[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat May 9 05:14:29 UTC 2015
#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-----------------------------+-------------------------------------
Reporter: isis | Owner: isis
Type: enhancement | Status: new
Priority: major | Milestone:
Component: BridgeDB | Version:
Resolution: | Keywords: bridgedb-https security
Actual Points: | Parent ID:
Points: |
-----------------------------+-------------------------------------
Description changed by isis:
Old description:
> Now that BridgeDB uses a tiny bit of Javascript on the
> https://bridges.torproject.org/bridges page (to facilitate displaying the
> QR code and selecting all the bridge lines), we should consider possibly
> adding a [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ "Content-Security-Policy" (CSP) HTTP header] to
> responses from BridgeDB's HTTP(S) server.
>
> While the XSS attack surface of BridgeDB is essentially non-existent, the
> idea is instead that a malicious bridge could specify in its Pluggable
> Transport arguments in its extrainfo descriptor something like:
>
> {{{
> transport obfs4 1.1.1.1:1111 evil=<script>[…]</script>
> }}}
>
> If BridgeDB added the CSP HTTP header:
> {{{
> Content-Security-Policy: default-src 'self'
> }}}
>
> Then inline Javascript, inline CSS (CSS3, when combined with HTML5, is
> Turing-complete), and loading of fonts, images, blobs, scripts and
> basically every other type of content from external sources (i.e.
> everything other than https://bridges.torproject.org), would all be
> disabled. The only downside appears to be that CSP is not implemented in
> IE, so all BridgeDB's users running IE6 and IE7 on WindowsXP boxes in
> China (there are ''a lot'' of these boxes in China) could still be
> attacked.
New description:
Now that BridgeDB uses a tiny bit of Javascript on the
https://bridges.torproject.org/bridges page (to facilitate displaying the
QR code and selecting all the bridge lines), we should consider possibly
adding a [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ "Content-Security-Policy" (CSP) HTTP header] to responses
from BridgeDB's HTTP(S) server.
While the XSS attack surface of BridgeDB is essentially non-existent, the
idea is instead that a malicious bridge could specify in its Pluggable
Transport arguments in its extrainfo descriptor something like:
{{{
transport obfs4 1.1.1.1:1111 evil=<script>[…]</script>
}}}
If BridgeDB added the CSP HTTP header:
{{{
Content-Security-Policy: default-src 'none'; base-uri https://bridges.torproject.org; script-src https://bridges.torproject.org; style-src https://bridges.torproject.org; img-src https://bridges.torproject.org data:; font-src https://bridges.torproject.org; frame-options 'deny';
}}}
Then inline Javascript, inline CSS (CSS3, when combined with HTML5, is
Turing-complete), and loading of fonts, images, blobs, scripts and
basically every other type of content from external sources (i.e.
everything other than https://bridges.torproject.org), would all be
disabled. The only downside appears to be that CSP is not implemented in
IE (not until IE10, which apparently has limited support), so all
BridgeDB's users running IE6 and IE7 on WindowsXP boxes in China (there
are ''a lot'' of these boxes in China) could still be attacked.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
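Added example (not part of the ticket and not BridgeDB's own code): the policy from the new description serialised as a header, plus a small checker that answers the question the ticket raises, namely whether an inline <script> smuggled in through a bridge's pluggable-transport arguments, or a script/font/image from some other host, would be allowed under the old policy (default-src 'self'), the new one, or no policy at all. Assumptions: the bridge "transport" line is constructed for the example; the ticket's "frame-options 'deny'" (an early CSP draft directive) is written as frame-ancestors 'none', the CSP Level 2 directive that replaced it; the data: entry in img-src is assumed to be for the inline QR-code image. The checker models only 'none', 'self', data: and exact-origin sources, which is all the ticket's policy uses.

```python
import html

PAGE_ORIGIN = "https://bridges.torproject.org"

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "child-src"}

# Policy from the ticket's old description.
OLD_CSP = "default-src 'self'"

# Policy from the ticket's new description, as a directive -> sources map.
# The draft-era 'frame-options' is written as frame-ancestors 'none' (CSP Level 2).
NEW_POLICY = {
    "default-src": ["'none'"],
    "base-uri": [PAGE_ORIGIN],
    "script-src": [PAGE_ORIGIN],
    "style-src": [PAGE_ORIGIN],
    "img-src": [PAGE_ORIGIN, "data:"],   # data: assumed to be for the inline QR code
    "font-src": [PAGE_ORIGIN],
    "frame-ancestors": ["'none'"],
}


def build_csp(policy):
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(name + " " + " ".join(srcs) for name, srcs in policy.items())


def parse_csp(header):
    """Parse a header value back into a directive map."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`: the explicit list, else default-src for
    fetch directives, else None meaning nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def allows_inline(policy, directive):
    """Inline script/style runs only with 'unsafe-inline' or when no policy applies."""
    srcs = effective_sources(policy, directive)
    return srcs is None or "'unsafe-inline'" in srcs


def allows_url(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Would loading `url` under `directive` be permitted?"""
    srcs = effective_sources(policy, directive)
    if srcs is None:
        return True
    if srcs == ["'none'"]:
        return False
    if url.startswith("data:"):
        return "data:" in srcs
    scheme, _, rest = url.partition("://")
    origin = scheme + "://" + rest.split("/", 1)[0]
    return origin in srcs or ("'self'" in srcs and origin == page_origin)


# Constructed extrainfo "transport" line from a hostile bridge, as in the ticket.
EVIL_TRANSPORT = "transport obfs4 1.1.1.1:1111 evil=<script>alert(1)</script>"


def render_bridge_line(transport_line):
    """Render a bridge line for the HTML page with the PT arguments escaped.
    Escaping at the template is the primary defence; the CSP header is the
    backstop for a code path that forgets it."""
    _, method, addr, *args = transport_line.split()
    return "<code>%s</code>" % html.escape(" ".join([method, addr] + args))


if __name__ == "__main__":
    new = parse_csp(build_csp(NEW_POLICY))
    old = parse_csp(OLD_CSP)
    print(build_csp(NEW_POLICY))
    print("inline script, old/new/none:",
          allows_inline(old, "script-src"), allows_inline(new, "script-src"),
          allows_inline({}, "script-src"))
    print("data: QR image, old/new:",
          allows_url(old, "img-src", "data:image/png;base64,AAAA"),
          allows_url(new, "img-src", "data:image/png;base64,AAAA"))
    print(render_bridge_line(EVIL_TRANSPORT))
```

Running it shows the two things the ticket cares about: neither policy lets the injected inline script run (only a page with no CSP at all does), and the old default-src 'self' policy would have blocked a data: image, which is why the new description adds data: to img-src. External scripts, fonts and connections to any host other than https://bridges.torproject.org are refused under the new policy because every fetch directive either names that origin only or falls back to default-src 'none'.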