[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat May 9 03:32:53 UTC 2015
#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-------------------------------------+----------------------
Reporter: isis | Owner: isis
Type: enhancement | Status: new
Priority: major | Milestone:
Component: BridgeDB | Version:
Keywords: bridgedb-https security | Actual Points:
Parent ID: | Points:
-------------------------------------+----------------------
Now that BridgeDB uses a tiny bit of Javascript on the
https://bridges.torproject.org/bridges page (to facilitate displaying the
QR code and selecting all the bridge lines), we should consider possibly
adding a [http://www.html5rocks.com/en/tutorials/security/content-
security-policy/ "Content-Security-Policy" (CSP) HTTP header] to responses
from BridgeDB's HTTP(S) server.
While the XSS attack surface of BridgeDB is essentially non-existent, the
idea is instead that a malicious bridge could specify in its Pluggable
Transport arguments in its extrainfo descriptor something like:
{{{
transport obfs4 1.1.1.1:1111 evil=<script>[…]</script>
}}}
If BridgeDB added the CSP HTTP header:
{{{
Content-Security-Policy: default-src 'self'
}}}
Then inline Javascript, inline CSS (CSS3, when combined with HTML5, is
Turing-complete), and loading of fonts, images, blobs, scripts and
basically every other type of content from external sources (i.e.
everything other than https://bridges.torproject.org), would all be
disabled. The only downside appears to be that CSP is not implemented in
IE, so all BridgeDB's users running IE6 and IE7 on WindowsXP boxes in
China (there are ''a lot'' of these boxes in China) could still be
attacked.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list