Security/CSP/Specification: Difference between revisions

Line 321: Line 321:
===Code will not be created from strings===
===Code will not be created from strings===
<font color="#a00">
<font color="#a00">
* Restricted:
* User Agents MUST block:
** eval()
** calls to eval()
** setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
** calls to setTimeout using a String argument, e.g. setTimeout("evil string...", 1000)
** setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
** calls to setInterval using a String argument, e.g. setInterval("evil string...", 1000)
** new Function constructor, e.g. var f = new Function("evil string...")
** calls to the Function constructor, e.g. var f = new Function("evil string...")
</font>
</font>
<font color="#060">
<font color="#060">
* Allowed:
* User Agents MUST not block:
** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code }
** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code }
** setTimeout called with a Function argument, e.g. setTimeout(myFunc, 1000)
** calls to setTimeout using a Function argument, e.g. setTimeout(myFunc, 1000)
** setInterval called with a Function argument, e.g. setInterval(myFunc, 1000)
** calls to setInterval using a Function argument, e.g. setInterval(myFunc, 1000)
</font>
</font>
* Justification:
** eval and related functions make trivial the task of generating code from strings, which commonly come from untrusted sources, are loaded via insecure protocols, and can become tainted with attacker controlled data.
** Once tainted data has been introduced to a JavaScript program, it is extremely difficult to control its propogation and calls to eval and similar are likely to incorporate tainted strings containing malicious code.
** Note: the common AJAX pattern in which a site makes a XMLHttpRequest to fetch JSON data is still enabled under CSP using a JSON parser or inside a browser that has native JSON support.
* Sites may opt-out of this entire restriction by adding the <tt>eval-script</tt> keyword to the [[Security/CSP/Spec#options|options]] directive.  This allows the blocked <tt>eval()</tt>, <tt>setTimeout()</tt>, <tt>setInterval()</tt>, and <tt>new Function()</tt> calls to proceed.
* Vulnerability types mitigated:
*# AJAX request tampering
*# Improper use of dynamic properties


'''On Violation:''' a violation report will be sent with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no code will be created with strings".
User Agents must generate and send a violation report with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no code will be created with strings" when this base restriction is violated.


===No data: URIs unless opted-in to via explicit policy===
===No data: URIs unless opted-in to via explicit policy===
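Review bot: the RFC 2119 keyword on the allow-list line is miscased: "User Agents MUST not block:" should read "User Agents MUST NOT block:" to match the normative "MUST block" on the restricted list above it. In the same hunk, the <tt>violated-directive</tt> value "Base Restriction Violation: no code will be created with strings" does not match the section heading "Code will not be created from strings" ("with" vs "from"); since user agents emit this string verbatim in reports and sites may match on it, pick one wording and use it in both places. Two minor fixes in the justification text: "propogation" should be "propagation", and "a XMLHttpRequest" should be "an XMLHttpRequest".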