Darien Valentine (2018-06-20T01:50:24.000Z)
valentinium at gmail.com (2018-06-20T01:57:27.734Z)
Aha! Thanks. I think I get what you mean now. Let’s say I have this CSP:

```
content-security-policy: script-src 'nonce-foo'
```

And I have this in my document:

```
<script nonce=foo type=module>
import 'data:text/javascript,console.log(`bar`)';
</script>
```

Then the browser could theoretically ignore the absence of 'data:' in the CSP safely because the import statement here is part of a nonce-allowed script. And the unsafety is adding `data:` to the CSP (which would then be available for third-party scripts I might also allow), not using `data:` in my own trusted modules; and there is a minor bit of unsafety associated with dynamic import, but it’s not in the same league as the unsafety potentially implied by a blanket permission for all `data:` URI sources.

I was surprised that this nuance was considered. I figured it just blindly asked "is this source permitted by the CSP" without taking into account whether the trust from a parent resource could be implicitly extended. But I see you’re totally right:

```
<!DOCTYPE html>
<meta http-equiv=content-security-policy content="script-src 'nonce-foo'">
<script nonce=foo type=module>
import 'data:text/javascript,document.open();document.writeln(`<p>static import of data URI module worked</p>`)';
document.writeln(`<p>nonce module worked</p>`);
import('data:text/javascript,document.writeln(`<p>dynamic import of data URI module worked</p>`)');
</script>
```

demo: https://necessary-hallway.glitch.me/

All three seem to work! Very cool. Sorry for the diversion from the main topic. This was really interesting and I appreciate the explanation.
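The post contrasts the naive question "is this source permitted by the CSP?" with the nonce-propagating behaviour its demo observed. The following is an added example, not code from the post or from any browser: a small model of plain CSP3 `script-src` source-expression matching (nonce-source, `'self'`, scheme-source, and exact-origin host-source; other keywords and hashes are not modelled and never match). It makes explicit what the directive alone authorizes: `script-src 'nonce-foo'` does not source-match a `data:` import, while `script-src 'nonce-foo' data:` authorizes every `data:` script, including ones the author never wrote. The request objects, page origin, and the `thirdPartyData` case are constructed for illustration, and the model deliberately does not reproduce the browser behaviour the post reports for imports issued from a nonced module script.

```javascript
// Added example (not from the original post): a minimal model of CSP3
// `script-src` matching, used to show what a directive authorizes on its own.

// Split a `script-src` directive value into its source expressions.
function parseScriptSrc(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Does one source expression match a script request?
// `request` is a constructed object:
//   { inline: true, nonce }  - an inline <script>; `nonce` is its nonce attribute
//   { url, nonce }           - a fetched script; `nonce` is the nonce attribute of the
//                              element that triggered it, undefined for a module import
function sourceExpressionMatches(expr, request, pageOrigin) {
  // nonce-source: matches only when the triggering element carries that exact nonce
  const nonceMatch = /^'nonce-([A-Za-z0-9+/=_-]+)'$/.exec(expr);
  if (nonceMatch) return request.nonce !== undefined && request.nonce === nonceMatch[1];
  // inline scripts can only be allowed by a nonce (hashes/'unsafe-inline' not modelled)
  if (request.inline) return false;
  if (expr === "'none'") return false;
  if (expr === "'self'") return new URL(request.url).origin === pageOrigin;
  // scheme-source such as `data:` or `https:` matches any URL with that scheme
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(expr)) {
    return new URL(request.url).protocol === expr.toLowerCase();
  }
  // host-source, simplified to an exact origin comparison (no wildcards or paths);
  // anything that is not a parseable URL (e.g. an unmodelled keyword) never matches
  try {
    return new URL(expr).origin === new URL(request.url).origin;
  } catch {
    return false;
  }
}

// A request is allowed if any source expression in the directive matches it.
function scriptAllowed(directiveValue, request, pageOrigin = "https://example.test") {
  return parseScriptSrc(directiveValue).some((e) => sourceExpressionMatches(e, request, pageOrigin));
}

// Constructed requests mirroring the post's demo page, plus one the author did not write.
const cases = {
  nonceModule: { inline: true, nonce: "foo" },                       // <script nonce=foo type=module>
  staticDataImport: { url: "data:text/javascript,console.log(`bar`)" }, // import 'data:...'
  dynamicDataImport: { url: "data:text/javascript,console.log(`baz`)" }, // import('data:...')
  thirdPartyData: { url: "data:text/javascript,alert(document.cookie)" }, // hypothetical injected script
};

// Evaluate every case under one directive value; returns { caseName: allowed }.
function evaluate(directiveValue) {
  const result = {};
  for (const [name, request] of Object.entries(cases)) {
    result[name] = scriptAllowed(directiveValue, request);
  }
  return result;
}

console.log("script-src 'nonce-foo'       ->", evaluate("'nonce-foo'"));
console.log("script-src 'nonce-foo' data: ->", evaluate("'nonce-foo' data:"));
```

Under the first directive only the nonced inline module is authorized by the policy text itself; under the second, the `data:` scheme-source admits the trusted imports and the `thirdPartyData` case alike, which is the trade-off the post describes. Run with `node` to print both tables.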