Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CSP
Search
Ben Toews
January 10, 2013
Technology
310
7
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
CSP
Content Security Policy
Ben Toews
January 10, 2013
More Decks by Ben Toews
See All by Ben Toews
GitHub AppSec: Keeping up with 111 prolific engineers
mastahyeti
0
130
The sky is falling: Nephological tales of security woe
mastahyeti
0
50
State of the Union: Advances in Web Application and Browser Security
mastahyeti
2
120
Other Decks in Technology
See All in Technology
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
5.3k
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
2
270
凡エンジニアがこの先生きのこるためには。〜TypeScript完全に理解したい〜
alchemy1115
2
180
10年目を迎えた「ABEMA」がどのように AI 活用を推進して、AI 駆動開発にシフトしているのか / How ABEMA, entering its 10th year, is promoting the use of AI and shifting toward AI-driven development
miyukki
0
130
Claude Code公式skillで 自分の仕事を少しずつ手放そう!(Claude Code開発ノウハウ大公開スペシャル by クラスメソッド)
kaym
1
300
AIと共生する開発者プラットフォーム:バクラクのモノレポ×マイクロサービス基盤
sakajunquality
2
3.4k
ruby.wasmとPicoRuby.wasmに対応した仮想DOMライブラリを作ってる話 #kaigieffect_kaigi
sue445
PRO
0
140
アカウントが増えてからでは遅い? ~ マルチアカウント統制の勘所 ~
kenichinakamura
0
230
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
180
穢れた技術選定について
watany
4
400
KiCAD講習会②
tutcreators
0
110
世界、断片、モデル。そして理解
ardbeg1958
1
110
Featured
See All Featured
Leo the Paperboy
mayatellez
8
1.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
270
14k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
6k
Darren the Foodie - Storyboard
khoart
PRO
3
3.4k
We Are The Robots
honzajavorek
0
270
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
First, design no harm
axbom
PRO
2
1.2k
Designing for Timeless Needs
cassininazir
1
320
Designing Powerful Visuals for Engaging Learning
tmiket
1
450
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
11
970
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
Transcript
csp ben toews github
the problem
None
<script>alert(123)</script>
the old fix
<script>alert(123)</script>
the problem
None
<script>alert(123)</script>
the new fix
csp
<a onclick=‘doit()’>123</a>
<a onclick=‘doit()’>123</a>
<a href=‘javascript:doit()’>123</a>
<a href=‘javascript:doit()’>123</a>
<a style=‘display: block’>123</a>
<a style=‘display: block’>123</a>
csp = no javascript + no css = 1995?
csp = source whitelisting!
X-Content-Security-Policy: default-src *; script-src https://github.com https://a24 8.e.akamai.net https://jobs.github.com h ttps://ssl.google-analytics.com
https://s ecure.gaug.es https://gist.github.com; s tyle-src https://github.com https://a248. e.akamai.net https://jobs.github.com htt ps://ssl.google-analytics.com https://sec ure.gaug.es https://gist.github.com 'uns afe-inline'; report-uri /errors Content-Se curity-Policy: default-src *; script-src htt ps://github.com https://a248.e.akamai.ne
Content-Security-Policy: X-WebKit-CSP: X-Content-Security-Policy:
default-src
script-src
style-src
object-src
img-src
media-src
frame-src
font-src
connect-src
Content-Security-Policy: img-scr ‘none’
Content-Security-Policy: img-scr ‘self’
Content-Security-Policy: img-scr ‘unsafe-inline’
Content-Security-Policy: img-scr ‘unsafe-eval’
Content-Security-Policy: img-scr https://me.com:443
ity-Policy: img-scr https:
ity-Policy: img-scr me.com
ity-Policy: img-scr *.me.com
ity-Policy: img-scr https://me.com
ity-Policy: img-scr me.com:443
Content-Security-Policy: default-src ‘self’; object-src h ttps://youtube.com; img-src http://foo.akami.com https://bar.akami.com;
report-uri
{ "csp-report": { "document-uri": "https://github.com/", "referrer": "", "blocked-uri": "self", "violated-directive":
"eval script base restriction", "source-file": "chrome://firebug/content/co...", "script-sample": "call to eval() or related...", "line-number": 166 } }
the end...