSP will increase if someone has already started the work for them.

We could also include our own report-uri, and monitor all active attacks on these websites. Giving an open and fun little threat feed.

And lastly of course, we can now patch content injection vulnerabilities on websites almost instantly without waiting for a server to push an updated version.

Just some ideas, if you have any insight, please let me know!

c0nrad

Hacker News Post