[tor-bugs] #15968 [BridgeDB]: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 9 07:48:50 UTC 2015


#15968: Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor
-----------------------------+-------------------------------------
     Reporter:  isis         |      Owner:  isis
         Type:  enhancement  |     Status:  new
     Priority:  major        |  Milestone:
    Component:  BridgeDB     |    Version:
   Resolution:               |   Keywords:  bridgedb-https security
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-------------------------------------

Comment (by bastik):

 > a malicious bridge could specify in its Pluggable Transport arguments in
 > its extrainfo descriptor

 I assume it is hard to sanitize the descriptor without breaking anything.
 Although it would benefit all users if script tags were filtered out, and
 pluggable transports don't use them.

 > The only downside appears to be that CSP is not implemented in IE (not
 > until IE10, which apparently has limited support), so all BridgeDB's users
 > running IE6 and IE7 on WindowsXP boxes in China (there are a lot of these
 > boxes in China) could still be attacked.

 If you had to choose (exclusively) between something that is safe for all
 and safe for some, it is arguably better to have it safe for all of them.
 With every new technology, like DEP, ASLR and CSP, older machines with their
 outdated software are left behind.

 It is only a downside if it is an option among (many) others. Thus far it
 is an improvement over the current status. Users unable to upgrade their
 machines to newer OSes, and therefore the built-in browser, can use
 alternative browsers as long as they support those OSes.

 Users on older OSes can still use the service as usual; it does not break,
 and it is not less secure than before. IMO the users on XP should not hinder
 the implementation of CSP, as there is no negative impact.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15968#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
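The two defences discussed in the ticket, escaping bridge fields taken from an untrusted extrainfo descriptor and sending a Content-Security-Policy header on every HTTPS distributor response, as an added Python illustration that is not BridgeDB's own code. The policy string, the bridge-line layout and the sample bridge are assumptions made for this example.

```python
# Added illustration, not BridgeDB's code: defence in depth for the HTTPS
# distributor. Fields from the bridge's own descriptor are HTML-escaped so a
# hostile pluggable-transport argument cannot become markup, and every
# response carries a restrictive CSP so a CSP-capable browser refuses inline
# script even if escaping were ever bypassed. The policy, the line layout and
# the sample values below are assumptions for the example.
from html import escape

# Restrictive policy: same-origin resources only, no inline script or style,
# no plugins, no framing.
CSP_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self'; "
    "img-src 'self'; object-src 'none'; frame-ancestors 'none'"
)


def render_bridge_line(transport, address, port, fingerprint, pt_args):
    """Render one bridge line as HTML, escaping every field that
    originates from the bridge's (untrusted) extrainfo descriptor."""
    args = " ".join(
        "%s=%s" % (escape(k, quote=True), escape(v, quote=True))
        for k, v in sorted(pt_args.items())
    )
    line = "%s %s:%d %s %s" % (
        escape(transport, quote=True), escape(address, quote=True),
        port, escape(fingerprint, quote=True), args)
    return '<pre class="bridge-line">%s</pre>' % line.strip()


def build_response(bridge_lines):
    """Return (headers, body) for a bridge-lines page. Shown as plain dicts
    so it runs stand-alone; a Twisted resource would set the header with
    request.setHeader() instead."""
    body = "<html><body>%s</body></html>" % "".join(
        render_bridge_line(*b) for b in bridge_lines)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_POLICY,
    }
    return headers, body


if __name__ == "__main__":
    # Constructed sample: a bridge whose PT argument carries a script tag.
    hostile = ("obfs4", "192.0.2.10", 443, "0" * 40,
               {"cert": "<script>alert(1)</script>", "iat-mode": "0"})
    hdrs, page = build_response([hostile])
    print(hdrs["Content-Security-Policy"])
    print(page)
```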

