Document directives
● base-uri
  ○ allowed URLs for <base>
● plugin-types
  ○ allowed media types for <object> / <embed>
● sandbox
  ○ behave like a sandboxed iframe
● disown-opener
  ○ behave like noopener
CSP keywords
● 'self'
  ○ only from the same origin
● 'none'
  ○ from nowhere
● 'unsafe-inline'
  ○ allow inline <script> / <style>
● 'unsafe-eval'
  ○ allow eval() in JS
● 'strict-dynamic'
  ○ specify a nonce for the script
● 'unsafe-hashed-attributes'
  ○ specify a hash of the inline script
No more escaping input?
● CSP only checks a policy, not the attack
  ○ if the policy has a hole, an incident can still happen
  ○ old browsers have no CSP implementation
● do the security work, and add CSP as cover
  ○ if a security hole exists, block the attack
The report doesn't tell me about the attack
● you can know WHAT happened
  ○ document-uri
  ○ violated-directive
● you can't know WHY it happened
  ○ attack? or not?
● you can't know WHAT the result was for the USER
  ○ ad image not displayed?
  ○ can't read the article?
Too strict to deploy immediately
● hard to make sure your policy is right
  ○ crawling with a browser on staging
● real-world problems
  ○ every user uses a different browser with various settings
● deploy in production immediately?
  ○ bad experience for users?
  ○ is it worse than blocking the attack?
CSP-Report-Only
● only sends reports
  ○ finds out WHAT happened only
● rolling out to remove report-only
  ○ after finishing testing the policy
  ○ but I think it's optional
  ○ finding out what happened is enough for integration
blog.jxck.io
● basically static contents only
  ○ no
  ○ no dynamically generated content
  ○ no CDN
● potentially no XSS
  ○ violations by non-XSS attacks
  ○ or attacks that were not expected
Steroids (powerful but…)
● blog for engineers
  ○ bookmarklets, extensions, local proxies, etc.
  ○ users normally arrange contents by themselves
● almost all of them seem not to be attacks
  ○ do we really need to block them?
  ○ safe? inconvenient?
● protected / crippled
  ○ depends on the contents
  ○ GitHub / Twitter etc.
Finding mixed contents
● mixed contents
  ○ HTTP subresources in an HTTPS page
  ○ can't ensure they are not falsified by a MITM
  ○ no green URL bar
● active
  ○ possible to modify the outer DOM (script, iframe, etc.)
  ○ blocked
● passive
  ○ impossible to modify the outer DOM (img, video, audio, etc.)
  ○ error but not blocked
HTTPS Everywhere vs mixed contents
● cases of mixed contents
  ○ consumer generated media
  ○ ads
  ○ legacy hard-coded URLs
● if mixed
  ○ insecure URL bar
  ○ broken contents
  ○ invisible ads
Upgrade-Insecure-Requests
● fetch http:// URLs as https://
  ○ 404 if not supported
  ○ never mixed contents
● avoid mixed content with only one header
  ○ no modification of contents
  ○ find mixed content by 404s in the server access.log

Content-Security-Policy: Upgrade-Insecure-Requests
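As an added example (not code from the talk or from blog.jxck.io), the following script does what the "finding mixed contents" slides describe by hand: it walks an HTML page, lists every http:// subresource on an https page, splits them into active (blocked by the browser) and passive (error but loaded), and prints the https:// URL that Upgrade-Insecure-Requests would make the browser fetch instead. The page fragment and the hosts cdn.example, ads.example, blog.example and media.example are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Subresource-loading attributes, split the way browsers treat mixed content:
# ACTIVE ones can modify the embedding page's DOM (blocked), PASSIVE ones
# cannot (console error, but the resource still loads).
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}


class SubresourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every subresource-loading attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # Only stylesheet <link>s count as active mixed content here; icons,
        # preconnect hints and the like are skipped.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        for attr, value in attrs:
            if value and ((tag, attr) in ACTIVE or (tag, attr) in PASSIVE):
                self.found.append((tag, attr, value))


def upgrade(url: str) -> str:
    """The URL Upgrade-Insecure-Requests asks the browser to fetch instead."""
    parts = urlsplit(url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def find_mixed_content(html: str) -> list:
    """Return one record per http:// subresource found in an https page."""
    collector = SubresourceCollector()
    collector.feed(html)
    mixed = []
    for tag, attr, url in collector.found:
        if urlsplit(url).scheme != "http":
            # https, protocol-relative (//host/...) and relative URLs inherit https
            continue
        kind = "active" if (tag, attr) in ACTIVE else "passive"
        mixed.append({"tag": tag, "url": url, "kind": kind, "upgraded": upgrade(url)})
    return mixed


# Constructed page fragment with hypothetical hosts; not a real page.
SAMPLE_HTML = """
<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
</head><body>
<img src="http://ads.example/banner.png">
<img src="https://blog.example/photo.jpg">
<script src="http://cdn.example/lib.js"></script>
<video src="//media.example/clip.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_mixed_content(SAMPLE_HTML):
        print(f"{hit['kind']:<7} <{hit['tag']}> {hit['url']}  ->  {hit['upgraded']}")
```

Running it over a crawl of the staging site (the slides' "crawling with a browser on staging") gives the list of URLs that would break or be upgraded before the header is switched on, so the 404s that show up in access.log afterwards can be matched back to the page that caused them.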
report-uri.io
● not recommended (in production)
  ○ bad UI
  ○ bad response time when sending a report
  ○ can't see data older than half a year
  ○ can't see HTTP headers
  ○ can't export your data
● do it yourself
  ○ simple POST endpoint for JSON
  ○ Kibana, Grafana, BigQuery, etc.
  ○ Google Analytics support is welcome :)
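The "simple POST endpoint for JSON" above, plus the earlier points that a report only tells you WHAT happened and that on an engineers' blog most violations come from extensions and bookmarklets rather than attacks, are illustrated by the following added example (not code from the talk or the blog). It parses the JSON bodies a browser POSTs to report-uri, keeps only the fields the slides name (document-uri, violated-directive, blocked-uri), sorts each violation by what blocked-uri reveals, and counts them per directive. The sample bodies and the hosts blog.example, ads.example and third-party.example are constructed; the classification rules are the author's own, not a browser API.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report bodies, in the shape a browser POSTs to the
# report-uri endpoint (JSON with a top-level "csp-report" object).
# Hypothetical hosts; not real traffic.
SAMPLE_BODIES = [
    # a browser extension injecting its own content script
    '{"csp-report": {"document-uri": "https://blog.example/entry/1",'
    ' "effective-directive": "script-src", "violated-directive": "script-src",'
    ' "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js"}}',
    # an inline <style>: user style, bookmarklet or attack, the report cannot say
    '{"csp-report": {"document-uri": "https://blog.example/entry/1",'
    ' "effective-directive": "style-src", "violated-directive": "style-src \'self\'",'
    ' "blocked-uri": "inline"}}',
    # a plain-http image on an https page: mixed content, not XSS
    '{"csp-report": {"document-uri": "https://blog.example/entry/2",'
    ' "effective-directive": "img-src", "violated-directive": "img-src \'self\'",'
    ' "blocked-uri": "http://ads.example/banner.png"}}',
    # a script from an origin the policy never allowed
    '{"csp-report": {"document-uri": "https://blog.example/entry/2",'
    ' "effective-directive": "script-src", "violated-directive": "script-src \'self\'",'
    ' "blocked-uri": "https://third-party.example/lib.js"}}',
    # garbage POSTed to the endpoint by something that is not a browser
    'not json at all',
]

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension"}


def parse_report(body: str) -> dict:
    """Parse one POSTed body and return its csp-report object; ValueError if absent."""
    data = json.loads(body)  # json.JSONDecodeError is a ValueError subclass
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body has no csp-report object")
    return report


def classify(report: dict) -> str:
    """Sort a violation by what blocked-uri tells us: WHAT was blocked, never WHY."""
    blocked = report.get("blocked-uri", "")
    document = report.get("document-uri", "")
    # Browsers report inline script/style and eval() with these literal values
    # instead of a URL, so the source cannot be located from the report alone.
    if blocked in ("inline", "eval", "self", ""):
        return "inline-or-eval"
    scheme = urlsplit(blocked).scheme
    if scheme in EXTENSION_SCHEMES:
        return "browser-extension"
    if scheme == "http" and urlsplit(document).scheme == "https":
        return "mixed-content"
    return "external"


def directive_of(report: dict) -> str:
    """Prefer effective-directive; older reports only carry violated-directive,
    which may hold the whole directive value ("img-src 'self'"), so keep the name."""
    effective = report.get("effective-directive")
    if effective:
        return effective
    return (report.get("violated-directive") or "unknown").split()[0]


def summarize(bodies) -> dict:
    """Count violations per (directive, category) over a batch of POST bodies."""
    counts = Counter()
    for body in bodies:
        try:
            report = parse_report(body)
        except ValueError:
            counts[("malformed", "malformed")] += 1
            continue
        counts[(directive_of(report), classify(report))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (directive, category), n in sorted(summarize(SAMPLE_BODIES).items()):
        print(f"{directive:<12} {category:<18} {n}")
```

The counts are what you would feed to Kibana, Grafana or BigQuery; the "external" bucket is the one worth a human look, while "browser-extension" and "inline-or-eval" on a static blog are usually the steroids the slides describe. Nothing in the report says whether the user noticed anything, which is exactly the WHAT/WHY gap the slides point out.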
HTTP Public Key Pinning
● pin a hash of the public key
  ○ avoid CA incidents
● hard to deploy
  ○ backup pin

Public-Key-Pins: pin-sha256="#{hash-of-public-key}"
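The "backup pin" bullet is the part that makes HPKP hard to deploy: a header served with only the current key's pin locks users out as soon as that key has to be replaced. The following added example (not code from the talk) derives the pin-sha256 value as RFC 7469 defines it, base64 of SHA-256 over the certificate's SubjectPublicKeyInfo in DER, and assembles the header while refusing to emit one without at least one distinct backup pin. The SPKI byte strings are constructed placeholders, not real keys; a real SPKI would come from the certificate. Note that major browsers have since removed HPKP support, so this mainly documents the mechanism the slide refers to.

```python
import base64
import hashlib


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER)), 44 characters."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Assemble the Public-Key-Pins header value.

    RFC 7469 requires at least two pins so that one of them can be a backup
    that is not in the served chain. Refusing to build a header without a
    distinct backup pin is the cheapest guard against pinning yourself out.
    """
    distinct = list(dict.fromkeys(pins))  # de-duplicate, keep order
    if len(distinct) < 2:
        raise ValueError("need the current pin plus at least one distinct backup pin")
    parts = [f'pin-sha256="{p}"' for p in distinct]
    parts.append(f"max-age={int(max_age)}")
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


# Constructed placeholder SPKI bytes, NOT real keys. For a real certificate the
# DER is what `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der`
# produces; the backup pin belongs to a key kept offline, not in the served chain.
CURRENT_SPKI = b"constructed-placeholder-spki-current"
BACKUP_SPKI = b"constructed-placeholder-spki-backup"

if __name__ == "__main__":
    header = build_hpkp_header(
        [pin_sha256(CURRENT_SPKI), pin_sha256(BACKUP_SPKI)],
        max_age=5184000,          # 60 days
        report_uri="/hpkp-report",
    )
    print("Public-Key-Pins:", header)
```

A short max-age during rollout limits the damage of a wrong pin in the same way CSP-Report-Only limits the damage of a wrong policy; the Public-Key-Pins-Report-Only header exists for the same purpose.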