Incomplete support for CSP #2663

Closed
edukisto opened this issue Nov 30, 2020 · 4 comments · Fixed by #2664
Comments

@edukisto
Contributor

edukisto commented Nov 30, 2020

Information

  • Language: CSP
  • Plugins: none

Does the problem still occur in the latest version of Prism?

Yes.

Description

New directives and keywords

From the latest (2018-10-15) working draft of CSP3:

  • navigate-to;
  • prefetch-src;
  • script-src-attr;
  • script-src-elem;
  • style-src-attr;
  • style-src-elem;
  • 'report-sample';
  • 'unsafe-allow-redirects';
  • 'unsafe-hashes'.

From Trusted Types:

  • require-trusted-types-for;
  • trusted-types;
  • 'allow-duplicates';
  • 'script'.

These are partially implemented in Blink (Chromium, Chrome, etc.) and Gecko (Firefox).

Also, Google Cobalt recognizes the suborigin directive.

By the way, there are a bunch of relevant (input-protection) and dropped (input-protection-clip, input-protection-selectors) directives from User Interface Security and the Visibility API, but I don’t know of any software that uses these directives.

Old directives and keywords

Prism supports some directives and keywords that have been dropped from CSP (see the table below).

| Token | Introduced in | Removed from |
|---|---|---|
| disown-opener | CSP3. WD. 2016-08-01 | CSP3. WD. 2018-10-15 |
| referrer | CSP 1.1. WD. 2014-02-11 | CSP2. CR. 2015-02-19 |
| reflected-xss | CSP 1.1. WD. 2012-12-13 | CSP2. CR. 2015-02-19 |
| 'unsafe-hashed-attributes' | CSP3. WD. 2016-06-21 | CSP3. WD. 2018-10-15 |

Gecko still recognizes reflected-xss as a directive, albeit ignored.

Here are some directives and keywords that have also been dropped from CSP and have no support in Prism (see the table below).

| Token | Introduced in | Removed from |
|---|---|---|
| policy-uri | CSP 1.0. WD. 2011-11-29 | CSP 1.0. WD. 2012-07-10 |
| 'unsafe-hash-attributes' | CSP3. WD. 2016-04-25 | CSP3. WD. 2016-06-21 |

Blink recognizes policy-uri as a “removed from the specification” directive. Should policy-uri and 'unsafe-hash-attributes' be added for consistency?

Code snippet

The code being highlighted incorrectly.
default-src 'report-sample' 'unsafe-hash-attributes' 'unsafe-hashes';
navigate-to 'unsafe-allow-redirects';
prefetch-src;
script-src-attr;
script-src-elem;
style-src-attr;
style-src-elem;

require-trusted-types-for 'script';
trusted-types foo bar 'allow-duplicates';

suborigin;

input-protection;
input-protection-clip;
input-protection-selectors;

policy-uri https://example.com;

(script-src-attr, script-src-elem, style-src-attr, style-src-elem are partly highlighted due to #2661.)

Questions

  1. Should I add new directives and keywords from CSP and Trusted Types?
  2. Should I add suborigin?
  3. Should I add input-protection?
  4. Should I add input-protection-clip and input-protection-selectors?
  5. Should I remove directives and keywords that have been dropped from CSP (disown-opener, referrer, reflected-xss, 'unsafe-hashed-attributes')?
  6. Should I add directives and keywords that have been dropped from CSP (policy-uri and 'unsafe-hash-attributes')?
@RunDevelopment
Member

Thank you for doing all this research @edukisto!

I think that Prism should support all keywords and directives that made it into a WD or RC of CSP. We can't assume that people only use Prism to highlight the latest version of CSP, so we do have to support some older versions as well. To answer your questions:

  1. CSP3, yes. Trusted Types, no. TT is only an Editor's draft right now and "is provided for discussion only and may change at any moment."
  2. It's not part of the CSP spec, so no.
  3. Yes, and...
  4. yes. The UI Security and the Visibility API seems to be fairly official, so let's support it.
  5. No, people might want to highlight code containing these tokens, so let's keep them.
  6. Yes, please.

@edukisto
Contributor Author

OK.

I forgot to mention 'unsafe-dynamic'.

| Token | Introduced in | Removed from |
|---|---|---|
| 'unsafe-dynamic' | CSP3. WD. 2016-04-25 | CSP3. WD. 2016-06-21 |

@RunDevelopment
Member

'unsafe-dynamic' can go into Prism as well ;)

@edukisto
Contributor Author

edukisto commented Dec 1, 2020

Some notes:

  • directive values are case-insensitive, as are directive names;
  • in CSP2, hashes and nonces are base64 ([+/\d=A-Za-z]+) values. CSP3 also allows base64url ([-\d=A-Z_a-z]+) values.

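The token lists and the two notes above (case-insensitive matching, base64 vs. base64url for hashes and nonces) can be exercised with a small stand-alone tokenizer. This is an added example, not Prism's CSP grammar or any code from the thread; the directive and keyword sets are taken from the issue and are deliberately incomplete.

```javascript
// Added example (not Prism's own grammar): a minimal CSP tokenizer that applies
// the rules discussed in the issue. The sets below list only the tokens the
// thread mentions plus a few common ones; they are not a full CSP grammar.
const DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'report-uri', 'report-to',
  // CSP3 working-draft additions listed in the issue
  'navigate-to', 'prefetch-src', 'script-src-attr', 'script-src-elem',
  'style-src-attr', 'style-src-elem',
  // User Interface Security and the Visibility API
  'input-protection', 'input-protection-clip', 'input-protection-selectors',
  // dropped from CSP, kept so older policies still highlight
  'disown-opener', 'referrer', 'reflected-xss', 'policy-uri',
]);
const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
  "'report-sample'", "'unsafe-allow-redirects'", "'unsafe-hashes'",
  "'unsafe-hashed-attributes'", "'unsafe-hash-attributes'", "'unsafe-dynamic'",
]);
// CSP2 permits base64 only; CSP3 also permits base64url. Both are accepted.
const B64 = "([+/\\d=A-Za-z]+|[-\\d=A-Z_a-z]+)";
const HASH_RE = new RegExp(`^'(sha256|sha384|sha512)-${B64}'$`, 'i');
const NONCE_RE = new RegExp(`^'nonce-${B64}'$`, 'i');

// Classify one whitespace-separated word; names and values are compared
// case-insensitively, as the issue notes.
function classify(word, isFirst) {
  const lower = word.toLowerCase();
  if (isFirst) return DIRECTIVES.has(lower) ? 'directive' : 'unknown-directive';
  if (KEYWORDS.has(lower)) return 'keyword';
  if (HASH_RE.test(word)) return 'hash';
  if (NONCE_RE.test(word)) return 'nonce';
  return 'source';
}

// Split a serialized policy on ';' into directives, then each directive on
// whitespace into its name and values, returning typed tokens in order.
function tokenizeCsp(policy) {
  const out = [];
  for (const directive of policy.split(';')) {
    const words = directive.trim().split(/\s+/).filter(Boolean);
    words.forEach((w, i) => out.push({ text: w, type: classify(w, i === 0) }));
  }
  return out;
}
```

Running tokenizeCsp over the snippet from the issue shows suborigin and the Trusted Types tokens falling through as unknown, which is the behaviour the maintainer asked for.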