CSP

Transcript

1. csp ben toews github

2. the problem

3. None

4. <script>alert(123)</script>

5. the old fix

6. &lt;script&gt;alert(123)&lt;/script&gt;

7. the problem

8. None

9. <script>alert(123)</script>

10. the new fix

11. csp

12. <a onclick=‘doit()’>123</a>

13. <a onclick=‘doit()’>123</a>

14. <a href=‘javascript:doit()’>123</a>

15. <a href=‘javascript:doit()’>123</a>

16. <a style=‘display: block’>123</a>

17. <a style=‘display: block’>123</a>

18. csp = no javascript + no css = 1995?

19. csp = source whitelisting!

20. X-Content-Security-Policy: default-src *; script-src https://github.com https://a24 8.e.akamai.net https://jobs.github.com h ttps://ssl.google-analytics.com

    https://s ecure.gaug.es https://gist.github.com; s tyle-src https://github.com https://a248. e.akamai.net https://jobs.github.com htt ps://ssl.google-analytics.com https://sec ure.gaug.es https://gist.github.com 'uns afe-inline'; report-uri /errors Content-Se curity-Policy: default-src *; script-src htt ps://github.com https://a248.e.akamai.ne

21. Content-Security-Policy: X-WebKit-CSP: X-Content-Security-Policy:

22. default-src

23. script-src

24. style-src

25. object-src

26. img-src

27. media-src

28. frame-src

29. font-src

30. connect-src

31. Content-Security-Policy: img-scr ‘none’

32. Content-Security-Policy: img-scr ‘self’

33. Content-Security-Policy: img-scr ‘unsafe-inline’

34. Content-Security-Policy: img-scr ‘unsafe-eval’

35. Content-Security-Policy: img-scr https://me.com:443

36. ity-Policy: img-scr https:

37. ity-Policy: img-scr me.com

38. ity-Policy: img-scr *.me.com

39. ity-Policy: img-scr https://me.com

40. ity-Policy: img-scr me.com:443

41. Content-Security-Policy: default-src ‘self’; object-src h ttps://youtube.com; img-src http://foo.akami.com https://bar.akami.com;

42. report-uri

43. { "csp-report": { "document-uri": "https://github.com/", "referrer": "", "blocked-uri": "self", "violated-directive":

    "eval script base restriction", "source-file": "chrome://firebug/content/co...", "script-sample": "call to eval() or related...", "line-number": 166 } }

44. the end...