Gmail + CSP - a short analysis

On Dec. 16 Google's Gmail team proudly announced the use of Content Security Policy (CSP) for GMail, and quite a lot of news outlets are excited about this, like ElReg titling its piece "Google bakes W3C malware-buster into Gmail". YaY!

CSP, for those not familiar with it, "is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware." (mdn)

CSP lets a site operator choose from which sources JavaScript, images, frames, media objects or CSS may be loaded and displayed/executed in the browser, and to which origins the page may connect via XHR or WebSockets.

CSP 1.0 is a W3C Candidate Recommendation while v2.0 is already proposed, so this will become an official standard sooner or later and will (hopefully) add a little more security for users. CSP is supported by the most recent versions of all major browsers, and even the mobile browsers have started to implement it.

CSP is announced through HTTP response headers sent from the server to the client, and it's up to the client (the browser) to enforce that advised policy or ignore it.


Screenshot: GMail's response headers (original, as of Dec 17)

Screenshot: GMail's response headers (new, as of Dec 19)


Being curious, I checked GMail's CSP implementation and was quite surprised to see a Content-Security-Policy-Report-Only header. CSP has a neat feature: instead of enforcing a policy that might break stuff for users, it can be used in a kind of learning mode: "If you're just starting out with CSP, it makes sense to evaluate the current state of your application before rolling out a draconian policy to your users. As a stepping stone to a complete deployment, you can ask the browser to monitor a policy, reporting violations, but not enforcing the restrictions. Instead of sending a Content-Security-Policy header, GMail sends a Content-Security-Policy-Report-Only header.

The policy specified in report-only mode won't block restricted resources, but it will send violation reports to the location you specify." (html5rocks)

This is what Gmail does, and there's nothing wrong with it. Instead of enforcing policies that might break Gmail for its users, the team decided to monitor the behaviour first, to be able to adjust the implementation. What's wrong are the statements issued with the blog post:
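To make the report-only workflow concrete, here is a minimal receiver for the report-uri side, written as an added example for this post; it is not Gmail's /mail/cspreport handler (whose behaviour is not public) or code from the Gmail team. It assumes the CSP 1.0 report shape: a JSON body with a single csp-report object carrying document-uri, violated-directive and blocked-uri (plus referrer and original-policy). The sample reports, the cdn.example.net origin and the size cap are constructed for the example, and the bare "inline" token used for an inline-script violation is one browser's convention (assumption; browsers differ here).

```python
"""Receive and aggregate CSP violation reports sent by a Report-Only policy.

Added example, not Gmail's report-uri handler. Assumes CSP 1.0 report bodies:
{"csp-report": {"document-uri": ..., "violated-directive": ..., "blocked-uri": ...}}.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_BODY = 16 * 1024  # constructed cap: reject oversized bodies before parsing them
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")
ACCEPTED_TYPES = ("application/csp-report", "application/json")


def parse_report(body, content_type="application/csp-report"):
    """Validate one POSTed report and return the inner csp-report dict, or None.

    Everything in the body is attacker-influenced (any page visitor can POST to
    the report endpoint), so the shape is checked before any field is used.
    """
    if content_type.split(";")[0].strip().lower() not in ACCEPTED_TYPES:
        return None
    if len(body) > MAX_BODY:
        return None
    try:
        outer = json.loads(body)
    except ValueError:
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return None
    if not all(isinstance(report.get(key), str) for key in REQUIRED):
        return None
    return report


def blocked_key(blocked_uri):
    """Reduce a blocked-uri to its origin so paths and query strings collapse.

    Non-URL tokens ("inline", "eval", "self", ... ; the exact token is
    browser-specific, assumption) are kept verbatim.
    """
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"


def summarize(bodies):
    """Count (directive, blocked origin) pairs; returns (Counter, dropped_count)."""
    counts = Counter()
    dropped = 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            dropped += 1
            continue
        # CSP 1.0 sends the whole directive ("script-src 'self' ..."), later
        # drafts only its name; the first token works for both.
        directive = report["violated-directive"].split()[0]
        counts[(directive, blocked_key(report["blocked-uri"]))] += 1
    return counts, dropped


def enforcement_preview(counts):
    """What would be blocked if the same policy were switched from
    Report-Only to enforcing: (directive, origin, hits), most frequent first."""
    return sorted(((d, o, n) for (d, o), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


def _report(blocked, directive="script-src 'self' https://apis.google.com/js/"):
    """Build one constructed report body in the CSP 1.0 shape."""
    return json.dumps({"csp-report": {
        "document-uri": "https://mail.google.com/mail/u/0/",
        "referrer": "",
        "violated-directive": directive,
        "blocked-uri": blocked,
        "original-policy": directive + "; report-uri /mail/cspreport",
    }})


# Constructed sample: two loads from a non-whitelisted origin, one inline
# script, and two malformed bodies that a real endpoint must shrug off.
SAMPLE_BODIES = [
    _report("https://cdn.example.net/widget.js"),
    _report("https://cdn.example.net/widget.js?v=2"),
    _report("inline"),
    "{not json",
    json.dumps({"csp-report": {"document-uri": 1}}),
]

if __name__ == "__main__":
    counts, dropped = summarize(SAMPLE_BODIES)
    for directive, origin, hits in enforcement_preview(counts):
        print(f"{hits:4d}  {directive:12s}  {origin}")
    print(f"dropped {dropped} malformed report(s)")
```

The aggregated list is exactly what a team in learning mode looks at before flipping the header to Content-Security-Policy: every row is either a source that still needs whitelisting or a load that should be removed from the application.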

"Today, Gmail on the desktop is becoming more secure with support for Content Security Policy (CSP).
...
CSP is just another example of how Gmail can help make your email experience safer. "

If the policy weren't in report-only mode but enforced, would that protect you from XSS attacks? Well, a little yes and a little more no.

The policy for running JavaScript, named script-src, would only allow JS from the Google-controlled resources (see the complete list below) AND 'unsafe-inline' JavaScript. Why this is considered harmful, html5rocks explains: "Origin-based whitelisting doesn't, however, solve the biggest threat posed by XSS attacks: inline script injection. If an attacker can inject a script tag that directly contains some malicious payload (), the browser has no mechanism by which to distinguish it from a legitimate inline script tag. CSP solves this problem by banning inline script entirely: it's the only way to be sure."
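The two points above, that CSP is a per-directive list of allowed sources and that 'unsafe-inline' in script-src hands back exactly the protection the source list was meant to give, can be checked mechanically. The following is an added example written for this post, not code from Gmail or from any browser. It implements the CSP source-expression matching rules (scheme, host with a leading "*." wildcard, optional port, and a path that acts as a prefix when it ends in "/", exact otherwise) and runs a handful of candidate script loads against an excerpt of the Dec 19 script-src list quoted further down, next to a constructed variant of that list with the two unsafe keywords removed. Assumptions: real browsers add rules left out here (redirect handling, default ports), and the mail.google.com page origin and the cdn.example.net URL are constructed.

```python
"""Evaluate a Content-Security-Policy against candidate script loads.

Added example; implements the CSP source-expression matching rules, not a
browser's exact algorithm (assumption: redirects and default ports omitted).
"""
from urllib.parse import urlsplit


def parse_policy(header):
    """Split a policy string into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """Host part: exact match, "*" for anything, "*.example.com" for subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(expr, page_origin, url):
    """Does one source expression permit loading `url` into a page at `page_origin`?"""
    if expr == "'self'":
        p, u = urlsplit(page_origin), urlsplit(url)
        return (p.scheme, p.netloc) == (u.scheme, u.netloc)
    if expr.startswith("'"):
        return False  # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
    if "://" not in expr:  # scheme-less host-source inherits the page's scheme
        expr = urlsplit(page_origin).scheme + "://" + expr
    e, u = urlsplit(expr), urlsplit(url)
    if e.hostname is None or u.hostname is None or e.scheme != u.scheme:
        return False
    if not _host_matches(e.hostname, u.hostname):
        return False
    if e.port is not None and e.port != u.port:
        return False
    if e.path and e.path != "/":
        # a path ending in "/" is a prefix; anything else must match exactly
        if e.path.endswith("/"):
            return u.path.startswith(e.path)
        return u.path == e.path
    return True


def script_allowed(policy, page_origin, url=None):
    """True if script-src (falling back to default-src) lets this script run.

    url=None stands for an inline <script> block, which nothing in the source
    list can describe: only the 'unsafe-inline' keyword permits it.
    """
    sources = policy.get("script-src", policy.get("default-src", ["*"]))
    if url is None:
        return "'unsafe-inline'" in sources
    return any(source_allows(src, page_origin, url) for src in sources)


GMAIL_ORIGIN = "https://mail.google.com"  # constructed page origin

# Excerpt (constructed subset) of the Dec 19 script-src list quoted in the post.
GMAIL_SCRIPT_POLICY = (
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://apis.google.com/js/ "
    "https://www-gm-opensocial.googleusercontent.com/gadgets/js/ "
    "https://ssl.gstatic.com/inputtools/js/ "
    "https://www.youtube.com/iframe_api; "
    "report-uri /mail/cspreport"
)
# The same list without the two unsafe keywords (constructed, for contrast).
HARDENED_SCRIPT_POLICY = GMAIL_SCRIPT_POLICY.replace("'unsafe-inline' 'unsafe-eval' ", "")


def compare(url=None):
    """(allowed by the Gmail excerpt, allowed by the hardened variant) for one load."""
    return (script_allowed(parse_policy(GMAIL_SCRIPT_POLICY), GMAIL_ORIGIN, url),
            script_allowed(parse_policy(HARDENED_SCRIPT_POLICY), GMAIL_ORIGIN, url))


if __name__ == "__main__":
    for candidate in (None, "https://apis.google.com/js/client.js",
                      "https://apis.google.com/other/x.js",
                      "https://cdn.example.net/widget.js"):
        print(candidate or "<inline script>", compare(candidate))
```

The run shows both halves of the post's argument: the whitelist already stops a script from an unlisted origin or an unlisted path on a listed origin, but an inline block sails through the Gmail excerpt and is only refused once 'unsafe-inline' is gone.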

There are quite a few cases (1, 2, 3; for more examples you might want to ask Google) where security researchers were able to insert XSS code into GMail, and the policies so far, even if enforced, wouldn't have prevented these attacks.

So, is the GMail team doing it wrong? No. Enforcing CSP without testing would surely break some functions. Allowing only Google-controlled servers and resources is a good step in the right direction: protecting GMail users from malicious 3rd-party code and evil extensions or apps. I think it's both legit and elegant to monitor the overall behaviour of the CSP policies BEFORE implementing a final solution, and I hope that Google will share its results later.

With those policies activated, GMail will block malicious browser-based 3rd-party extensions or apps, and the blog post states that this was the main goal: "There are many great extensions for Gmail. Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or which compromises your email's security. Gmail's CSP helps protect you, by making it more difficult to load unsafe code into Gmail." (gmail)


GMail's CSP in detail (Dec 17), now with activated policies

content-security-policy-report-only:

  script-src 'self' 'unsafe-inline' 'unsafe-eval'
    https://talkgadget.google.com/
    https://www.googleapis.com/appsmarket/v2/installedApps/
    https://www-gm-opensocial.googleusercontent.com/gadgets/js/
    https://docs.google.com/static/doclist/client/js/
    https://www.google.com/tools/feedback/
    https://s.ytimg.com/yts/jsbin/
    https://www.youtube.com/iframe_api
    https://ssl.google-analytics.com/
    https://apis.google.com/_/scs/abc-static/
    https://apis.google.com/js/
    https://clients1.google.com/complete/
    https://apis.google.com/_/scs/apps-static/_/js/
    https://ssl.gstatic.com/inputtools/js/
    https://ssl.gstatic.com/cloudsearch/static/o/js/
    https://www.gstatic.com/feedback/js/
    https://www.gstatic.com/common_sharing/static/client/js/
    https://www.gstatic.com/og/_/js/;

  object-src
    https://mail-attachment.googleusercontent.com/swfs/
    https://mail-attachment.googleusercontent.com/attachment/;

  frame-src 'self'
    https://ci3.googleusercontent.com/
      https://accounts.google.com/ 
      https://apis.google.com/u/ 
      https://clients6.google.com/static/ 
      https://content.googleapis.com/static/ 
      https://mail-attachment.googleusercontent.com/ 
      https://www.google.com/calendar/ 
      https://docs.google.com/ 
      https://drive.google.com 
      https://*.googleusercontent.com/docs/securesc/ 
      https://feedback.googleusercontent.com/resources/ 
      https://www.google.com/tools/feedback/ 
      https://*.googleusercontent.com/gadgets/ifr 
      https://talkgadget.google.com/u/ 
      https://talkgadget.google.com/talkgadget/ 
      https://isolated.mail.google.com/mail/ 
      https://www-gm-opensocial.googleusercontent.com/gadgets/ 
      https://plus.google.com/ 
      https://wallet.google.com/gmail/ 
      https://www.youtube.com/embed/ 
      https://clients5.google.com/pagead/drt/dn/ 
      https://clients5.google.com/ads/measurement/jn/ 
      https://www.gstatic.com/mail/ww/ 
      https://clients5.google.com/webstore/wall/ 
      https://apis.google.com/additnow/;

  report-uri /mail/cspreport

GMail's CSP in detail (Dec 19), now with activated policies

content-security-policy:

  script-src 'self' 'unsafe-inline' 'unsafe-eval' 
    https://talkgadget.google.com/ 
    https://www.googleapis.com/appsmarket/v2/installedApps/ 
    https://www-gm-opensocial.googleusercontent.com/gadgets/js/ 
    https://docs.google.com/static/doclist/client/js/ 
    https://www.google.com/tools/feedback/
    https://s.ytimg.com/yts/jsbin/ 
    https://www.youtube.com/iframe_api 
    https://ssl.google-analytics.com/ 
    https://apis.google.com/_/scs/abc-static/ 
    https://apis.google.com/js/ 
    https://clients1.google.com/complete/ 
    https://apis.google.com/_/scs/apps-static/_/js/ 
    https://ssl.gstatic.com/inputtools/js/ 
    https://ssl.gstatic.com/cloudsearch/static/o/js/ 
    https://www.gstatic.com/feedback/js/ 
    https://www.gstatic.com/common_sharing/static/client/js/ 
    https://www.gstatic.com/og/_/js/;

  object-src 
    https://mail-attachment.googleusercontent.com/swfs/ 
    https://mail-attachment.googleusercontent.com/attachment/;

  frame-src 'self'
    https://ci3.googleusercontent.com/  
    https://accounts.google.com/ 
    https://apis.google.com/u/ 
    https://clients6.google.com/static/ 
    https://content.googleapis.com/static/ 
    https://mail-attachment.googleusercontent.com/ 
    https://www.google.com/calendar/ 
    https://docs.google.com/
    https://drive.google.com
    https://*.googleusercontent.com/docs/securesc/ 
    https://feedback.googleusercontent.com/resources/ 
    https://www.google.com/tools/feedback/ 
    https://*.googleusercontent.com/gadgets/ifr 
    https://talkgadget.google.com/u/ 
    https://talkgadget.google.com/talkgadget/ 
    https://isolated.mail.google.com/mail/ 
    https://www-gm-opensocial.googleusercontent.com/gadgets/ 
    https://plus.google.com/ 
    https://wallet.google.com/gmail/ 
    https://www.youtube.com/embed/ 
    https://clients5.google.com/pagead/drt/dn/ 
    https://clients5.google.com/ads/measurement/jn/ 
    https://www.gstatic.com/mail/ww/ 
    https://clients5.google.com/webstore/wall/ 
    https://apis.google.com/additnow/;

  report-uri /mail/cspreport

date: 2014.12
tags: analyse security website