SlideShare a Scribd company logo

Content Security Policy

Ryan LaBouve
Ryan LaBouve

CSP is a security policy that helps prevent cross-site scripting attacks by whitelisting sources of approved scripts, styles, fonts, and other assets. It works by delivering a policy via HTTP headers that specifies allowed/blocked content. The policy uses directives like script-src, style-src, and font-src to control which elements can load assets from various sources like self, unsafe-inline, or specific domains. Implementing CSP involves starting with a restrictive policy and gradually expanding allowed sources as needed while balancing security and functionality.

Related slideshows

Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
1 of 43
Download to read offline
Content Security Policy featuring ember.js
WHOAMI Ryan LaBouve (@ryanlabouve)
Content Security Policy
HOLYARCHERS
RyanLaBouve.com
Thinking about a new side-project
Fire up `ember new`
(wait on NPM and Bower)
`ember serve`
Sparkling new project!
But wait!?!?
ENTER CSP Content-Security-Policy: ‘take-that.xss’
What is Content Security Policy?
XSS Mitigation Strategy using a whitelist based approach.
What is XSS? people trying to execute malicious (usually?) javascripts on your page.
How CSP helps? deliver policy via http header with information about what is allowed to execute on your site.
When we request a webpage, we get a response that has a header and a body CSP in the wild
Response body (has the html/css/js)
Response Header has (various meta-data)
CSP in the wild
How to implement and customize CSP
Series of Directives
default-src script-src*** object-src style-src img-src media-src frame-src font-src connect-src (script-src key directive for blocking scripting)
Each attached to HTML elements
script-src <script> object-src <object>, <embed> style-src <link rel=“stylesheet”>, <style> img-src <img>, images in css media-src <audio>, <video> frame-src <iframe>, <frame> font-src @font-face connect-src XMLHttpRequest, JS APIs
self none * unsafe-inline unsafe-eval example.url.com Values to Describe Policy
Space delimited sources to match http header syntax semi colon end of line About the Values
self Anything you’re including locally
unsafe-inline Anything happening by your content Better to “separate code and data” This includes inline event handlers
unsafe-eval setTimeout eval not as big a deal as unsafe inline
Custom Templates Not executing. No problem.
Other Values *— Anything Goes none— Nothing Goes url— can specify ports, protocols, wildcards, etc http://content-security-policy.com/
A few quick examples:
Serve nothing at all
Serve everything ever
Only serve local assets … a good starting spot
Build up slowly as needed
Focus on script-src …especially if you’re worried mostly about XSS
mitigate XSS …a more complete plan * move inline script out-of-line * remove inline event handlers * Remove use of eval and friends (not as big) * Add the script-src directive
Report only, callback url, block Options for Enforcing
Wanna try it out? Try report only mode and tweak as you go
Browser Compatibility Issues
Resources http://www.html5rocks.com/en/tutorials/security/content- security-policy/ https://developer.chrome.com/extensions/contentSecurityPolicy http://en.wikipedia.org/wiki/Content_Security_Policy https://www.youtube.com/watch?v=pocsv39pNXA https://blog.justinbull.ca/ember-cli-and-content-security-policy- csp/

More Related Content

Content Security Policy