Inconsistency: Default `content_security_policy`

[carlosjeurissen]

Background

Currently no good documentation is present on what the default content_security_policy is for every context (extension_pages, content_scripts and sandbox). This is a must when composing a custom CSP, especially when default-src is not set.

Firefox documentation gives:
script-src 'self'; object-src 'self';
See: MDN Docs

Chrome documentation gives:
default-src 'self'; connect-src * data: blob: filesystem:; style-src 'self' data: 'unsafe-inline'; img-src 'self' data:; frame-src 'self' data:; font-src 'self' data:; media-src * data: blob: filesystem:;
See: Chrome Docs. However, this seems to only apply to the legacy Chrome Apps.

Also no info is present on what the default is in MV3 or if it differs from MV2.

Action items

• Have an overview of each default CSP in each context for each browser and manifest_version
• Streamline the default CSP across browsers

Proposals

1. To best showcase what an extension does, how it's permissions are used and to decrease the attack surface with security vulnerabilities, requiring default-src in custom CSP could be proposed.
2. Have a default CSP (either as replacement or in addition to the above default) which won't be overridden by the extension custom CSP which will function next to the custom CSP. This could make restrictions more understandable / technically implementable.

See also:

• Inconsistency: custom content_security_policy browser restrictions #99

[Rob--W]

The documentation that you've linked for Chrome is specific to Chrome apps, and the source code confirms that this is Chrome app-specific: https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc;l=44;drc=2d18bf1fec6017d20ced5b6110fdbfc8a342ebb5

Extensions have a default CSP similar to Firefox: https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc;l=33;drc=ce6c3b02c5cc847a3febdef23416e1ae7feaa9f9

[bradcush]

Linking this specific Chromium bug related to WASM support and the extension specific wasm-eval directive. https://bugs.chromium.org/p/chromium/issues/detail?id=1173354#c48 As mentioned, with the most recent updates in Chrome when run with the flag --enable-features=AllowWasmInMV3, wasm-eval can now be specified but WASM works as well now with no CSP specified whether the extension is run as MV2 or MV3.

[Rob--W]

Chrome has landed a patch that changed the default CSP to script-src 'self' 'wasm-unsafe-eval'; object-src 'self'; (https://bugs.chromium.org/p/chromium/issues/detail?id=1173354#c60).

Firefox is about to support 'wasm-unsafe-eval' too, but will only include 'wasm-unsafe-eval' in MV2's default CSP, and removes it from the MV3 CSP.

I have filed two follow-up bugs to work towards the resolution of the differences:

• https://bugzilla.mozilla.org/show_bug.cgi?id=1766027
• https://bugs.chromium.org/p/chromium/issues/detail?id=1318922

P.S. As noted in the Chromium report, there is not that much point in requiring object-src, because plugin support has been dropped from browsers. We may as well remove object-src from the default CSP to clean up the platform.

[rdcronin]

Hi folks!

We're looking into this (Extension CSP) on the Chrome side to address a number of outstanding issues we have. I'd like to see if we can align with other browser vendors where possible.

I've written up a doc with a proposal here:
https://docs.google.com/document/d/1m82BcCPWDTEzy1R6gbCbUwe-ma-bCTTF_JwRnt3O_IA/edit#heading=h.uvfu5unrnahu

(World-viewable, feel free to request comment access.)

Please let us know what you think.

[carlosjeurissen]

@rdcronin Thanks so much! Good to see this! Can you grant comment access? (As far as I know requesting comment access directly in Google Docs is not possible at this moment)

[rdcronin]

We've had issues in the past with various spam when opening up comments to anyone on the web with the link — for anyone who wants access, go ahead and request edit access and I'll grant comment access to the email address from the request.

(Separately, @dotproto , can we create a WECG Google Group so that we can easily share docs with that alias?)

[dotproto]

@rdcronin, I started looking into this. I've created a Google Group, but I think I will need W3C assistance to populate and maintain the group's members. Reaching out now.

[rdcronin]

I've seen (and responded to) Rob's comments on the doc; does anyone else have concerns with the proposed approach?