SummerOfCode/2012/UserCSP/Wiki

Revision as of 17:24, 17 August 2012 by Patilkr

Title: User Specified Content Security Policy

A. Goal: The goal of this project is to allow savvy users to voluntarily specify their own Content Security Policy (CSP) for websites that may not have implemented CSP.

B. Overview:

We developed an add-on called "userCSP" that hooks into Firefox's CSP implementation to allow a user to specify a policy for a web page. Not only does it allow a user to specify a policy for a website, it also allows the user to calculate the strictest or loosest policy from the policy specified by the add-on user and the policy specified by the website.

The add-on provides a GUI tool for the user that includes the twelve Firefox CSP directives, each listed in a separate tab (ex: default-src, img-src, script-src, frame-src, report-uri, etc). The user uses this tool to specify CSP policies for websites. When the response of a web page is received by the browser, the add-on checks whether the user has specified a CSP policy for it. If so, it applies the user's policy the same way Firefox would enforce a policy set by the website.


C. Functionality and How it works:

1. Domain name selection list:

The userCSP add-on UI contains a drop-down list for domain selection. The domain selection list contains the names of the websites currently open in the user's browser. In addition, it contains an entry "* (Every Website)". The "* (Every Website)" option is used to allow users to specify general rules for all websites the user visits that do not have a website or user CSP policy set. If a user has set a policy for a website and also set a policy for "* (Every Website)", then the user policy set for the website takes precedence over the "* (Every Website)" policy.

2. Tabs in the UI:

For each domain there are 12 tabs in total shown in the UI to the user: All, default-src, script-src, object-src, image-src, media-src, style-src, frame-src, font-src, xhr-src, frame-ancestors, report-uri.

Except for the "All" and "Infer Policy" tabs, the other tabs correspond to the CSP directives used in Firefox. They are used to allow a user to specify a CSP rule for that CSP directive. Each directive tab contains the following:

A "website rule" list, used to display the website-specified rules for the selected directive.

A text input field, used to allow users to write a rule for the selected directive. An "Add" button adds the rule written by the user in the text input field to the "user rule" list if the rule complies with the W3C standard. A "user rule" list shows the user-written rules for the directive. A "Save User Rules" button saves the user-written rules for the selected domain and the selected directive tab.


The "All" tab is used to display the complete website-defined CSP policy as well as the complete user-defined CSP policy. It also allows users to calculate the Strictest Policy and the Loosest Policy from the user-defined CSP and the website-defined CSP. Moreover, it allows the user to select which rules apply to the website from four possible values: Website CSP rules, User CSP rules, Combine Strict Rules or Combine Loose Rules. By default, the website CSP rules are selected.

In addition, when the User CSP rules are selected, the "All" tab also allows users to enable or disable inline scripts and inline evals.


3. Combine Strict CSP

If both website-defined and user-defined CSP rules for a website are available, this feature allows users to apply the strictest subset of CSP policy calculated from the website-defined CSP and the user-defined CSP. For example, when you strictly combine img-src 'self' set by the website and img-src "*" set by the user, img-src 'self' is set.

4. Combine Loose CSP

If both website-defined and user-defined CSP rules for a website are available, this feature allows users to apply the loosest subset of CSP policy calculated from the website-defined CSP and the user-defined CSP. For example, when you loosely combine img-src 'self' set by the website and img-src "*" set by the user, img-src "*" is set.
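The strict and loose combination described in sections 3 and 4, together with the four "All" tab modes, as an added example (not the userCSP add-on's own code). It works on the old Firefox "directive sources; directive sources" policy syntax; source matching is done on strings, which is an assumption noted in the comments.

```javascript
// Added example, not the userCSP add-on's own code. Combines a website CSP
// with a user CSP per directive in the old "directive sources; ..." syntax.
// Assumption: sources are compared as strings, so https://*.example.com and
// https://a.example.com count as different (strict then yields 'none',
// which is safe but stricter than the true intersection).

function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), new Set(sources));
  }
  return policy;
}

function serializePolicy(policy) {
  return [...policy].map(([n, s]) => `${n} ${[...s].join(" ")}`).join("; ");
}

// Strictest: 'none' wins, '*' yields to the other side, otherwise the
// intersection (empty intersection -> 'none').
function strictSources(a, b) {
  if (a.has("'none'") || b.has("'none'")) return new Set(["'none'"]);
  if (a.has("*")) return new Set(b);
  if (b.has("*")) return new Set(a);
  const common = new Set([...a].filter((s) => b.has(s)));
  return common.size ? common : new Set(["'none'"]);
}

// Loosest: '*' wins, 'none' yields to the other side, otherwise the union.
function looseSources(a, b) {
  if (a.has("*") || b.has("*")) return new Set(["*"]);
  if (a.has("'none'")) return new Set(b);
  if (b.has("'none'")) return new Set(a);
  return new Set([...a, ...b]);
}

// mode: "website", "user", "strict" or "loose" (the "All" tab choices).
// A directive set by only one side is kept as-is in both combine modes
// (an assumption; the page does not say how the add-on handles that case).
function combine(websiteCsp, userCsp, mode) {
  const site = parsePolicy(websiteCsp), user = parsePolicy(userCsp);
  if (mode === "website") return serializePolicy(site);
  if (mode === "user") return serializePolicy(user);
  const merge = mode === "strict" ? strictSources : looseSources;
  const out = new Map();
  for (const name of new Set([...site.keys(), ...user.keys()])) {
    const a = site.get(name), b = user.get(name);
    out.set(name, a && b ? merge(a, b) : new Set(a || b));
  }
  return serializePolicy(out);
}
```

Running combine("img-src 'self'", "img-src *", "strict") reproduces the page's example (img-src 'self'), and the "loose" mode gives img-src *.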


D. Why is it useful?

According to the OWASP top vulnerability list, cross-site scripting (XSS) is among the top five web application vulnerabilities. It allows attackers to inject malicious code or resources from attacker domains into the document of the vulnerable web page. Browsers are not able to distinguish which content is legitimate and which is malicious. Therefore, Content Security Policy is used to enable the browser to identify potentially malicious injected content in a web page.

By default, CSP does not allow inline scripts and eval, which are used by almost all websites. Therefore, to use CSP, websites are required to change their code. This requirement is hindering the adoption of CSP by web applications (websites). However, there are savvy users who prefer security over usability. In addition, website developers need a tool to test different CSP rules for their website in order to secure their users while preserving usability. The "userCSP" add-on we developed addresses these issues. [Tanvi: just a note- this is a very good paragraph!]

The "userCSP" add-on allows savvy users to specify a CSP for particular websites, or to specify general CSP rules that are enforced on every website the user visits. Moreover, it allows website developers to try different CSP rules in order to adopt the best-suited CSP policy for their website.




E. Technical details:

1. Database

The "userCSP" add-on uses an SQLite database to store the user-defined CSP rules for each website.


2. Event Interception

This add-on is developed using the Jetpack SDK. We intercept the "READY", "ACTIVATE", and "CLOSE" events on tabs. The ready event is used to retrieve the list of websites open in the user's Firefox web browser. The activate event is used to select the currently active domain in the web browser. The close event is used to remove the domain name from the UI when the user closes the tab.

The "http-on-examine-response" observer notification is used to intercept the HTTP response. For the intercepted response, the domain that initiated the request is checked against the database to determine whether user-defined rules or "* (Every Website)" CSP rules are available. If there are no rules associated with the website, the response is processed without any change. However, if a user-defined CSP rule exists, the "X-Content-Security-Policy" header is added to the response with the rules specified by the user. [Tanvi - Does this replace the existing X-Content-Security-Policy header if it is already set?]


3. Compatibility Issues/ Limitations:

The current implementation of the userCSP add-on does not completely follow the W3C CSP 1.0 standard, but complies with Firefox's current implementation. Therefore, we use the "X-Content-Security-Policy" header, whereas the W3C CSP 1.0 standard uses the "Content-Security-Policy" header. Firefox is in the process of adding support for the CSP 1.0 standard.

Another limitation of Firefox's current implementation, and hence of this add-on, is the use of the "options" CSP directive to allow or disallow inline scripts and inline evals. In CSP 1.0, by contrast, inline JavaScript and eval are controlled by the "script-src" directive and inline CSS is controlled by the "style-src" directive.

F. Source code on GitHub:

https://github.com/patilkr/userCSP