Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defeating Cross-Site Scripting with Content Security Policy

Francois Marier
March 07, 2012
Programming
1
120

Defeating Cross-Site Scripting with Content Security Policy

How a new proposed HTTP response header can help increase the depth of your web application defenses.

Francois Marier

March 07, 2012
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
260
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
250
Hardening Firefox for Privacy and Security
fmarier
0
910
Security and Privacy on the Web in 2016
fmarier
0
180
Privacy and Tracking Protection in Firefox
fmarier
0
220
Security and Privacy on the Web in 2015
fmarier
0
180
Security and Privacy on the Web in 2015
fmarier
0
160
Integrity protection for third-party JavaScript
fmarier
1
710
URL to HTML
fmarier
1
240

Other Decks in Programming

See All in Programming
Elm Form Validation
bkuhlmann
0
510
VS Code をプロダクトにどう取り込むか
onomax
1
350
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
520
Git Rebase
bkuhlmann
11
1.6k
GitHub Copilotのススメ
marcy731
0
190
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
260
Goのエラースタックトレースの歴史と今後
sonatard
6
740
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
820
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
640
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
23
15k
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
110
Git Lint
bkuhlmann
4
750

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
36
2.1k
Bash Introduction
62gerente
604
210k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
What's in a price? How to price your products and services
michaelherold
237
11k
In The Pink: A Labor of Love
frogandcode
138
21k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Practical Orchestrator
shlominoach
181
9.7k
StorybookのUI Testing Handbookを読んだ
zakiyama
12
4.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
Navigating Team Friction
lara
177
13k
Six Lessons from altMBA
skipperchong
20
3k
We Have a Design System, Now What?
morganepeng
42
6.7k

Transcript

  1. Defeating cross-site scripting with Content Security Policy Francois Marier <[email protected]>

  2. what is a cross-site scripting (aka “XSS”) attack?

  3. None
  4. None
  5. None
  6. None

  7. preventing XSS attacks

  8. print <<<EOF <html> <h1>$title</h1> </html> EOF;

  9. $title = escape($title); print <<<EOF <html> <h1>$title</h1> </html> EOF;

  10. templating system

  11. page.tpl: <html> <h1>{title}</h1> </html> page.php: render(“page.tpl”, $title);

  12. auto-escaping turned ON

  13. page.tpl: <html> <h1>{title|raw}</h1> </html> page.php: render(“page.tpl”, $title);

  14. auto-escaping turned ON != escaping always ON

  15. browser default = allow all the real problem:

  16. None

  17. a way to get the browser to enforce the restrictions

    you want on your site

  18. $ curl --head https://www.libravatar.org/ X-Content-Security-Policy: default-src 'self' ; img-src 'self'

    data

  19. $ curl --head https://www.libravatar.org/account/login/ X-Content-Security-Policy: default-src 'self' ; img-src 'self'

    data ; frame-src 'self' https://browserid.org ; script-src 'self' https://browserid.org

  20. $ curl --head http://fmarier.org/ X-Content-Security-Policy: default-src 'none' ; img-src 'self'

    ; style-src 'self' ; font-src 'self'

  21. <object> <script> <style> <img> <audio> & <video> <frame> & <iframe>

    <font> WebSocket & XMLHttpRequest

  22. >= 4 >= 13 >= 10 >= 5

  23. what does a CSP-enabled website look like?

  24. None
  25. None

  26. unless explicitly allowed by your policy inline scripts are not

    executed
  27. None
  28. None

  29. unless explicitly allowed by your policy external resources are not

    loaded

  30. preparing your website for CSP (aka things you can do

    today)

  31. eliminate inline scripts and styles

  32. <script> do_stuff(); </script>

  33. <script src=”do_stuff.js”> </script>

  34. eliminate javascript: URIs

  35. <a href=”javascript:go()”> Go! </a>

  36. <a id=”go-button” href=”#”> Go! </a> var button = document.getElementById('go-button'); button.onclick

    = go;

  37. add headers in web server config

  38. <Location /some/page> Header set X-Content-Security-Policy "default-src 'self' ; script-src 'self'

    http://example.org" </Location>

  39. not a replacement for proper XSS hygiene

  40. great tool to increase the depth of your defenses

  41. Spec: http://www.w3.org/TR/CSP/ HOWTO: https://developer.mozilla.org/en/Security/CSP Copyright © 2012 François Marier Released

    under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence fmarier fmarier

  42. Credits: Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/ Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/