SummerOfCode/2012/UserCSP/Wiki
Title: User Specified Content Security Policy
Developer: Kailas Patil < patilkr24 AT gmail DOT com >
Goal
The goal of this project is to allow developers and security-savvy users to voluntarily specify their own Content Security Policy (CSP) for websites that have not implemented CSP themselves.
Overview
We developed an add-on called "userCSP" that hooks into Firefox's CSP implementation to let a user specify a policy for a web page. Beyond setting a policy for a website, it also lets the user compute the strictest or the loosest policy from the policy specified by the add-on user and the policy specified by the website.
The add-on provides a GUI tool that exposes the twelve Firefox CSP directives, each in its own tab (for example default-src, img-src, script-src, frame-src, report-uri). The user uses this tool to specify CSP policies for websites. When the browser receives the response for a web page, the add-on checks whether the user has specified a CSP policy for that page. If so, it applies the user's policy the same way the browser would have applied a policy set by the website.
Functionality and How it works
1. Domain name selection list
The userCSP add-on UI contains a drop-down list for domain selection. The list contains the websites the user has opened in the browser, plus an entry "* (Every Website)". The "* (Every Website)" option lets the user specify general rules for every website the user visits that has neither a website CSP policy nor a user CSP policy set. If the user has set a policy for a specific website and also a policy for "* (Every Website)", the policy set for the website takes precedence over "* (Every Website)". If a website sets a CSP policy in its header and the user has set a policy for "* (Every Website)", the policy set by the website takes precedence over "* (Every Website)".
2. Tabs in the UI
For each domain there are 14 tabs in total shown to the user in the UI:
All, Infer-CSP, default-src, script-src, object-src, img-src, media-src, style-src, frame-src, font-src, xhr-src, frame-ancestors, report-uri, Help.
Except for the "All", "Infer-CSP" and "Help" tabs, each tab corresponds to a CSP directive used in Firefox and lets the user specify CSP rules for that directive. Each directive tab contains the following:
- A "website rule" list used to display website specified rules for the selected directive.
- A text input field is used to allow users to write a rule for the selected directive.
- An "Add" button used to add the rule the user has typed in the text input field to the "user rule" list (after checking that the rule complies with the W3C source-list syntax).
- A "user rule" list used to show the user written rules for the directive.
- A "Save User Rules" button used to save user specified rules for the selected domain and the selected directive tab.
The "All" tab displays the complete website-defined CSP policy as well as the complete user-defined CSP policy. It also lets the user calculate the Strictest Policy and the Loosest Policy from the user-defined CSP and the website-defined CSP. Moreover, it lets the user select which policy is applied to a website from four possible values: Website CSP rules, User CSP rules, Combine Strict Rules or Combine Loose Rules. By default, Website CSP rules are selected.
In addition to this, when the User CSP rules are selected, the "All" tab also allows users to enable or disable inline scripts and inline evals.
3. Combine Strict CSP
If both website-defined and user-defined CSP rules for a website are available, this feature lets the user apply the strictest policy, calculated per directive from the website-defined CSP and the user-defined CSP. For example, strictly combining the website-specified policy img-src 'self' with the user-specified policy img-src * yields the combined policy img-src 'self'.
4. Combine Loose CSP
If both website-defined and user-defined CSP rules for a website are available, this feature lets the user apply the loosest policy, calculated per directive from the website-defined CSP and the user-defined CSP. For example, loosely combining the website-specified policy img-src 'self' with the user-specified policy img-src * yields the combined policy img-src *.
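The following is an added example, not code from the userCSP add-on, showing both the "Add" button check (a typed rule must consist of valid source expressions) and the per-directive Combine Strict / Combine Loose calculation described above. It assumes the policy text uses the syntax Firefox accepted at the time: directives separated by ';' and sources separated by whitespace, with a bare * for "any source". The strict combination is the intersection of the two source lists (a * on one side defers to the other side, 'none' on either side wins, an empty intersection becomes 'none'); the loose combination is their union (a * on either side wins). A directive present on only one side is kept as given, which is an assumption about how a missing directive should be treated.

```javascript
// Added example (not the userCSP add-on's own code).
// Simplified source-expression grammar (assumption: a subset of the W3C CSP 1.0
// source-list grammar): keywords, scheme-only sources, or a host with an
// optional "*." wildcard label, optional scheme and optional port.
const KEYWORDS = new Set(["'self'", "'none'", "*", "'unsafe-inline'", "'unsafe-eval'"]);
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;
const HOST_SOURCE = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\d+|\*))?$/i;

function isValidSource(src) {
  return KEYWORDS.has(src) || SCHEME_SOURCE.test(src) || HOST_SOURCE.test(src);
}

// The check behind the "Add" button: every whitespace-separated token of the
// rule typed for one directive must be a valid source expression.
function isValidRule(rule) {
  const tokens = rule.trim().split(/\s+/).filter(Boolean);
  return tokens.length > 0 && tokens.every(isValidSource);
}

// Parse "dir1 a b; dir2 c" into { "dir1": Set{a, b}, "dir2": Set{c} }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = new Set(sources);
  }
  return out;
}

// Serialize back to policy text with directives in a stable (sorted) order.
function serializePolicy(policy) {
  return Object.keys(policy)
    .sort()
    .map((d) => `${d} ${[...policy[d]].join(" ")}`)
    .join("; ");
}

// Strict: only what both sides allow.
function strictSources(a, b) {
  if (a.has("'none'") || b.has("'none'")) return new Set(["'none'"]);
  if (a.has("*")) return new Set(b);
  if (b.has("*")) return new Set(a);
  const both = new Set([...a].filter((s) => b.has(s)));
  return both.size ? both : new Set(["'none'"]);
}

// Loose: anything either side allows ('none' contributes nothing).
function looseSources(a, b) {
  if (a.has("*") || b.has("*")) return new Set(["*"]);
  const union = new Set([...a, ...b].filter((s) => s !== "'none'"));
  return union.size ? union : new Set(["'none'"]);
}

// mode is "strict" or "loose"; returns the combined policy as text.
function combinePolicies(sitePolicy, userPolicy, mode) {
  const site = parsePolicy(sitePolicy);
  const user = parsePolicy(userPolicy);
  const pick = mode === "strict" ? strictSources : looseSources;
  const out = {};
  for (const d of new Set([...Object.keys(site), ...Object.keys(user)])) {
    out[d] = site[d] && user[d] ? pick(site[d], user[d]) : new Set(site[d] || user[d]);
  }
  return serializePolicy(out);
}

// Constructed sample inputs: the page's own img-src example plus a richer one.
const SITE = "img-src 'self' a.example b.example; script-src 'self'";
const USER = "img-src a.example c.example";
console.log(combinePolicies("img-src 'self'", "img-src *", "strict")); // img-src 'self'
console.log(combinePolicies("img-src 'self'", "img-src *", "loose"));  // img-src *
console.log(combinePolicies(SITE, USER, "strict")); // img-src a.example; script-src 'self'
```

The host-source regular expression is deliberately simple: it accepts hostnames, wildcard subdomains and ports, but does not try to cover paths or every corner of the full grammar, so a rule it rejects can still be retyped by the user rather than silently saved.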
Why is it useful?
According to the OWASP Top Ten list, cross-site scripting (XSS) is among the top five web application vulnerabilities. It allows attackers to inject malicious code or resources from attacker-controlled domains into the document of a vulnerable web page. Browsers are not able to distinguish legitimate content from malicious content on their own. Content Security Policy exists to give the browser the information it needs to identify potentially malicious injected content in a web page.
By default CSP does not allow inline scripts or eval, which almost all websites use. Therefore, to use CSP, websites have to change their code (or allow inline scripts and eval, and hence remain exposed to some potential attacks). This required change is hindering the adoption of CSP by web applications. However, there are savvy users who prefer security over usability. In addition, website developers need a tool to test different CSP rules for their own websites in order to secure their users while preserving usability. The "userCSP" add-on we developed addresses both needs.
The "userCSP" add-on allows savvy users to specify a CSP for particular websites, or to specify general CSP rules that are enforced on every website the user visits. Moreover, it allows website developers to try different CSP rules and adopt the policy best suited to their website.
Technical details:
1. Database
The "userCSP" add-on uses an SQLite database to store the user-defined CSP rules for each website.
2. Event Interception
This add-on is developed using the Jetpack SDK. We intercept the "ready", "activate" and "close" events on tabs. The ready event is used to retrieve the list of websites open in the user's Firefox browser. The activate event is used to select the currently active domain in the browser. The close event is used to remove a domain name from the UI when the user closes its corresponding tab.
The "http-on-examine-response" observer notification is used to intercept the HTTP response. For the intercepted response, the domain that initiated the request is checked against the database to determine whether user-defined rules or "* (Every Website)" CSP rules are available. If no rules are associated with the website, the response is processed without any change. If a user-defined CSP rule exists, the "X-Content-Security-Policy" header is added to the response with the rules specified by the user, replacing any existing "X-Content-Security-Policy" header set by the website.
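As an added example (not the add-on's own code), the logic below decides which "X-Content-Security-Policy" header a response should end up with, applying the precedence rules from the domain-selection section together with the header replacement described just above: a user policy saved for the exact domain is applied (replacing any website header); otherwise a policy the website sent is kept; otherwise the user's "* (Every Website)" policy is applied; otherwise the response is left untouched. An in-memory object stands in for the add-on's SQLite table and a plain object stands in for the response headers (both assumptions); the "All" tab's Combine Strict / Combine Loose modes are not modelled here.

```javascript
// Added example (not the userCSP add-on's own code).
const HEADER = "X-Content-Security-Policy";

// Constructed sample of the per-domain rules the add-on would have stored.
const userRules = {
  "example.com": "default-src 'self'; img-src 'self' cdn.example.com",
  "*": "default-src 'self'; script-src 'self'",
};

// Decide which policy applies and where it came from.
function resolvePolicy(domain, siteHeader, rules) {
  if (Object.prototype.hasOwnProperty.call(rules, domain)) {
    return { source: "user", policy: rules[domain] };
  }
  if (siteHeader) {
    return { source: "website", policy: siteHeader };
  }
  if (Object.prototype.hasOwnProperty.call(rules, "*")) {
    return { source: "every-website", policy: rules["*"] };
  }
  return { source: "none", policy: null };
}

// Return a new headers object for the response (the input is not mutated).
// Real nsIHttpChannel header lookups are case-insensitive; this constructed
// headers object uses the canonical header name directly.
function applyUserCsp(domain, headers, rules = userRules) {
  const decision = resolvePolicy(domain, headers[HEADER], rules);
  const out = { ...headers };
  if (decision.source === "user" || decision.source === "every-website") {
    out[HEADER] = decision.policy; // replaces any website-supplied header
  }
  return { headers: out, source: decision.source };
}

console.log(applyUserCsp("example.com", { [HEADER]: "default-src *" }));
console.log(applyUserCsp("other.org", { [HEADER]: "default-src *" }));
console.log(applyUserCsp("other.org", {}));
```

In the real observer, the equivalent of the `out[HEADER] = ...` line is a call to `setResponseHeader(name, value, false)` on the channel obtained from the notification subject, with the third argument false so the new value replaces rather than merges with the website's header.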
3. Compatibility Issues/ Limitations
The current implementation of the userCSP add-on does not fully follow the W3C CSP 1.0 standard; it complies with Firefox's current implementation instead. Therefore we use the "X-Content-Security-Policy" header, whereas the W3C CSP 1.0 standard uses the "Content-Security-Policy" header. Firefox is in the process of adding support for the CSP 1.0 standard.
Another limitation of Firefox's current implementation, and hence of this add-on, is the use of the "options" CSP directive to allow or disallow inline scripts and inline evals. In CSP 1.0, inline JavaScript and eval are controlled in the "script-src" directive and inline CSS is controlled in the "style-src" directive.
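The two differences just described can be bridged mechanically. The added example below (not code from the add-on) rewrites a policy written for the older Firefox "X-Content-Security-Policy" header into CSP 1.0 form: "options inline-script" and "options eval-script" become 'unsafe-inline' and 'unsafe-eval' in script-src, and the header name changes. It also renames the Firefox-specific xhr-src directive to CSP 1.0's connect-src. Two points are assumptions: that the older implementation did not restrict inline CSS, so 'unsafe-inline' is added to style-src whenever a default-src would otherwise start blocking it; and that adding keywords to script-src requires copying default-src's sources first, since in CSP 1.0 an explicit script-src no longer inherits from default-src.

```javascript
// Added example (not the userCSP add-on's own code).
const RENAMES = { "xhr-src": "connect-src" }; // Firefox name -> CSP 1.0 name

function translateToCsp10(xcspValue) {
  const dirs = {};          // directive name -> array of sources (insertion order kept)
  const options = new Set(); // tokens of the Firefox-only "options" directive
  for (const part of xcspValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const lower = name.toLowerCase();
    if (lower === "options") {
      values.forEach((v) => options.add(v.toLowerCase()));
      continue;
    }
    dirs[RENAMES[lower] || lower] = values;
  }

  // Inline script / eval: in the old syntax they are off unless "options" turns
  // them on; in CSP 1.0 they are off whenever script-src or default-src applies,
  // unless the keyword is present. Nothing to do when neither directive exists.
  const wantsInline = options.has("inline-script");
  const wantsEval = options.has("eval-script");
  if ((wantsInline || wantsEval) && (dirs["script-src"] || dirs["default-src"])) {
    if (!dirs["script-src"]) dirs["script-src"] = [...dirs["default-src"]]; // assumption, see lead-in
    if (wantsInline && !dirs["script-src"].includes("'unsafe-inline'")) dirs["script-src"].push("'unsafe-inline'");
    if (wantsEval && !dirs["script-src"].includes("'unsafe-eval'")) dirs["script-src"].push("'unsafe-eval'");
  }

  // Inline CSS: assumption that the old implementation never blocked it, so keep
  // that behaviour by adding 'unsafe-inline' wherever CSP 1.0 would block it.
  if (dirs["style-src"] || dirs["default-src"]) {
    if (!dirs["style-src"]) dirs["style-src"] = [...dirs["default-src"]];
    if (!dirs["style-src"].includes("'unsafe-inline'")) dirs["style-src"].push("'unsafe-inline'");
  }

  const value = Object.keys(dirs).map((d) => `${d} ${dirs[d].join(" ")}`).join("; ");
  return { header: "Content-Security-Policy", value };
}

// Constructed sample policy in the older Firefox syntax.
const OLD_POLICY = "default-src 'self'; xhr-src 'self' api.example.com; options inline-script eval-script";
console.log(translateToCsp10(OLD_POLICY));
```

The translation is conservative in one direction only: it never grants something the old policy did not grant, apart from the inline-CSS assumption stated above, which a developer migrating a policy should review rather than keep by default.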