Content Security Policy 'unsafe-inline' in manifest.json

edited July 2019 in 1Password X

Following up on this advice from Raymond Hill (AKA gorhill of uBlock Origin), please investigate feasibility / LOE for removing the 'unsafe-inline' value from the 'style-src' clause of the Content Security Policy in the manifest.json included with the Chrome extension (and probably others?).

On my system, the current content_security_policy value is set to (emphasis mine):

"content_security_policy": "default-src 'self'; img-src 'self' https://c.1password.com https://a.1passwordentusercontent.com https://a.1passwordusercontent.com https://a.1passwordusercontent.eu https://a.1passwordusercontent.ca; connect-src https://*.1password.com wss://b5n.1password.com wss://b5n.ent.1password.com https://*.b5test.com wss://b5n.b5test.com https://*.b5dev.com wss://b5n.b5dev.com https://*.b5local.com:3000 wss://b5local.com:3001 https://*.1password.ca wss://b5n.1password.ca https://*.1password.eu wss://b5n.1password.eu https://api.pwnedpasswords.com https://f.1passwordusercontent.com https://f.1passwordentusercontent.com https://f.1passwordusercontent.eu https://f.1passwordusercontent.ca; frame-src https://www.youtube.com; style-src 'self' 'unsafe-inline';",

1Password Version: Not Provided
Extension Version: 1.15.6_0
OS Version: Ubuntu
Sync Type: n/a

Comments

  • Update: also, since blob: and filesystem: are both whitelisted by default within script-src, please also configure both of these to explicitly control remote code execution.

  • Mitch

    Team Member
    edited July 2019

    Thanks for following up with us about this, @tychotithonus.

    I agree with you and Raymond that we should remove anything named "unsafe" from our content security policy. Browser extensions have plenty of trust problems, and developers make things worse when we don't use the security tools available to us.

    Our CSP is pretty strict as far as they go. Namely, we forbid unsafe-eval and unsafe-inline for scripts. I don't want to put words in Raymond's mouth, but I took his concern to apply primarily to the script-src directive, as that is the mechanism exploited by his example (and so many others out there in the wild). We would never ship a browser extension that permitted remote code execution. We feel as strongly about this as Raymond does.

    Still there are grey areas like style-src: self unsafe-inline. In our case, this directive allows us to apply dynamic styles and animations to parts of our user interface that can't easily be manipulated with classes or data attributes. But it was added several years ago and now is a good time to revisit it.

    (Your points about blob: and filesystem: are also good. We do use blob: and our Firefox manifest lists it explicitly, as required, but we can be explicit here in Chrome as well.)

    Thank you for pushing us to try harder here. I'll be celebrating along with you when we remove every instance of "unsafe" from our CSP for good.

    Have a good weekend!
    Mitch
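The check the thread is asking for (flag every 'unsafe-*' keyword in the manifest's content_security_policy, then emit a policy with 'unsafe-inline' dropped from style-src and script-src made explicit rather than inherited from default-src, which is the blob:/filesystem: point above). This is an added example, not code from the thread or from 1Password; the sample policy is a shortened copy of the one quoted in the original post, and the wildcard hosts in it are assumed.

```python
"""Lint a Chrome extension manifest's content_security_policy string."""
from typing import Dict, List, Tuple

# Constructed sample: a trimmed version of the policy quoted in the post.
SAMPLE_CSP = (
    "default-src 'self'; "
    "img-src 'self' https://c.1password.com; "
    "connect-src https://*.1password.com wss://b5n.1password.com; "
    "frame-src https://www.youtube.com; "
    "style-src 'self' 'unsafe-inline';"
)

UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:  # skip the empty chunk after the trailing ';'
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Rebuild the manifest string from the parsed directives."""
    parts = [f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items()]
    return "; ".join(parts) + ";"


def find_unsafe(directives: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (directive, keyword) for every 'unsafe-*' source expression."""
    return [(d, s) for d, srcs in directives.items() for s in srcs if s in UNSAFE]


def harden(directives: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Drop 'unsafe-*' keywords from every directive and add an explicit
    script-src 'self' when the policy relies on default-src for scripts,
    so script sources are controlled by the manifest rather than by defaults."""
    hardened = {d: [s for s in srcs if s not in UNSAFE] for d, srcs in directives.items()}
    hardened.setdefault("script-src", ["'self'"])
    return hardened


if __name__ == "__main__":
    parsed = parse_csp(SAMPLE_CSP)
    print("unsafe sources:", find_unsafe(parsed))
    print("hardened:", serialize_csp(harden(parsed)))
```

Styles that currently rely on inline `style=""` attributes or `<style>` blocks will be blocked once 'unsafe-inline' is gone, so the hardened policy is only safe to ship after those are moved into stylesheets or class toggles, as Mitch notes.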

  • You're a good sport, sir - thanks for considering this!

  • Matthew_1P

    Team Member

    On behalf of Mitch, you're very welcome @tychotithonus! If you need anything else then we're here for you :smile:
