Defeating Cross-Site Scripting with Content Security Policy (updated)

How a new HTTP response header can help increase the depth of your web application defenses.

Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.

Francois Marier

January 29, 2013

Transcript

  1. $ curl --head https://example.com/login
     Content-Security-Policy: default-src 'self' ;
       img-src 'self' data ;
       frame-src 'self' https://login.persona.org ;
       script-src 'self' https://login.persona.org
  2. <object>, <applet> & <embed>
     <script>
     <style> & <link>
     <img>
     <audio>, <video>, <source> & <track>
     <frame> & <iframe>
     @font-face
     WebSocket, EventSource, & XMLHttpRequest
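     Added example (not code from the deck): a small CSP 1.0 matcher that parses the policy from slide 1 and decides, for each kind of load listed on slide 2, whether a page at https://example.com/login may fetch a given URL. The element-to-directive mapping is the one the CSP 1.0 specification defines (object-src, script-src, style-src, img-src, media-src, frame-src, font-src, connect-src), with default-src as the fallback. The slide's "data" is written as `data:`, the scheme-source form CSP expects; hosts such as cdn.example.net are constructed for the demonstration, and the matching logic is a simplified version of what a browser does, not a browser's own code.

```python
from urllib.parse import urlsplit

# Which CSP 1.0 directive governs each kind of load; the groups follow slide 2.
DIRECTIVE_FOR = {
    "object": "object-src",    # <object>, <applet> & <embed>
    "script": "script-src",    # <script>
    "style": "style-src",      # <style> & <link rel="stylesheet">
    "img": "img-src",          # <img>
    "media": "media-src",      # <audio>, <video>, <source> & <track>
    "frame": "frame-src",      # <frame> & <iframe>
    "font": "font-src",        # @font-face
    "connect": "connect-src",  # WebSocket, EventSource & XMLHttpRequest
}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Policy from slide 1 (the slide's "data" spelled as the scheme source data:).
EXAMPLE_POLICY = ("default-src 'self'; img-src 'self' data:; "
                  "frame-src 'self' https://login.persona.org; "
                  "script-src 'self' https://login.persona.org")
PAGE_URL = "https://example.com/login"


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, load_type):
    """Source list governing a load: its own directive, else default-src.
    With neither present CSP 1.0 imposes no restriction, which '*' expresses."""
    return policy.get(DIRECTIVE_FOR[load_type], policy.get("default-src", ["*"]))


def source_matches(source, url, page_url):
    """Does one source expression permit fetching `url` from a page at `page_url`?"""
    src, target, page = source.lower(), urlsplit(url), urlsplit(page_url)
    if src == "'none'":
        return False
    if src == "'self'":            # same scheme, host and port as the document
        return (target.scheme, target.netloc.lower()) == (page.scheme, page.netloc.lower())
    if src == "*":
        return True
    if src.endswith(":"):          # scheme source such as data: or https:
        return target.scheme == src[:-1]
    if src.startswith("'"):        # 'unsafe-inline' / 'unsafe-eval' never match a URL
        return False
    # host source: [scheme://]host[:port], where host may begin with "*."
    scheme, _, hostport = src.rpartition("://")
    if target.scheme != (scheme or page.scheme):
        return False
    host, _, port = hostport.partition(":")
    if host.startswith("*."):
        if not (target.hostname or "").endswith(host[1:]):
            return False
    elif target.hostname != host:
        return False
    wanted = port or DEFAULT_PORT.get(scheme or page.scheme)
    actual = target.port or DEFAULT_PORT.get(target.scheme)
    return wanted == "*" or str(actual) == str(wanted)


def load_allowed(policy, load_type, url, page_url=PAGE_URL):
    """True if the policy lets a page at page_url load `url` as `load_type`."""
    return any(source_matches(s, url, page_url) for s in effective_sources(policy, load_type))


def inline_allowed(policy, load_type):
    """Inline <script>/<style> bodies and on* handlers run only with 'unsafe-inline'."""
    return "'unsafe-inline'" in [s.lower() for s in effective_sources(policy, load_type)]


SLIDE_POLICY = parse_csp(EXAMPLE_POLICY)

if __name__ == "__main__":
    for load_type, url in [("script", "https://example.com/app.js"),
                           ("script", "https://login.persona.org/include.js"),
                           ("script", "https://cdn.example.net/lib.js"),   # constructed third party
                           ("img", "data:image/png;base64,iVBORw0KGgo="),
                           ("style", "https://login.persona.org/style.css")]:
        verdict = "allowed" if load_allowed(SLIDE_POLICY, load_type, url) else "BLOCKED"
        print(f"{load_type:7} {url:45} {verdict}")
    print("inline <script>:", "allowed" if inline_allowed(SLIDE_POLICY, "script") else "BLOCKED")
```

     The two results that matter for XSS are the last two lines of the run: an injected inline <script> is blocked because no directive carries 'unsafe-inline', and an injected external script can only come from the page's own origin or login.persona.org. Note also that style-src is absent from the slide's policy, so stylesheets fall back to default-src 'self'.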
  3. $ curl --head https://login.persona.org
     HTTP/1.1 200 OK
     Vary: Accept-Encoding,Accept-Language
     Cache-Control: public, max-age=0
     Content-Type: text/html; charset=utf8
     Strict-Transport-Security: max-age=2592000
     Date: Thu, 16 Aug 2012 03:29:19 GMT
     ETag: "2943768d6a45793897e83bf8804cd711"
     Connection: keep-alive
     X-Frame-Options: DENY
     Content-Length: 5374
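     Added example (not code from the deck): a model of the known-HSTS-host list a browser keeps, fed with the Strict-Transport-Security header from slide 3, to show why the header defeats sslstrip. Once login.persona.org has been seen over HTTPS, a later http:// link to it is rewritten to https:// inside the browser before any request goes on the wire, so there is no plaintext request for an attacker on the network to tamper with; the rewrite stops when max-age (2592000 seconds, i.e. 30 days) runs out, and a header received over plain HTTP is ignored. The rules implemented are those of RFC 6797; the www.example.com and persona.org entries in the second scenario are constructed, and HstsCache is a simplified stand-in for a browser's store, not browser code.

```python
from urllib.parse import urlsplit, urlunsplit

# Header value seen on slide 3; 2592000 seconds is 30 days.
SLIDE_HEADER = "max-age=2592000"


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives (RFC 6797 section 6.1)."""
    parsed = {"max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            parsed["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed


class HstsCache:
    """The list of known HSTS hosts a browser keeps, keyed by host name."""

    def __init__(self):
        self.hosts = {}   # host -> (expiry time, include_subdomains)

    def observe(self, host, header, response_scheme, now):
        """Record the header from a response; only responses received over TLS count."""
        if response_scheme != "https":      # RFC 6797 section 8.1: ignore HSTS over plain HTTP
            return
        directives = parse_hsts(header)
        if directives["max_age"] is None:
            return
        if directives["max_age"] == 0:      # max-age=0 tells the browser to forget the host
            self.hosts.pop(host.lower(), None)
            return
        self.hosts[host.lower()] = (now + directives["max_age"], directives["include_subdomains"])

    def is_known(self, host, now):
        """Is `host` (or a parent that set includeSubDomains) still within its max-age?"""
        host = host.lower()
        for known, (expiry, include_subdomains) in self.hosts.items():
            if now >= expiry:
                continue
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// before any request leaves the browser (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        # port 80 becomes the https default; any other explicit port is kept
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def first_visit_then_stripped(seconds_later):
    """One HTTPS visit to login.persona.org at t=0, then an http:// link to it `seconds_later` on
    (the link an sslstrip proxy would hand the user)."""
    cache = HstsCache()
    cache.observe("login.persona.org", SLIDE_HEADER, "https", now=0)
    return cache.rewrite("http://login.persona.org/", now=seconds_later)


def subdomain_scenario():
    """Constructed: a parent domain sets includeSubDomains, and a plain-HTTP response tries to set HSTS."""
    cache = HstsCache()
    cache.observe("persona.org", "max-age=31536000; includeSubDomains", "https", now=0)
    cache.observe("www.example.com", "max-age=31536000", "http", now=0)   # ignored: not over TLS
    return (cache.rewrite("http://login.persona.org/sign_in", now=10),
            cache.rewrite("http://www.example.com/", now=10))


if __name__ == "__main__":
    print("inside max-age :", first_visit_then_stripped(100))
    print("after max-age  :", first_visit_then_stripped(2592000))
    print("subdomain case :", subdomain_scenario())
```

     The second call shows the limit of the header: protection lasts only as long as max-age, and the very first visit is unprotected unless the host is preloaded, which is why the value is usually set far longer than the 30 days shown on the slide.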
  4. Photo credits:
     Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
     Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/
     Castle walls: https://secure.flickr.com/photos/rdale/585105348/
     Wash hands: https://secure.flickr.com/photos/hygienematters/4504612019/
     Copyright © 2013 François Marier
     Released under the terms of the Creative Commons Attribution Share Alike 3.0 Unported Licence