Content Security Policy
- 16. How does CSP help?
Deliver a policy via an HTTP header that tells the browser what is allowed to execute on your site.
- 17. When we request a webpage, we get a response that has a header and a body; the policy travels in the header.
CSP in the wild
- 25. script-src: <script>
object-src: <object>, <embed>
style-src: <link rel="stylesheet">, <style>
img-src: <img>, images in CSS
media-src: <audio>, <video>
frame-src: <iframe>, <frame>
font-src: @font-face
connect-src: XMLHttpRequest and other JS APIs
- 32. Other values
*: anything goes
'none': nothing goes
url: can specify ports, protocols, wildcards, etc.
Reference: http://content-security-policy.com/
- 39. Mitigate XSS: a more complete plan
* Move inline script out-of-line
* Remove inline event handlers
* Remove use of eval and friends (not as big)
* Add the script-src directive
- 41. Wanna try it out?
Try report-only mode and tweak as you go.
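As an added example (not from the deck), a small Python helper that serializes a policy map into the header value, parses it back, and flags the settings the plan above tells you to remove (inline script, eval, wildcard script sources); the header name switches to the report-only variant for the trial run on the last slide. The CDN origin is a made-up placeholder.

```python
# Added example, not the slide deck's code: build, parse and lint a CSP header value.
from typing import Dict, List


def build_csp(directives: Dict[str, List[str]]) -> str:
    """Serialize {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Parse a header value back into {directive: [sources]} (directives are case-insensitive)."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def header_name(report_only: bool) -> str:
    """Report-only mode reports violations without blocking, so you can tweak as you go."""
    return "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"


def lint_csp(header_value: str) -> List[str]:
    """Return findings that undercut the XSS mitigation plan (script-src falls back to default-src)."""
    policy = parse_csp(header_value)
    findings: List[str] = []
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return ["no script-src (and no default-src fallback): script execution is unrestricted"]
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline': inline scripts and event handlers still run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval and friends still run")
    if "*" in script:
        findings.append("script-src allows *: any origin may serve scripts")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src (and no default-src): <object>/<embed> plugins are unrestricted")
    return findings


# Constructed sample policies: a weak one beside a hardened one (cdn.example.com is a placeholder).
WEAK = build_csp({"script-src": ["*", "'unsafe-inline'", "'unsafe-eval'"]})
HARDENED = build_csp({"default-src": ["'self'"],
                      "script-src": ["'self'", "https://cdn.example.com"],
                      "object-src": ["'none'"]})

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{header_name(report_only=True)}: {value}")
        print(f"  {label}: {lint_csp(value) or ['no findings']}")
```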