Skip to content

Consider relaxing prefetch-src and preload as #542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
noamr opened this issue Mar 2, 2022 · 8 comments · Fixed by #582
Closed

Consider relaxing prefetch-src and preload as #542

noamr opened this issue Mar 2, 2022 · 8 comments · Fixed by #582

Comments

@noamr
Copy link
Contributor

noamr commented Mar 2, 2022

Reading through past decision like introducing prefetch-src and yet-to-be-decided issues like CSP for preconnect and dns-prefetch, I believe we can improve the way these resource hints integrate with CSP. I would like to propose an alternate viewpoint.

The goals of CSP are to prevent:

  • content injection
  • to some extent, exfiltration

A preload and a prefetch (and to a greater degree, preconnect and dns-prefetch) are not in themselves able to "inject content" - their content is not used by the document until discovered by a subsequent fetch that would have to pass CSP checks again. IIUC, the only risk with those hints is exfiltration. Unless there are things CSP comes to prevent that I'm anaware of.

With content injection, the type of resource matters. e.g. you want to allow embedding an image from some particular CDN, but not execute scripts.

But with exfiltration, the type of resource does not make any difference. If cross-origin images are allowed but not scripts, you can still send out requests by piggy-backing them on images.

So, the only way to really prevent exfiltration, is by having something like default-src: none or default-src: self - thus preventing all types of resources from making requests.

So my suggestion is:

  • Resource hints, including prefetch, preconnect, dns-prefetch (and optionally preload without as) would default to the most lenient directive in the current policy regarding the URL in question
  • prefetch-src would still be valid, as a way to relax restictions only for resource hints
@noamr noamr mentioned this issue Mar 2, 2022
Open
@noamr
Copy link
Contributor Author

noamr commented Mar 2, 2022

/cc @mikewest @annevk @yoavweiss

@annevk
Copy link
Member

annevk commented Mar 15, 2022

That seems reasonable.

@noamr noamr mentioned this issue Apr 10, 2022
Closed
@hiroshige-g
Copy link

a subsequent fetch that would have to pass CSP checks again

This is not 100% true for <link rel=preload> because e.g. the subsequent fetch doesn't perform CSP checks on redirects.
Is <link rel=preload> intentionally excluded from the proposal for this reason?

@noamr
Copy link
Contributor Author

noamr commented Apr 26, 2022

a subsequent fetch that would have to pass CSP checks again

This is not 100% true for <link rel=preload> because e.g. the subsequent fetch doesn't perform CSP checks on redirects. Is <link rel=preload> intentionally excluded from the proposal for this reason?

It's included as long as it doesn't have as. If we can relax preload as, we also can relax its CSP to be the same as prefetch.

@noamr noamr mentioned this issue Sep 21, 2022
Open
noamr added a commit to noamr/webappsec-csp that referenced this issue Dec 19, 2022
@noamr
Use "least restrictive" directive instead of prefetch-src
04c1f65 
When prefetching a resource (or preconnecting to an origin),
the destination of the request is unknown and also not important.

e.g. if this resource is a script and would be disallowed by
`script-src`, the directive would be invoked again when the
response is about to be consumed and would be rejected then.

The only security measure valid for prefetch/preconnect is to
avoid exfiltration - i.e. block the request when the default
directive blocks this URL and no other directive allows it.

Closes w3c#542
@noamr noamr mentioned this issue Dec 19, 2022
Merged
@jeremyroman
Copy link

Should Fetch be updated to reflect the removal of this? It still refers to prefetch-src.

@noamr
Copy link
Contributor Author

noamr commented Jan 17, 2023

Should Fetch be updated to reflect the removal of this? It still refers to prefetch-src.

Yes! Good catch, thanks

@annevk
Copy link
Member

annevk commented Feb 8, 2023

whatwg/fetch@a48b8ba

@ingmarh ingmarh mentioned this issue May 5, 2023
Closed
@vejja vejja mentioned this issue Sep 27, 2024
Closed
@vejja
Copy link

vejja commented Sep 27, 2024

+1
Nuxt is facing similar issue as React here.
Would be good if we could also relax preload.
Otherwise <link rel="preload" as="script"> gets blocked even though script itself is authorized.
See nuxt/scripts#280 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use "least restrictive" directive instead of prefetch-src noamr/webappsec-csp
5 participants
@noamr @jeremyroman @annevk @vejja @hiroshige-g