
Document "strict CSP" and recommend it over allowlists #35812

Open
wbamberg opened this issue Sep 9, 2024 · 2 comments · May be fixed by #36157
Labels
Content:HTTP HTTP docs Content:Security Security docs effort: large This task is large effort. help wanted If you know something about this topic, we would love your help!

Comments

@wbamberg
Collaborator

wbamberg commented Sep 9, 2024

The articles about CSP from both OWASP and web.dev recommend that developers use what they call a strict CSP, which uses nonces and/or hashes in script-src instead of an allowlist.

According to these articles, strict CSP is likely to be more secure than an allowlist, and is also much easier to maintain than an allowlist, as this netlify article discusses.

There are 2 guides to CSP on MDN, that I could find:

(aside, I'm not sure of the value of having two guides here)

We should update these guides to talk about strict CSPs. There are really 2 options:

  1. just present strict CSP as another approach, and describe its advantages
  2. actively recommend strict CSP, as the web.dev and OWASP articles do

We talked about this in the SWAG CG meeting and it was felt that the second, more opinionated, approach was more useful.

This work should help contribute to w3c-cg/swag#3.

@github-actions github-actions bot added needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. Content:HTTP HTTP docs Content:Security Security docs labels Sep 9, 2024
@Josh-Cena Josh-Cena added help wanted If you know something about this topic, we would love your help! effort: large This task is large effort. and removed needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. labels Sep 9, 2024
@hamishwillee
Collaborator

FWIW:

  • Actively recommending strict CSP makes sense to me.
  • We can still talk about allowlists as an option, in particular there are likely to be cases where generating nonces is hard and managing allowlists becomes the pragmatic option. For example, if it became necessary to use a cross-site resource on a static site?
  • You made a point elsewhere that generating nonces really requires some framework support to be broadly achievable, so we need to talk about that.
  • (aside, I'm not sure of the value of having two guides here). It would be better to have one. I thought this one was a bit thin - https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP - I like the idea of practical guidance as a section in the other document.

@wbamberg
Collaborator Author

Thanks for the comments Hamish!

We can still talk about allowlists as an option,

Yes, for sure.

in particular there are likely to be cases where generating nonces is hard and managing allowlists becomes the pragmatic option. For example, if it became necessary to use a cross-site resource on a static site?

In cases like this the guidance is to use a hash instead, because you can then serve it statically (the hash is always the same, unlike the nonce).

(aside, I'm not sure of the value of having two guides here). It would be better to have one. I thought this one was a bit thin - https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP - I like the idea of practical guidance as a section in the other document.

I might get around to this in the scope of this issue :).

@wbamberg wbamberg linked a pull request Oct 3, 2024 that will close this issue