[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-------------------------------------+----------------------
Reporter: isis | Owner: isis
Type: enhancement | Status: new
Priority: major | Milestone:
Component: BridgeDB | Version:
Keywords: bridgedb-https security | Actual Points:
Parent ID: | Points:
-------------------------------------+----------------------
Now that BridgeDB uses a tiny bit of Javascript on the
https://bridges.torproject.org/bridges page (to facilitate displaying the
QR code and selecting all the bridge lines), we should consider possibly
adding a [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ "Content-Security-Policy" (CSP) HTTP header] to responses
from BridgeDB's HTTP(S) server.
While the XSS attack surface of BridgeDB is essentially non-existent, the
idea is instead that a malicious bridge could specify in its Pluggable
Transport arguments in its extrainfo descriptor something like:
{{{
transport obfs4 1.1.1.1:1111 evil=<script>[...]</script>
}}}
If BridgeDB added the CSP HTTP header:
{{{
Content-Security-Policy: default-src 'self'
}}}
Then inline Javascript, inline CSS (CSS3, when combined with HTML5, is
Turing-complete), and loading of fonts, images, blobs, scripts and
basically every other type of content from external sources (i.e.
everything other than https://bridges.torproject.org), would all be
disabled. The only downside appears to be that CSP is not implemented in
IE, so all BridgeDB's users running IE6 and IE7 on WindowsXP boxes in
China (there are ''a lot'' of these boxes in China) could still be
attacked.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
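The following is an added example and not BridgeDB's own code: a standard-library `http.server` handler that serves HTML-escaped bridge lines with the `Content-Security-Policy: default-src 'self'` header from the ticket, fed by constructed extrainfo `transport` lines of which one smuggles a script tag through a pluggable-transport argument. It also shows the practical consequence the ticket does not spell out: `default-src 'self'` forbids inline script and CSS, so the page's own QR-code and select-all helper has to move into a same-origin file (the `/assets/bridges.js` and `/assets/bridges.css` paths, the `BridgesHandler` class and the parsing in `bridge_line_from_transport` are all assumptions made up for this demo).

```python
"""Added example, not BridgeDB's own code: a stdlib http.server handler that
serves HTML-escaped bridge lines with a Content-Security-Policy header.
All names, paths and the sample transport lines below are made up."""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

# Policy from the ticket: only same-origin resources, no inline script/CSS.
CSP_POLICY = "default-src 'self'"

# Constructed extrainfo 'transport' lines; the second smuggles a script tag
# through a pluggable-transport argument, as the ticket describes.
SAMPLE_TRANSPORT_LINES = [
    "transport obfs4 192.0.2.10:443 cert=AAAA iat-mode=0",
    "transport obfs4 1.1.1.1:1111 evil=<script>alert(1)</script>",
]


def security_headers():
    """Headers every response from the distributor should carry."""
    return {"Content-Security-Policy": CSP_POLICY}


def bridge_line_from_transport(transport_line):
    """'transport obfs4 IP:PORT k=v ...' -> 'obfs4 IP:PORT k=v ...'.
    Hypothetical parsing for the demo; rejects anything else."""
    parts = transport_line.split()
    if len(parts) < 3 or parts[0] != "transport":
        raise ValueError("not a transport line: %r" % transport_line)
    return " ".join(parts[1:])


def render_bridge_lines(transport_lines):
    """HTML fragment with one <div> per bridge line. Every bridge-supplied
    byte passes through html.escape, so '<' becomes '&lt;' and can never
    open a tag no matter what the bridge put in its descriptor."""
    return "\n".join(
        '<div class="bridge-line">%s</div>'
        % html.escape(bridge_line_from_transport(t), quote=True)
        for t in transport_lines
    )


def render_page(transport_lines):
    """Full page. Because the policy forbids inline script and style, the
    QR-code/select-all helper and the stylesheet are referenced from
    same-origin files (hypothetical paths) instead of inline blocks."""
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8">'
        '<link rel="stylesheet" href="/assets/bridges.css">'
        '</head><body><div id="bridgelines">\n%s\n</div>'
        '<script src="/assets/bridges.js"></script></body></html>'
    ) % render_bridge_lines(transport_lines)


class BridgesHandler(BaseHTTPRequestHandler):
    """Serves the bridge page with the CSP header on every response."""

    def do_GET(self):
        body = render_page(SAMPLE_TRANSPORT_LINES).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in security_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local demo only; fetch http://127.0.0.1:8080/ and inspect the headers.
    HTTPServer(("127.0.0.1", 8080), BridgesHandler).serve_forever()
```

Escaping is the first line of defence here and the CSP header is the second: even if some template path ever let a bridge's `<script>` through unescaped, the policy would stop the browser from executing it as an inline script (in browsers that enforce CSP). Conversely, the policy only holds if the page's own helper really is served from the same origin; an inline `<script>` block on the page would be blocked by the same rule.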