Rahul,

On 2/21/18 9:55 AM, Rahul Chhabra wrote:
> 
> On Sat, Feb 17, 2018 at 4:30 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Mark,
> 
> On 2/14/18 7:39 AM, Mark Thomas wrote:
>>>> On 14/02/18 11:51, Harrison & Wells wrote:
>>>>> Sorry to disturb you.
>>>>
>>>> Not at all.
>>>>
>>>>> I read the Contributing.md
>>>>> <https://github.com/apache/tomcat/blob/trunk/CONTRIBUTING.md> on
>>>>> your github mirror and even found the beginner issues
>>>>> <https://bz.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&keywords=Beginner&keywords_type=allwords&list_id=160824&product=Tomcat%207&product=Tomcat%208&product=Tomcat%209&query_format=advanced>.
>>>>> Except there are only three of them, out of which one is already
>>>>> solved, one is a case of XML validation (not a bug, technically)
>>>>> and one can be solved using a filter.
>>>>> <https://bz.apache.org/bugzilla/show_bug.cgi?id=58837> So I
>>>>> decided I could go with the filter one but man, CSP is complex
>>>>> and I don't think one could just do a general 'default-src'
>>>>> because even that can be pretty tight. So it is a bit unclear.
>>>>> Thanks for reading. I'd appreciate any help in getting started.
>>>>
>>>> I agree with you completely regarding the complexity of CSP. I'm
>>>> not convinced that a CSP specific filter is possible.
> 
> I guess it just depends upon one's perspective and requirements. For
> our CSP, we just said "we need a sane policy like [no scripts from
> other domains]" and that applies everywhere. That can be done with a
> dead-simple Filter that just regurgitates the same CSP for every
> request.
> 
> But if you want a Filter that tries to guess what the policy of a
> particular page should be, well, then you are indeed going to build a
> PhD-worthy Filter.
> 
>>>> Igal's suggestion in comment #6 is probably the way to go. A
>>>> generic HTTP header filter. I'd look at httpd's mod_headers module
>>>> for inspiration for the sort of features a generic HTTP header
>>>> filter should provide.
> 
> Or just use the rewrite filter Tomcat already provides, if the
> requirements are simple enough.
> 
>>>> I don't think the first iteration needs to completely cover all of
>>>> the mod_headers functionality (adding headers to the response is
>>>> probably enough at this point) but having the eventual
>>>> functionality in mind will ensure that configuration parameters
>>>> (likely filter parameters in this case) are chosen appropriately.
> 
> The only other thing I can think of that a CSP filter could provide
> would be the "signing" capabilities.
> 
> CSP can say "it's okay to run a script as long as the hash of the
> script is #foo". That means that the script-hasher and the CSP header
> have to agree. So perhaps the Filter could maintain an LRU list of
> hashes produced elsewhere (and possible run through the Filter). I
> think this is a big rathole that ... probably nobody should bother to
> go down.
> 
> One can also use a nonce. Technically, the nonce should be one-time
> use (it's called a nonce ffs!), but since you have to actually use it
> twice for it to be useful, I think it's okay for e.g. a Filter to emit
> the same nonce multiple times, for a short period of time.

> Rahul wrote:
> Obviously, *guessing* a policy is beyond mortal comprehension.
>
> We could take the value as an init parameter.
> Then whenever the filter is applied, it just puts that CSP.
> <init-param>
>   <param-name>default-src</param-name>
>   <param-value>'none'</param-value>
> </init-param>
>
> That's one way to make a CSP filter and preserve your sanity.

Yes, that's basically what I had in mind. This should be able to be done
with Tomcat's RewriteValve -- configuration only and no additional code.
So I'm not entirely sure what a CSP-specific Filter/Valve could hope to
achieve.

-chris
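As an added example (not code from this thread, nor from Tomcat itself), the "dead-simple" Filter discussed above: every filter init-param is one CSP directive, the policy string is built once at startup, and the same header is set on every response. The class name StaticCspFilter is an assumption; it is wired up with an ordinary `<filter>` / `<filter-mapping>` in web.xml.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.StringJoiner;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter for this thread: param-name is the CSP directive
// ("default-src"), param-value its source list ("'self'"), joined with "; ".
public class StaticCspFilter implements Filter {
    private static final String HEADER = "Content-Security-Policy";
    private String policy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        StringJoiner joiner = new StringJoiner("; ");
        Enumeration<String> names = config.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String value = config.getInitParameter(name).trim();
            // Directive names are plain tokens; a ';' in a value would smuggle
            // an extra directive into the policy, so reject both at startup.
            if (!name.matches("[A-Za-z-]+") || value.isEmpty() || value.contains(";")) {
                throw new ServletException("Invalid CSP directive: " + name);
            }
            joiner.add(name + " " + value);
        }
        policy = joiner.toString();
        if (policy.isEmpty()) {
            throw new ServletException("StaticCspFilter: no CSP directives configured");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before the chain runs: once the servlet commits the
            // response, later header changes are dropped. setHeader, not addHeader.
            ((HttpServletResponse) res).setHeader(HEADER, policy);
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

Note that a second Content-Security-Policy header (for example one added by a reverse proxy) is enforced in addition to this one, so the effective policy is the intersection, never a loosening.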
