[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor



#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-------------------------------------+----------------------
 Reporter:  isis                     |          Owner:  isis
     Type:  enhancement              |         Status:  new
 Priority:  major                    |      Milestone:
Component:  BridgeDB                 |        Version:
 Keywords:  bridgedb-https security  |  Actual Points:
Parent ID:                           |         Points:
-------------------------------------+----------------------
 Now that BridgeDB uses a tiny bit of Javascript on the
 https://bridges.torproject.org/bridges page (to facilitate displaying the
 QR code and selecting all the bridge lines), we should consider possibly
 adding a [http://www.html5rocks.com/en/tutorials/security/content-
 security-policy/ "Content-Security-Policy" (CSP) HTTP header] to responses
 from BridgeDB's HTTP(S) server.

 While the XSS attack surface of BridgeDB is essentially non-existent, the
 idea is instead that a malicious bridge could specify in its Pluggable
 Transport arguments in its extrainfo descriptor something like:

 {{{
 transport obfs4 1.1.1.1:1111 evil=<script>[â]</script>
 }}}

 If BridgeDB added the CSP HTTP header:
 {{{
 Content-Security-Policy: default-src 'self'
 }}}

 Then inline Javascript, inline CSS (CSS3, when combined with HTML5, is
 Turing-complete), and loading of fonts, images, blobs, scripts and
 basically every other type of content from external sources (i.e.
 everything other than https://bridges.torproject.org), would all be
 disabled. The only downside appears to be that CSP is not implemented in
 IE, so all BridgeDB's users running IE6 and IE7 on WindowsXP boxes in
 China (there are ''a lot'' of these boxes in China) could still be
 attacked.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs