Dropbox Web Security in Practice: Content Security Policy (CSP) Violation Reporting and Filtering
One of the web security measures Dropbox relies on is Content Security Policy (CSP). Devdatta Akhawe, a security engineer at Dropbox, described the details of and experience with CSP at Dropbox in a series of four articles. Dropbox's CSP greatly reduces the impact of XSS and content injection attacks, but deploying strict CSP rules at scale comes with many challenges, and the goal of the series is to share what Dropbox learned with the wider development community. The first article describes how to set up a pipeline that filters violation reports so that real policy errors stand out from noise. The second describes how Dropbox uses nonces to remove 'unsafe-inline' from the policy. The third covers how to reduce the risk of 'unsafe-eval', including the open-source patches Dropbox developed for that purpose. The last describes how to reduce the risk of integrating third-party software through privilege separation. This is the first article in the series: it covers CSP violation reporting and report filtering.
Dropbox deploys a strict Content Security Policy (CSP). If you are not familiar with CSP, read Mike West's excellent introduction to CSP. In short, CSP is a declarative mechanism by which a web application whitelists the trusted sources of the content it loads (scripts, objects, images, and so on).
By restricting where content may come from, CSP reduces the risk of injection attacks in web applications. For example, here is a script-src directive:

script-src https://www.google.com/recaptcha/api/ https://ajax.googleapis.com/ajax/libs/jquery/ https://cf.dropboxstatic.com/static/api/ https://cf.dropboxstatic.com/static/javascript/ https://cf.dropboxstatic.com/static/coffee/compiled/ https://www.dropboxstatic.com/static/javascript/ https://www.dropboxstatic.com/static/coffee/ 'unsafe-eval' 'self' 'unsafe-inline' 'nonce-w+NfAhVZiaXzHT1RmBqS'

The directive lists all the URIs (browsers support full paths, not only origins) from which script may be loaded. When a CSP-capable browser encounters a script tag, it checks the src attribute against the script-src whitelist. If the script's source is not on the whitelist (for example, because the tag was injected through an HTML injection vulnerability), the browser blocks the request. Note that this particular policy still contains 'unsafe-inline' and 'unsafe-eval', which weaken it considerably; removing them is the subject of the second and third articles in the series.
Filtering CSP Violation Reports
Getting an enforced CSP right for a complex web application is hard. CSP offers a trick that helps: report-only mode. In report-only mode the browser blocks nothing; it only sends a violation report to an endpoint chosen by the policy's author, so a site can test a policy against real traffic without breaking the application. For example, a report-only policy of script-src 'none' produces a report for every script the page loads, which tells you where all of your scripts come from.

Report-only mode makes CSP deployment feasible: iterate on the policy in report-only mode until no more reports arrive, then switch it to enforcement. This is the recommended first step before enforcing a CSP. At a recent workshop the author attended, a panel of security experts singled out report-only mode as a key reason CSP has seen adoption: it lets a site evaluate the effect of a policy before the policy takes effect.
Violation reports are essential for getting feedback on a deployed policy. Dropbox ran in report-only mode for several months before switching CSP to enforcement ("blocking") mode. But as soon as we deployed CSP at scale we hit our first problem: the sheer volume of noise in the reports makes the default reporting mechanism useless on its own.

We found that the biggest source of noise is browser extensions. Extensions routinely modify the page by injecting scripts or other content. Since CSP blocks all content the policy does not allow, the content an extension injects may be blocked by the browser, and a report is sent. If we simply logged every report we received, the log would be full of these. Since we do not control the extensions, there is nothing to do about such reports except filter them out.
After a year of running CSP at scale, Dropbox has a finely tuned filter that ignores the common false positives. Our reporting pipeline drops the reports that are false positives and forwards the remaining, valid reports to our analysis backend. In the spirit of CSP evangelism, we are sharing this filter in the hope that other developers can use it. We strongly recommend Neil Matatall's article on refining CSP report handling; the list we use borrows techniques from it.

At first glance, filtering violation reports may seem odd: wouldn't you want to know when adware or a spam extension modifies your web application? But what matters here is the pre-enforcement phase of CSP, where the concern is to make sure the CSP whitelist will not break the web application. Filtering the noise out of the reports lets us verify that the application itself works correctly under the policy. Once the policy is enforced, the browser blocks these injected modifications whether or not we log them.
The filter has two stages. The first stage filters on the scheme of the blocked URI (the blocked-uri field of the report):

_ignored_blockedURI_schemas = [
    "http:",                  # We never use HTTP content so not a legit report
    "mxaddon-pkg",            # maxthon addon packages
    "jar:",                   # firefox addons
    "file:",                  # we never insert file URIs into the page
    "tmtbff://",              # ticketmaster toolbar?
    "safari",                 # safari extensions
    "chrome",                 # stuff like chromenull:, chrome://, chrome-extension://
    "webviewprogressproxy:",  # added by browsers in webviews
    "mbinit:",                # MapBuilder
    "symres:",                # Norton
    "resource",               # firefox resource:// URIs
]

If the blocked URI starts with any of these strings, the report is ignored. The second stage filters on the host part of the blocked URI:

_ignored_blockedURI_hosts = [
    "tlscdn",
    ".superfish.com",
    "addons.mozilla.org",
    "v.zilionfast.in",
    "widgets.amung.us",
    "xls.searchfun.in",
    "static.image2play.com",
    "localhost",
    "127.0.0.1",
    "guzzlepraxiscommune",
    "tfxiq",
    "akamaihd.net",  # Dropbox doesn't use Akamai CDN
    "apollocdn",
    "worldssl.net",
    "shwcdn.net",
    "cmptch.com",
    "datafastguru.info",
    "eshopcomp.com",
    "hwcdn.net",
]

If the host of the blocked URI contains any of these substrings, the report is not logged. Before using this list, make sure that none of these domains is used by your own site.
Extensions that modify the CSP header itself are another source of noise. To ignore those, we also filter on the violated-directive field of the report: if it contains "http:" or ":443", the report is dropped, because our policy never contains those strings, so the policy the browser evaluated was not the one we served. A more robust variant we are considering is to append a hash of the current policy to the report-uri and accept only reports whose reported policy matches that hash; we have not put this into practice yet.
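The pipeline described above, from the report body a browser POSTs to report-uri (the report-only mode discussed earlier) through the two-stage blocked-uri filter and the violated-directive check, plus an illustration of the policy-hash idea, as an added Python example. This is not Dropbox's own code. It assumes the standard report JSON wrapper ("csp-report" with blocked-uri, violated-directive and original-policy fields); the function names is_noise, filter_reports, policy_hash, matches_served_policy and make_report are this example's own, and the sample report bodies are constructed, not real traffic.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Stage 1: scheme prefixes of blocked URIs to ignore (the page's first list).
IGNORED_BLOCKED_URI_SCHEMES = [
    "http:", "mxaddon-pkg", "jar:", "file:", "tmtbff://", "safari", "chrome",
    "webviewprogressproxy:", "mbinit:", "symres:", "resource",
]

# Stage 2: host substrings of blocked URIs to ignore (the page's second list).
IGNORED_BLOCKED_URI_HOSTS = [
    "tlscdn", ".superfish.com", "addons.mozilla.org", "v.zilionfast.in",
    "widgets.amung.us", "xls.searchfun.in", "static.image2play.com",
    "localhost", "127.0.0.1", "guzzlepraxiscommune", "tfxiq", "akamaihd.net",
    "apollocdn", "worldssl.net", "shwcdn.net", "cmptch.com",
    "datafastguru.info", "eshopcomp.com", "hwcdn.net",
]

# Stage 3: strings that never occur in the policy we serve; seeing one in the
# violated directive means an extension rewrote the policy before the browser
# evaluated it.
FOREIGN_DIRECTIVE_MARKERS = ["http:", ":443"]


def is_noise(report):
    """Return the reason a parsed csp-report dict should be dropped, or None.

    Checks run in the page's order: blocked-uri scheme, blocked-uri host,
    then violated-directive.
    """
    blocked = report.get("blocked-uri", "")
    for scheme in IGNORED_BLOCKED_URI_SCHEMES:
        if blocked.startswith(scheme):
            return "ignored scheme: " + scheme
    # blocked-uri may be a keyword such as "inline" or "eval"; urlsplit then
    # yields no hostname and the host stage matches nothing.
    try:
        host = urlsplit(blocked).hostname or ""
    except ValueError:  # e.g. unbalanced IPv6 brackets in a hostile report
        host = ""
    for fragment in IGNORED_BLOCKED_URI_HOSTS:
        if fragment in host:
            return "ignored host: " + fragment
    directive = report.get("violated-directive", "")
    for marker in FOREIGN_DIRECTIVE_MARKERS:
        if marker in directive:
            return "policy modified by extension: " + marker
    return None


def filter_reports(bodies):
    """Parse POSTed report bodies; return the csp-report dicts worth logging."""
    kept = []
    for body in bodies:
        try:
            report = json.loads(body)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # not a browser-generated report; drop silently
        if is_noise(report) is None:
            kept.append(report)
    return kept


def policy_hash(policy):
    """Short hash of the served policy, to be appended to report-uri
    (e.g. /csp-report?p=<hash>) so the endpoint knows which policy was sent.
    Illustrates the approach the page proposes but has not deployed."""
    return hashlib.sha256(policy.encode("utf-8")).hexdigest()[:16]


def matches_served_policy(report, expected_hash):
    """True if the policy the browser reports it enforced (original-policy)
    hashes to the value carried in report-uri. Browsers may re-serialise the
    header, so a real deployment may need to normalise whitespace first."""
    return policy_hash(report.get("original-policy", "")) == expected_hash


# Hypothetical served policy and constructed sample report bodies, in the
# shape a browser POSTs to report-uri. Not real Dropbox traffic.
SERVED_POLICY = "script-src https://cf.dropboxstatic.com/static/javascript/ 'self'"


def make_report(blocked, directive=SERVED_POLICY):
    return {"blocked-uri": blocked, "violated-directive": directive,
            "original-policy": directive}


SAMPLE_BODIES = [json.dumps({"csp-report": r}) for r in [
    make_report("https://evil.example/x.js"),                      # genuine: unknown host
    make_report("chrome-extension://abcdefghijklmnop/inject.js"),  # Chrome extension
    make_report("https://www.superfish.com/ws/sf_main.jsp"),       # adware injection
    make_report("inline"),                                         # genuine: inline script
    make_report("https://cf.dropboxstatic.com/static/javascript/core.js",
                SERVED_POLICY + " https://www.dropbox.com:443"),   # policy rewritten
]] + ["not json"]  # malformed body, e.g. a scanner hitting report-uri

if __name__ == "__main__":
    for r in filter_reports(SAMPLE_BODIES):
        print("log:", r["blocked-uri"], "|", r["violated-directive"])
```

Of the six constructed bodies only the unknown-host and inline-script violations survive the filter; the extension, adware, rewritten-policy and malformed bodies are dropped before they reach the log.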