4. Content Security Policy (CSP) is a new addition to the web platform
that promises to mitigate the risk of XSS attacks by giving admins
control over the data and code allowed to run on their site.
Another layer to a website's defenses: browser-enforced
restrictions against external resources or unauthorized scripting.
An extra response header instructs browsers to enforce a policy.
Involves deciding what policies you want to enforce, then
configuring them and using the X-Content-Security-Policy header to
establish your policy.
5. CSP: best used as defense-in-depth.
CSP: a declarative policy that lets admins inform the client about
the sources from which the application expects to load resources.
Mitigates XSS: an application can declare that it only expects scripts
from trusted sources, which allows the client to detect and block
malicious scripts injected into the application by an attacker.
6. Applying CSP to an existing web application often requires a
non-trivial amount of work.
Move all inline scripts and styles out-of-line.
7. An application opts into CSP by supplying a Content-Security-Policy
HTTP header.
To supply a policy for an entire site, the server needs to send a
policy with each resource representation.
8. You can use the X-Content-Security-Policy HTTP header to specify
your policy, like this:
X-Content-Security-Policy: policy
The policy is a string containing the policy directives describing
your Content Security Policy.
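As an added example (not code from the slides), a small WSGI middleware that attaches the policy to every response, which is what "supply a policy with each resource representation" means in practice. The POLICY string, demo_app and the in-process request helper are constructed for illustration; the middleware sends the standard Content-Security-Policy header name rather than the older X- prefixed form shown on the slides.

```python
"""Attach a Content Security Policy to every response of a WSGI application.
Added example, not code from the original slides. POLICY and demo_app are
constructed for illustration."""

# Constructed policy: scripts only from one trusted host, images from anywhere.
POLICY = "default-src 'self'; img-src *; script-src scripts.example.com"


def csp_middleware(app, policy=POLICY):
    """Wrap `app` so that every response carries a Content-Security-Policy header."""
    def wrapped(environ, start_response):
        def start_response_with_csp(status, headers, exc_info=None):
            # Append rather than replace: a user agent enforces every policy it
            # receives, so an extra header can only tighten what is allowed.
            headers = list(headers) + [("Content-Security-Policy", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_csp)
    return wrapped


def demo_app(environ, start_response):
    """Minimal application (constructed) that returns a static HTML page."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<!doctype html><title>CSP demo</title><p>hello</p>"]


def run_request(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


def csp_values(headers):
    """All Content-Security-Policy values in a header list (header names are case-insensitive)."""
    return [v for k, v in headers if k.lower() == "content-security-policy"]


if __name__ == "__main__":
    status, headers, _ = run_request(csp_middleware(demo_app))
    print(status, csp_values(headers))
    # To serve locally and inspect the header in a browser's developer tools:
    #   from wsgiref.simple_server import make_server
    #   make_server("127.0.0.1", 8000, csp_middleware(demo_app)).serve_forever()
```

Because the middleware appends instead of overwriting, an application that already sets its own policy keeps it; the browser then enforces both, so the middleware can never accidentally loosen a page's policy.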
9. Common scenarios when writing your security policy
10. Allow all content to come from the site's own domain, excluding even
subdomains.
X-Content-Security-Policy: default-src 'self'
Allow content from a trusted domain and all its subdomains.
X-Content-Security-Policy: default-src 'self' *.mydomain.com
11. Allow users of a web application to include images from any
domain in their custom content, but restrict audio or video
media to trusted providers only, and all scripts to a single
server that hosts trusted code.
X-Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
Content is only permitted from the document's original host, with
the following exceptions:
Images may be loaded from anywhere (note the "*" wildcard).
Media is only allowed from media1.com and media2.com (and not from
subdomains of those sites).
Executable script is only allowed from userscripts.example.com.
12. Ensure all content is loaded over SSL.
X-Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
The server only permits documents to be loaded over HTTPS from the
single domain onlinebanking.jumbobank.com.
Allow HTML in email, as well as images loaded from anywhere,
but not JavaScript or other potentially dangerous content.
X-Content-Security-Policy: default-src 'self' *.mailsite.com; img-src
13. The server delivers the policy to the user agent via an HTTP response
header.
Content-Security-Policy Header Field
The Content-Security-Policy header field is the preferred mechanism for
delivering a CSP policy.
"Content-Security-Policy:" 1#policy
A server may send more than one HTTP header field named
Content-Security-Policy with a given resource representation.
A server may send different Content-Security-Policy header field
values with different representations of the same resource or with
different resources.
On receiving an HTTP response containing at least one
Content-Security-Policy header field, the user agent enforces each of
the policies contained in each such header field.
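The source-matching rules behind scenarios 10 to 12 ('self', the "*" wildcard, "*.mydomain.com" subdomain matching, a source with an explicit https scheme) and the rule from slide 13 that a user agent enforces every Content-Security-Policy header it receives, worked through as an added Python example that is not code from the slides. DOC, HEADERS and the URLs checked are constructed; the matching follows the CSP source-expression rules as I understand them, and the checker accepts the X- prefixed header name only so the slides' own examples can be fed to it, since current browsers honour just the unprefixed header.

```python
"""User-agent side of Content Security Policy: parse the header, match source
expressions, and enforce every policy present in a response.
Added example, not code from the original slides. DOC, HEADERS and all URLs
are constructed; matching covers 'self', 'none', '*', scheme-only sources and
host sources with an optional scheme, port and leading '*.' wildcard."""
from urllib.parse import urlsplit

# The X- prefixed name is the older experimental form used on the slides;
# current browsers honour only the unprefixed header. Both are read here so
# the slides' examples can be checked as written.
CSP_HEADER_NAMES = ("content-security-policy", "x-content-security-policy")

# Fetch type -> governing directive; default-src is the fallback when absent.
DIRECTIVE_FOR = {"script": "script-src", "style": "style-src", "img": "img-src",
                 "media": "media-src", "font": "font-src", "connect": "connect-src"}


def parse_policy(text):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}."""
    policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # a repeated directive is ignored, as in CSP
    return policy


def _origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.port


def source_matches(expr, url, document_url):
    """Does one source expression permit loading `url` into a document at `document_url`?"""
    expr = expr.lower()
    scheme, host, port = _origin(url)
    doc_scheme, doc_host, doc_port = _origin(document_url)
    if expr == "'none'":
        return False
    if expr == "'self'":                         # same scheme, host and port as the document
        return (scheme, host, port) == (doc_scheme, doc_host, doc_port)
    if expr == "*":                              # any host: the slides' wildcard
        return True
    if expr.endswith(":"):                       # scheme-only source such as "https:"
        return scheme == expr[:-1]
    # host-source: [scheme://]host[:port], where host may start with "*."
    src_scheme, _, rest = expr.rpartition("://")
    src_host, _, src_port = rest.partition(":")
    if src_scheme:
        if scheme != src_scheme:                 # "https://bank.example" rejects http://bank.example
            return False
    elif scheme not in (doc_scheme, "https"):    # a scheme-less source inherits the document's scheme
        return False
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):      # "*.mydomain.com" matches subdomains only
            return False
    elif host != src_host:                       # "media1.com" does not cover its subdomains
        return False
    effective_port = port or {"http": 80, "https": 443}.get(scheme)
    return not src_port or src_port == "*" or src_port == str(effective_port)


def allowed_by_policy(policy, kind, url, document_url):
    """Consult the governing directive, else default-src; no directive at all means no restriction."""
    sources = policy.get(DIRECTIVE_FOR[kind], policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, document_url) for s in sources)


def allowed(headers, kind, url, document_url):
    """Slide 13: the user agent enforces every policy in the response, so a
    load must satisfy all of them; an extra header can only tighten things."""
    policies = [parse_policy(v) for name, v in headers if name.lower() in CSP_HEADER_NAMES]
    return all(allowed_by_policy(p, kind, url, document_url) for p in policies)


# Constructed response carrying the slide-11 policy.
DOC = "https://example.com/page"
HEADERS = [("Content-Type", "text/html"),
           ("Content-Security-Policy", "default-src 'self'; img-src *; "
            "media-src media1.com media2.com; script-src userscripts.example.com")]

if __name__ == "__main__":
    checks = [("img", "http://anywhere.org/a.png"),
              ("media", "https://cdn.media1.com/clip.mp4"),
              ("script", "https://example.com/app.js"),
              ("script", "https://userscripts.example.com/user.js")]
    for kind, url in checks:
        verdict = "allowed" if allowed(HEADERS, kind, url, DOC) else "blocked"
        print(f"{kind:6} {url:45} {verdict}")
```

Two points the slides state but that are easy to miss show up directly in the results: once script-src is present, default-src is not consulted for scripts, so with the slide-11 policy a script from the page's own origin is blocked even though default-src says 'self'; and a second Content-Security-Policy header can only remove permissions, never add them, because every policy must allow the load.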