My first post so I'll intro myself a little bit.
I'm not a web designer/coder. I've dabbled in php for years but this is my first real project other than simple display.
The project is inspired by
http://people.mozilla.org/~bsterne/content-security-policy/
My goal is to implement it server side through a class that acts as a post filter.
Obviously it is not going to be as good as a real browser based CSP solution because a policy allowed script could modify the DOM to add stuff the policy would reject, and there's no way to catch that server side.
But I hope my output filter will eventually be good enough to catch and remove anything in the sent document that would trigger CSP on a CSP enabled client.
Here's the current version of the class file:
http://homepage.mac.com/mpeters/misc/cspfilter_class.php.txt
It does require that the document be fully created and in a DOMDocument object (use DOMDocument's loadHTML() for well-formed HTML, use loadXML() for well-formed XHTML).
Basic usage, where $foo is your DOMDocument object. This example assumes you want to allow images, script, and object tags:

$bar = new cspfilter;
$bar->httphost = "www.example.net"; // the document's own host, used to resolve "self"
$bar->csp['allow'] = "none"; // that's the default, but not a bad idea to state it explicitly
$bar->csp['img-src'] = "images.example.net *.photobucket.com";
$bar->csp['script-src'] = "scripts.example.net";
$bar->csp['object-src'] = "self";
$bar->inputDom($foo); // hand the fully built DOMDocument to the filter
$bar->processData(); // strip anything in the DOM that the policy would reject
// defaults to false, which creates a meta tag instead of a header
$bar->cspHeader = true;
$bar->makeCSP(); // sends the header or adds the meta tag to the document head
// now we've sent the CSP header - send the page
print $foo->saveHTML(); // use saveXML() for XHTML
I've done a little testing of the class on my own project that I'm building, but I have not tested it heavily.
I'm going out of town this weekend, but when I get back I hope to create a test case page that lets anyone select what CSP options they want to enforce (and specify what hosts to allow), enter raw HTML into a textarea, and submit it, with the raw HTML being placed in a div under the textarea. I'll obviously have to do a little input filtering in order to ensure the raw HTML is valid and can be imported into the DOM object, but anyway, that playground to find bugs may take a little while.
However, since I'm neither a PHP coder by trade nor a security expert, I would really appreciate any feedback possible on the class.
One thing to note: I believe the current CSP recommendation wants no event attributes at all. My output filter does allow whitelisting of event handlers, but it does not allow arguments in the function call (i.e. if you whitelist onload, <body onload="alert('foo');"> would be filtered to <body onload="alert();">).
For my web app I'm building, I really do need onload, onchange, and onsubmit. Yes, the webapp works w/o scripting but the user experience with the scripting.
-=-
I know requiring the HTML to be fully constructed before a line of it is sent will mean many existing projects would not be able to use the filter, but it seems quite a few templating systems do just that, so loadHTML() is all it would take to prepare the output for the output filter.
Again, I appreciate any and all feedback. I've learned a lot from RSnake's blog and I've learned a lot from reading this forum.
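To make the approach in the post concrete for anyone reviewing it, here is an added, self-contained example of a DOMDocument-based server-side filter covering the three cases the post talks about: script elements against script-src, img elements against img-src, and whitelisted event handler attributes reduced to a bare function call. It is not the cspfilter class linked above and does not reproduce that code; the class name MiniCspFilter, its method names, the array form of the policy, and the sample HTML are all assumptions chosen to mirror the usage shown in the post. It assumes PHP 8 (str_starts_with/str_ends_with) with the dom extension.

```php
<?php
// Added example, not the post's cspfilter class. Names and policy format are assumptions.
class MiniCspFilter
{
    private string $self;          // the document's own host, what "self" resolves to
    private array  $policy;        // directive => list of allowed source expressions
    private array  $allowedEvents; // whitelisted on* attribute names, lowercase
    public  array  $removed = [];  // record of everything stripped, for review/logging

    public function __construct(string $self, array $policy, array $allowedEvents = [])
    {
        $this->self          = strtolower($self);
        $this->policy        = $policy;
        $this->allowedEvents = array_map('strtolower', $allowedEvents);
    }

    // Does $host satisfy one source expression: "self", an exact host, or *.domain?
    private function hostMatches(string $host, string $source): bool
    {
        $source = strtolower($source);
        if ($source === 'self') {
            return $host === $this->self;
        }
        if (str_starts_with($source, '*.')) {
            $suffix = substr($source, 1); // "*.photobucket.com" -> ".photobucket.com"
            return str_ends_with($host, $suffix) && strlen($host) > strlen($suffix);
        }
        return $host === $source;
    }

    // Is $url permitted by the named directive? Only http(s) hosts can ever match.
    private function urlAllowed(string $directive, string $url): bool
    {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            return false; // data:, javascript: and friends are never host matches
        }
        $host = parse_url($url, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            $host = $this->self; // relative URL: same origin as the document
        }
        foreach ($this->policy[$directive] ?? [] as $src) {
            if ($this->hostMatches(strtolower($host), $src)) {
                return true;
            }
        }
        return false;
    }

    public function filter(DOMDocument $doc): void
    {
        $xpath = new DOMXPath($doc);

        // 1. Scripts: inline bodies are always dropped; external ones must match script-src.
        foreach (iterator_to_array($xpath->query('//script')) as $script) {
            $src = $script->getAttribute('src');
            if ($src === '' || !$this->urlAllowed('script-src', $src)) {
                $this->removed[] = 'script ' . ($src === '' ? '(inline)' : $src);
                $script->parentNode->removeChild($script);
            }
        }

        // 2. Images must match img-src.
        foreach (iterator_to_array($xpath->query('//img[@src]')) as $img) {
            $src = $img->getAttribute('src');
            if (!$this->urlAllowed('img-src', $src)) {
                $this->removed[] = 'img ' . $src;
                $img->parentNode->removeChild($img);
            }
        }

        // 3. Event handlers: drop unless whitelisted; a whitelisted one is reduced
        //    to "name();" with its arguments removed, as the post describes.
        foreach (iterator_to_array($xpath->query('//@*[starts-with(name(), "on")]')) as $attr) {
            $name = strtolower($attr->nodeName);
            if (in_array($name, $this->allowedEvents, true)
                && preg_match('/^\s*([A-Za-z_$][\w$]*)\s*\(/', $attr->nodeValue, $m)) {
                $attr->nodeValue = $m[1] . '();';
            } else {
                $this->removed[] = "attr $name";
                $attr->ownerElement->removeAttribute($attr->nodeName);
            }
        }
    }
}

// Constructed sample document (not from the post) exercising each rule once.
$html = '<html><head><script>alert(1)</script>'
      . '<script src="http://scripts.example.net/app.js"></script></head>'
      . '<body onload="init(\'x\')" onmouseover="other()">'
      . '<img src="http://images.example.net/a.png">'
      . '<img src="http://elsewhere.example.org/b.png">'
      . '<img src="http://cdn.photobucket.com/c.png"></body></html>';

$doc = new DOMDocument();
libxml_use_internal_errors(true); // loadHTML() warns on imperfect markup; keep going
$doc->loadHTML($html);

$filter = new MiniCspFilter('www.example.net', [
    'img-src'    => ['images.example.net', '*.photobucket.com'],
    'script-src' => ['scripts.example.net'],
], ['onload']);
$filter->filter($doc);

print $doc->saveHTML();
print_r($filter->removed); // what the policy rejected, for the page owner to review
```

Two design points worth noting for anyone building on the class in the post: the snapshot via iterator_to_array() is needed because removing nodes while walking a live DOMNodeList skips siblings, and the scheme check runs before host matching so that a javascript: or data: URL can never be matched by a host-based source expression. The $removed list is the server-side counterpart of a browser's CSP violation report, which is the kind of visibility the post's "playground" page would want to show.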