SummerOfCode/2012/UserCSP/Wiki: Difference between revisions

From MozillaWiki
Latest revision as of 22:56, 18 September 2012

Title: User Specified Content Security Policy
Developer: Kailas Patil < patilkr24 AT gmail DOT com >

Goal

The goal of this project is to allow developers and savvy users to voluntarily specify their own Content Security Policy (CSP) for websites that may not have implemented CSP.

Overview

We developed an add-on called "userCSP" that hooks into Firefox's CSP implementation to allow a user to specify a policy for a web page. Not only does it allow a user to specify a policy for a website, it also allows the user to calculate the strictest or loosest policy from the policy specified by the add-on user and the policy specified by the website.

The add-on provides a GUI tool for the user that includes the twelve Firefox CSP directives, each listed in a separate tab (e.g. default-src, img-src, script-src, frame-src, report-uri, etc.). The user uses this tool to specify CSP policies for websites. When the browser receives the response for a web page, the add-on checks whether the user has specified a CSP policy for the page. If so, it applies the user's policy the same way it would have applied a policy set by the website.

Functionality and How it works

1. Domain name selection list

The userCSP add-on UI contains a drop-down list for domain selection. The domain selection list contains the websites that the user has opened in the browser. In addition, it also contains an entry "* (Every Website)". The "* (Every Website)" option allows users to specify general rules for all websites the user visits that have neither a website CSP policy nor a user CSP policy set. If a user has set a policy for a website and also set a policy for "* (Every Website)", then the user policy set for the website takes precedence over the "* (Every Website)" policy. If a website has set a CSP policy in its header and the user has set a policy for "* (Every Website)", then the policy set by the website takes precedence over the "* (Every Website)" policy.

2. Tabs in the UI

For each domain, a total of 14 tabs are shown to the user in the UI:

All, Infer-CSP, default-src, script-src, object-src, image-src, media-src, style-src, frame-src, font-src, xhr-src,
frame-ancestors, report-uri, Help.

Except for the "All", "Infer Policy", and "Help" tabs, the other tabs correspond to the CSP directives used in Firefox. They allow a user to specify a CSP rule for that CSP directive. Each directive tab contains the following:

  • A "website rule" list that displays the website-specified rules for the selected directive.
  • A text input field that allows users to write a rule for the selected directive.
  • An "Add" button that adds the rule the user has typed in the text input field to the "user rule" list (after checking that the rule complies with the W3C standard).
  • A "user rule" list that shows the user-written rules for the directive.
  • A "Save User Rules" button that saves the user-specified rules for the selected domain and the selected directive tab.

The "All" tab displays the complete website-defined CSP policy as well as the complete user-defined CSP policy. It also allows users to calculate the Strictest Policy and Loosest Policy from the user-defined CSP and the website-defined CSP. Moreover, it allows the user to select a policy for a website from four possible values: Website CSP rules, User CSP rules, Combine Strict Rules or Combine Loose Rules. By default, Website CSP rules are selected.

In addition, when User CSP rules are selected, the "All" tab also allows users to enable or disable inline scripts and inline evals.

3. Combine Strict CSP

If both website-defined and user-defined CSP rules for a website are available, this feature allows users to apply the strictest CSP policy, calculated as the subset common to the website-defined CSP and the user-defined CSP. For example, when you strictly combine the website-specified policy img-src 'self' with the user-specified policy img-src "*", the combined policy img-src 'self' is set.

4. Combine Loose CSP

If both website-defined and user-defined CSP rules for a website are available, this feature allows users to apply the loosest CSP policy, calculated as the combination of the website-defined CSP and the user-defined CSP. For example, when you loosely combine the website-specified policy img-src 'self' with the user-specified policy img-src "*", the combined policy img-src "*" is set.

Why is it useful?

According to the OWASP top vulnerability list, cross-site scripting (XSS) is among the top five web application vulnerabilities. It allows attackers to inject malicious code or resources from attacker domains into the document of the vulnerable web page. Browsers are not able to distinguish legitimate content from malicious content. Therefore, Content Security Policy is used to enable the browser to identify potentially malicious injected content in a web page.

By default, CSP does not allow inline scripts and eval, which are used by almost all websites. Therefore, to use CSP, websites are required to change their code (or allow these and hence remain open to some potential attacks). This required change is hindering the adoption of CSP by web applications (websites). However, there are savvy users who prefer security over usability. In addition, website developers need a tool to test different CSP rules for their own websites in order to secure their users while preserving usability. The "userCSP" add-on we developed addresses these issues.

The "userCSP" add-on allows savvy users to specify a CSP for particular websites, or to specify general CSP rules that are enforced on every website a user visits. Moreover, it allows website developers to try different CSP rules to find the best-suited CSP policy for their website.

Technical details

1. Database

The "userCSP" add-on uses an SQLite database to store the user-defined CSP rules for each website.

2. Event Interception

This add-on is developed using the Jetpack SDK. We intercept the "READY", "ACTIVATE", and "CLOSE" events on tabs. The READY event is used to retrieve the list of websites open in the user's Firefox web browser. The ACTIVATE event is used to select the currently active domain in the web browser. The CLOSE event is used to remove a domain name from the UI when the user closes its corresponding tab.

The "http-on-examine-response" observer notification is used to intercept the HTTP response. For the intercepted response, the domain that initiated the request is checked against the database to determine whether user-defined rules or "* (Every Website)" CSP rules are available. If there are no rules associated with the website, the response is processed without any change. However, if a user-defined CSP rule exists, the "X-Content-Security-Policy" header is added to the response with the rules specified by the user. It replaces the existing "X-Content-Security-Policy" header if one was already set by the website.
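The following JavaScript is an added example, not code from the userCSP add-on itself: it models the Combine Strict / Combine Loose calculation from sections 3 and 4 and the header-selection precedence just described (user rule for the domain, then the website's own header, then "* (Every Website)") as pure functions that can be run outside Firefox. It assumes the Firefox X-Content-Security-Policy syntax (directives separated by ";", sources by whitespace) with "*" written as a bare token (the page writes it as "*" in quotes), ignores host-pattern matching such as *.example.com, and keeps a directive unchanged when only one of the two policies defines it; the database is a constructed in-memory stand-in for the add-on's SQLite table.

```javascript
// Added example (not the userCSP add-on's own code). Assumptions: Firefox
// X-Content-Security-Policy syntax; '*' is a bare token; host patterns such
// as *.example.com are not matched; a directive present in only one policy
// is kept unchanged in both modes; report-uri is treated like a source list.

function parsePolicy(header) {
  const map = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) map.set(name.toLowerCase(), sources);
  }
  return map;
}

function serialize(map) {
  return [...map].map(([d, s]) => `${d} ${s.join(' ')}`).join('; ');
}

// Strictest subset of two source lists: 'none' dominates, '*' yields to the
// other side, otherwise plain set intersection (empty result => 'none').
function intersect(a, b) {
  if (a.includes("'none'") || b.includes("'none'")) return ["'none'"];
  if (a.includes('*')) return b;
  if (b.includes('*')) return a;
  const r = a.filter((s) => b.includes(s));
  return r.length ? r : ["'none'"];
}

// Loosest superset: '*' dominates, 'none' drops out, otherwise set union.
function union(a, b) {
  if (a.includes('*') || b.includes('*')) return ['*'];
  const r = [...new Set([...a, ...b])].filter((s) => s !== "'none'");
  return r.length ? r : ["'none'"];
}

// "Combine Strict Rules" / "Combine Loose Rules" from the All tab.
function combine(websiteHeader, userHeader, mode) {
  const w = parsePolicy(websiteHeader);
  const u = parsePolicy(userHeader);
  const out = new Map();
  for (const d of new Set([...w.keys(), ...u.keys()])) {
    const a = w.get(d);
    const b = u.get(d);
    if (a && b) out.set(d, mode === 'strict' ? intersect(a, b) : union(a, b));
    else out.set(d, a || b); // only one side defines it: keep as is
  }
  return serialize(out);
}

// Which X-Content-Security-Policy value the http-on-examine-response observer
// should set. userDb stands in for the SQLite table: domain -> {mode, rules},
// mode being 'website' | 'user' | 'strict' | 'loose' (the All tab choice).
// Precedence: user entry for the domain > website header > "*" entry.
// Returns null when the response should be left untouched.
function resolveHeader(domain, websiteHeader, userDb) {
  const entry = userDb[domain];
  if (entry) {
    if (entry.mode === 'website') return websiteHeader; // may be null
    if (entry.mode === 'user' || !websiteHeader) return entry.rules;
    return combine(websiteHeader, entry.rules, entry.mode);
  }
  if (websiteHeader) return websiteHeader; // site policy beats "* (Every Website)"
  return userDb['*'] ? userDb['*'].rules : null;
}

// Constructed sample: the page's img-src example plus a script-src directive.
const sampleDb = {
  'example.com': { mode: 'strict', rules: "img-src *; script-src 'self'" },
  '*': { mode: 'user', rules: "script-src 'self'" },
};
console.log(resolveHeader('example.com',
  "img-src 'self'; script-src 'self' cdn.example.com", sampleDb));
```

Running it prints `img-src 'self'; script-src 'self'`: the user's img-src * is narrowed to the site's 'self', and the site's extra script host is dropped because the user's list does not contain it.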

3. Compatibility Issues/ Limitations

The current implementation of the userCSP add-on does not completely follow the W3C CSP 1.0 standard, but complies with Firefox's current implementation. Therefore, we used the "X-Content-Security-Policy" header, whereas the W3C CSP 1.0 standard uses the "Content-Security-Policy" header. Firefox is in the process of adding support for the CSP 1.0 standard.

Another limitation of Firefox's current implementation, and hence of this add-on, is the use of the "Options" CSP directive to allow or disallow inline scripts and inline evals. In CSP 1.0, by contrast, inline JavaScript and eval are controlled by the "script-src" directive and inline CSS by the "style-src" directive.

Source code (Open-Source)

userCSP Source Code on GitHub: https://github.com/patilkr/userCSP

Mozilla Add-on Gallery

Install add-on from Mozilla Add-on Gallery: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/