Opened 4 years ago

Closed 4 years ago

#15968 closed enhancement (fixed)

Add a "Content-Security-Policy" header to BridgeDB's HTTPS Distributor

Reported by: isis
Owned by: isis
Priority: High
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity:
Keywords: bridgedb-https, security, bridgedb-0.3.3
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by isis)

Now that BridgeDB uses a tiny bit of Javascript on the https://bridges.torproject.org/bridges page (to facilitate displaying the QR code and selecting all the bridge lines), we should consider possibly adding a "Content-Security-Policy" (CSP) HTTP header to responses from BridgeDB's HTTP(S) server.

While the XSS attack surface of BridgeDB is essentially non-existent, the idea is instead that a malicious bridge could specify in its Pluggable Transport arguments in its extrainfo descriptor something like:

transport obfs4 1.1.1.1:1111 evil=<script>[…]</script>

If BridgeDB added the CSP HTTP header:

Content-Security-Policy: default-src 'none'; base-uri https://bridges.torproject.org; script-src https://bridges.torproject.org; style-src https://bridges.torproject.org; img-src https://bridges.torproject.org data:; font-src https://bridges.torproject.org; frame-options 'deny';

Then inline Javascript, inline CSS (CSS3, when combined with HTML5, is Turing-complete), and loading of fonts, images, blobs, scripts and basically every other type of content from external sources (i.e. everything other than https://bridges.torproject.org), would all be disabled. The only downside appears to be that CSP is not implemented in IE (not until IE10, which apparently has limited support), so all BridgeDB's users running IE6 and IE7 on WindowsXP boxes in China (there are a lot of these boxes in China) could still be attacked.

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by isis

Description: modified (diff)

comment:2 Changed 4 years ago by bastik

a malicious bridge could specify in its Pluggable Transport arguments in its extrainfo descriptor

I assume it is hard to sanitize the descriptor without breaking anything. Although it would benefit all users if script tags were filtered out, and pluggable transports don't use them.

The only downside appears to be that CSP is not implemented in IE (not until IE10, which apparently has limited support), so all BridgeDB's users running IE6 and IE7 on WindowsXP boxes in China (there are a lot of these boxes in China) could still be attacked.

If you had to choose (exclusively) between something that is safe for all and safe for some, it is arguably better to have it safe for all of them. With every new technology, like DEP, ASLR and CSP, older machines with their outdated software are left behind.

It is only a downside if it is an option among (many) others. Thus far it is an improvement over the current status. Users unable to upgrade their machines to newer OSes and therefore the built-in browser can use alternative browsers as long as they support those OSes.

Users on older OSes can still use the service as usual, it does not break, it is not less secure than before. IMO the users on XP should not hinder the implementation of CSP, as there is no negative impact.

comment:3 in reply to: 2 Changed 4 years ago by isis

Replying to bastik:

a malicious bridge could specify in its Pluggable Transport arguments in its extrainfo descriptor

I assume it is hard to sanitize the descriptor without breaking anything. Although it would benefit all users if script tags would be filtered out and pluggable transports don't use them.
We do this too. See commit faf48983 and commit ccb3b8d1.

comment:4 Changed 4 years ago by isis

Keywords: bridgedb-0.3.3 added
Status: new → needs_review

I've added a twisted.web.resource.Resource class for BridgeDB's HTTPS Distributor, called CSPResource, which adds methods that the other resources inherit and which set the CSP header for the HTTP response. My changes are in my 15968-16649-csp-and-mobile branch.

The default CSP header is controllable via some config file options:

# Content Security Policy Settings
# --------------------------------

# (boolean) If True, enable use of CSP headers.  This must be True for any
# other CSP-related options to have any effect.
#
# If enabled, the default Content Security Policy (CSP) is:
#
#     default-src 'none' ;
#     base-uri FQDN ;
#     script-src FQDN ;
#     style-src FQDN ;
#     img-src FQDN data: ;
#     font-src FQDN ;
#
# where "FQDN" is the value of the SERVER_PUBLIC_FQDN config setting.
#
# If CSP_INCLUDE_SELF is enabled, then "'self'" (literally, the word self
# surrounded by single-quotes) will be appended to the value of the
# SERVER_PUBLIC_FQDN config setting to create the "FQDN".

CSP_ENABLED = True

# (boolean) If True (and CSP_ENABLED is also True), then set a "report-only"
# Content Security Policy.  This means that client agents which run into
# problems with or cause violations of our CSP settings will report data
# regarding the problems/violations.  This report data is then logged (at the
# DEBUG level), along with the client's IP address (only if SAFELOGGING is
# disabled, otherwise the client's IP address is not reported).

CSP_REPORT_ONLY = False

# (boolean) If True, then append "'self'" to the "FQDN" in the default CSP
# header described above.

CSP_INCLUDE_SELF = True
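The following is an added example illustrating both the policy proposed in the ticket description and the config switches documented above; it is not BridgeDB's CSPResource or any other code from the project. It builds the header value from a SERVER_PUBLIC_FQDN, honours CSP_ENABLED, CSP_REPORT_ONLY and CSP_INCLUDE_SELF, parses a policy back into directives so the result can be checked for 'unsafe-inline', and HTML-escapes an untrusted bridge line as the defence-in-depth layer that the CSP backs up. The CSPConfig class and all function names are assumptions made for this example.

```python
"""Build and check BridgeDB-style Content-Security-Policy headers.

Added example, not BridgeDB's own code.  Config field names mirror the
ticket's options (SERVER_PUBLIC_FQDN, CSP_ENABLED, CSP_REPORT_ONLY,
CSP_INCLUDE_SELF); the CSPConfig class and the functions are hypothetical.
"""
import html
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CSPConfig:
    server_public_fqdn: str          # SERVER_PUBLIC_FQDN
    csp_enabled: bool = True         # CSP_ENABLED
    csp_report_only: bool = False    # CSP_REPORT_ONLY
    csp_include_self: bool = True    # CSP_INCLUDE_SELF


def csp_source_list(config: CSPConfig) -> str:
    """The "FQDN" source expression: the public FQDN, plus 'self' if enabled."""
    sources = [config.server_public_fqdn]
    if config.csp_include_self:
        sources.append("'self'")
    return " ".join(sources)


def build_csp_policy(config: CSPConfig) -> str:
    """Serialise the default policy from the ticket's config comment."""
    fqdn = csp_source_list(config)
    directives = [
        ("default-src", "'none'"),        # deny everything not listed below
        ("base-uri", fqdn),               # no <base> retargeting of relative URLs
        ("script-src", fqdn),             # no inline script, no third-party script
        ("style-src", fqdn),              # no inline CSS
        ("img-src", f"{fqdn} data:"),     # data: is needed for the QR code image
        ("font-src", fqdn),
    ]
    return "; ".join(f"{name} {value}" for name, value in directives)


def csp_header(config: CSPConfig) -> Optional[Tuple[str, str]]:
    """Header (name, value) to set on a response, or None when CSP is disabled.

    Report-only mode uses the *-Report-Only header name, so browsers log
    violations instead of blocking, which is how a policy is trialled first.
    """
    if not config.csp_enabled:
        return None
    name = ("Content-Security-Policy-Report-Only"
            if config.csp_report_only else "Content-Security-Policy")
    return name, build_csp_policy(config)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialised policy into {directive: [source, ...]}.

    Tolerates a trailing ';' and extra whitespace, as in the header quoted
    in the ticket description.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def forbids_inline_script(policy: str) -> bool:
    """True if neither scripts nor styles may be inline under this policy.

    script-src and style-src fall back to default-src when absent.
    """
    directives = parse_csp(policy)
    fallback = directives.get("default-src", [])
    for name in ("script-src", "style-src"):
        if "'unsafe-inline'" in directives.get(name, fallback):
            return False
    return True


def render_bridge_line(transport_line: str) -> str:
    """Escape an untrusted bridge line before placing it in HTML.

    A bridge controls its own PT arguments, so this text must never be
    emitted raw; the CSP above is the second layer if escaping is missed.
    """
    return html.escape(transport_line, quote=True)


if __name__ == "__main__":
    cfg = CSPConfig("https://bridges.torproject.org")
    print(csp_header(cfg))
    # Constructed sample line, modelled on the one in the ticket description.
    print(render_bridge_line("transport obfs4 1.1.1.1:1111 evil=<script>[…]</script>"))
```

With CSP_INCLUDE_SELF off, the output is exactly the header proposed in the description minus its non-standard frame-options directive; turning CSP_REPORT_ONLY on swaps only the header name, so the same policy can be trialled before enforcement.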

comment:5 Changed 4 years ago by isis

Resolution: fixed
Status: needs_review → closed

Merged for BridgeDB 0.3.3.

In the future, once they are more supported by browsers, we may want to look into also including the reflected-xss and frame-ancestors Content Security Policy v2.0 directives.
