Content Security Policy (CSP) is Growing Up.
We have talked here about Content Security Policy (CSP) in the past. CSP is trying to tackle a pretty difficult problem. When it comes to cross-site-scripting (XSS), the browser and the user is usually the victim, not so much the server that is susceptible to XSS. As a result, it makes a lot of sense to add protections to the browser to prevent XSS. This isn't easy, because the browser has no idea what Javascript (or other content) to expect from a particular site. Microsoft implemented a simple filter in IE 8 and later, matching content submitted by the user to content reflected back by the site, but this approach is quite limited.
CSP is an attempt to define a policy informing the browser about what content to expect from a site. Initially, only Firfox supported CSP. But lately, CSP has evolved into a standard, and other browsers started to implement it [1]. The very granular langauge defined by CSP allows sites to specify exactly what content is "legal" on a particular site.
Implementing CSP on a new site isn't terrible hard, and may actually lead to a cleaner site. But the difficult part is to implement CSP on existing sites (like this site). Sites grow "organically" over the years, and it is difficult to come back later and define a policy. You are bound to run into false positives, or your policy is relaxed to the point where it becomes meaningless.
Luckily, CSP has a mechanism to help us. You are able to define a "Report URL", and browsers will report any errors they encounter to said URLs. The reports are reasonably easy to read JSONÂ snippets including the page that caused the problem, the policy they violated, and even an excerpt from the part of the page that caused the problem.
Recently, a few nice tools have cropped up to make it easier to parse these reports and build CSPs. For example Stuart Larsen implemented "CASPR" [2], a plugin for Chrome that was built to create CSPs and to analyze the reports. Tools like this make implementing CSPs a lot easier.Â
Any other tools or resources you like to help implementing CSPs?
Update: We got a couple of additional resources in via Twitter:
Using "Virtual Patching" to implement CSP on your Web Application Firewall
Twitter account focusing on CSP:Â http://twitter.com/SeeEssPee
Thanks to @imeleven for pointing out that Firefox was the first browser to support CSP. He also pointed to this slide deck:Â http://www.slideshare.net/imelven/evolving-web-security-model-v11-portland-owasp-may-29-2014
â??
Â
[1]Â http://www.w3.org/TR/CSP/
[2] http://caspr.io
Â
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
- Extensions can be sandboxed by local CSP policy
- A web site can profile users' installed extensions
With all browsers, certain spyware, greasemonkey-type scripts, and man-in-the-browser malware can be identified and blocked.
I also found this very interesting: http://homakov.blogspot.com/2014/01/using-content-security-policy-for-evil.html
Anonymous
Sep 11th 2014
1 decade ago
See http://brianmayer.com/2012/12/defeating-chromes-content-security-policy-header-via-a-chrome-extension/
Anonymous
Sep 17th 2014
1 decade ago
If you want to bypass CSP, you can also use netcat as a browser, or any browser that doesn't support CSP. It doesn't defend against malicious users, it defends users from becoming the victims.
Anonymous
Sep 17th 2014
1 decade ago