Is Snow useless without CSP? #109

Closed
weizman opened this issue Jun 22, 2023 · 2 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed

Comments


weizman commented Jun 22, 2023

I'm lately coming to the realization that Snow cannot protect same origin realms completely and will need some help from CSP.
I'd like to start an initiative around encouraging users to remember to use Snow while implementing some baseline of CSP. This creates a few tasks:

  1. Research and understand what the things are, and what the spectrum is, that Snow won't be able to defend against
  2. Come up with a CSP that is as permissive as possible while helping Snow with protection as much as possible
  3. Make it clear in the documentation that this level of CSP is needed, explain it, and break down the different directives
  4. Create a hardened version of the demo that applies the CSP, so that we'll be able to differentiate between Snow vulns that bypass both Snow and CSP and ones that bypass just Snow

This is important for the future of Snow because it's probably close to useless without CSP since there are some techniques Snow cannot defend against (unfortunately).

@weizman weizman added documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed labels Jun 22, 2023

weizman commented Jul 3, 2023

Some thoughts

  • Started Enforce Snow integration with CSP #118, which attempts to introduce a baseline of CSP to fight off the issues we are no longer sure we can solve without it
  • In order for this project to work, we need a good infra for that
  • We need to create an easy way to tell websites if their current CSP allows a bypass of Snow
  • To do that, it would be neat to have a website that fetches the CSP of a web app, applies it to itself and then runs all of Snow's tests
  • Or, maybe instead we should support running Snow's current tests against any given website on demand?
  • Also, we need to communicate somehow what the needed CSP is to help Snow stay bulletproof.
  • I don't yet know if the current CSP implemented in Enforce Snow integration with CSP #118 is enough to hold off all Snow vulns, including open ones; need to verify
  • And from the other end, need to make sure the current Enforce Snow integration with CSP #118 CSP isn't too harsh; would be great to see if it works on MM
  • What would also help is if we communicate the importance of implementing Snow in all same origin pages, this should help with issues such as Snow can be bypassed with ...data: URI #73


weizman commented Jul 17, 2023

Closing for now after merging #118

@weizman weizman closed this as completed Jul 17, 2023