Content Security Policy (CSP) allows web site administrators to control the resources the user agent is allowed to load for a given page. It is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. We learn what these policies are and how to use them.
2. About me
HI I’M PHILIPPE
I’m a Senior Application
Security Analyst at Lightspeed.
Long-time internet developer,
author, screen caster, podcaster
and speaker. I specialize in
PHP, Symfony, Kuzzle, security,
code quality, performance, real
time and geolocation.
Sécurité PHP 5 et MySQL 5
OWASP Montreal
PHP Quebec
Table Top Game Developer
Pen & Paper RPG Writer
3. Purpose of the presentation
Improve the code of your website
Protect your site against certain attacks
Protect your users from certain attacks
This is part 2 of Browser Serving Your Web Application Security
4. What is it?
An added layer of security that helps to detect and mitigate certain types of attacks,
including Cross-Site Scripting (XSS) and data injection attacks.
Available as:
HTTP Header
Meta Element
5. 3 levels of specification
Specification 1.0 Recommendation
http://w3c.org/TR/CSP1
Specification 2.0 Recommendation
http://w3c.org/TR/CSP2
Specification 3.0 Working Draft
http://w3c.org/TR/CSP3
6. Compatibility
Android Chrome Edge Firefox Internet Explorer Opera Safari
Recommendation 1 4.4+ 25+ 12+ 23+ 11+ 7+
Recommendation 2 53+ 40+ 15+ 31+ (partial) 27+ 10+
Working Draft 3 59+ 59+ 58+ 48+
7. Server Side Examples
# apache
<IfModule mod_headers.c>
    # option 1: always set the header (overwrites any value the application sent)
    Header set Content-Security-Policy "default-src 'self';"
    # option 2: set the header only if the application did not already send one
    Header setifempty Content-Security-Policy "default-src 'self';"
</IfModule>
# nginx
# $csp is empty when the upstream already sent a CSP header;
# add_header does not add a header whose value is empty, so the upstream value wins
map $upstream_http_content_security_policy $csp {
    '' "default-src 'self';";
}
server {
    location / {
        add_header Content-Security-Policy $csp;
    }
}
18. Fetch Directives Values
| Schemes | CSP 1 | CSP 2 | CSP 3 | Comments |
|---|---|---|---|---|
| https: | ✓ | ✓ | ✓ | |
| http: | ✓ | ✓ | ✓ | Should not be used anymore. All sites should be HTTPS. |
| data: | ✓ | ✓ | ✓ | Insecure. Do not use if possible. |
| mediastream: | ✗ | ✓ | ✓ | Media Capture and Streams API |
| blob: | ✗ | ✓ | ✓ | Represents a file-like object of immutable, raw data. |
| filesystem: | ✗ | ✓ | ✓ | Non-standard FileSystem API |
29. Sandbox Values
| Values | CSP 1 | CSP 2 | CSP 3 | Comments |
|---|---|---|---|---|
| allow-forms | ✓ | ✓ | ✓ | Allows form submission. |
| allow-modals | ✓ | ✓ | ✓ | Allows modal windows to be opened. |
| allow-orientation-lock | ✓ | ✓ | ✓ | Allows the ability to lock the screen orientation to be disabled. |
| allow-pointer-lock | ✓ | ✓ | ✓ | Allows use of the Pointer Lock API. |
| allow-popups | ✓ | ✓ | ✓ | Allows popups. |
| allow-popups-to-escape-sandbox | ✗ | ✗ | ✓ | Allows a sandboxed document to open new windows without forcing the sandboxing flags upon them. |
30. Sandbox Values
| Values | CSP 1 | CSP 2 | CSP 3 | Comments |
|---|---|---|---|---|
| allow-presentation | ✓ | ✓ | ✓ | Allows control over whether an iframe can start a presentation session. |
| allow-same-origin | ✓ | ✓ | ✓ | Allows the document to be treated as being from its normal origin. |
| allow-scripts | ✓ | ✓ | ✓ | Allows scripts to run. |
| allow-top-navigation | ✓ | ✓ | ✓ | Allows navigation of the top-level browsing context. |
33. Report Directives
| Directives | CSP 1 | CSP 2 | CSP 3 | Comments |
|---|---|---|---|---|
| report-uri | ✓ | ✓ | ✓ | Deprecated, but its replacement is not supported yet. |
| report-to | ✗ | ✗ | ✓ | Replaces report-uri, but is not supported yet. If a browser supports report-to, it is used instead of report-uri. |
Meta/Header
• Content-Security-Policy-Report-Only
https://report-uri.com/
38. About SRI
Protects the integrity of imported files.
Verifies that fetched files are delivered without unexpected manipulation.
Uses a cryptographic hash.
<script>, <link>
Base64 of:
SHA-256
SHA-384
SHA-512
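As an added example (not part of the original slides), the following Python computes an SRI integrity token the way the slide describes (base64 of the SHA-256/384/512 digest) and checks fetched bytes against an integrity attribute using the browser's rule that only tokens of the strongest listed algorithm count. The script contents and file names are constructed for the demonstration.

```python
import base64
import hashlib

# Hash functions allowed by the SRI specification, with a relative strength rank.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>' for the given bytes."""
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute the way a browser does:
    parse the whitespace-separated tokens, ignore unknown algorithms and any
    '?option' suffix, keep only tokens of the strongest algorithm present, and
    accept the content if any of those digests matches."""
    parsed = []
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, rest.split("?", 1)[0]))
    if not parsed:
        return True  # no usable token: the spec says the check passes (resource loads unchecked)
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(
        STRENGTH[a] == strongest and sri_digest(content, a) == f"{a}-{d}"
        for a, d in parsed
    )


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> element for a third-party file, pinned to its SHA-384 digest."""
    return f'<script src="{src}" integrity="{sri_digest(content)}" crossorigin="anonymous"></script>'


# Constructed sample: the script we audited, and a tampered copy served later.
ORIGINAL_JS = b"window.csp = function () { return 'default-src self'; };\n"
TAMPERED_JS = ORIGINAL_JS + b"fetch('/leak?c=' + document.cookie);\n"  # constructed
TAG = script_tag("https://cdn.example.invalid/csp.js", ORIGINAL_JS)  # hypothetical URL

if __name__ == "__main__":
    print(TAG)
    print("original accepted:", sri_matches(ORIGINAL_JS, sri_digest(ORIGINAL_JS)))
    print("tampered accepted:", sri_matches(TAMPERED_JS, sri_digest(ORIGINAL_JS)))
```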