Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
How CSP Will (maybe) Solve the XSS Problem
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Neil Matatall
September 12, 2014
Programming
170
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
How CSP Will (maybe) Solve the XSS Problem
More ramblings about how awesome csp and how it solves all of your problems.
Neil Matatall
September 12, 2014
More Decks by Neil Matatall
See All by Neil Matatall
Twubhubbook - It's like appsec, but for startups (with notes)
oreoshake
0
150
Twubhubbook - it's like appsec, but for startups (without notes)
oreoshake
0
130
Automatic Application Security v2
oreoshake
0
160
JRubyFX For Web Developers
oreoshake
0
260
Automatic Application Security
oreoshake
0
170
Putting your robots to work: Security Automation @Twitter
oreoshake
2
190
BSidesLA Managing Content Security Policy
oreoshake
3
1.1k
Other Decks in Programming
See All in Programming
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
160
Agentic UI
manfredsteyer
PRO
0
200
Lessons from Spec-Driven Development
simas
PRO
0
220
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
590
トークンをケチるな、設計しろ:GitHub Copilotを賢く使うコンテキスト戦略
ochtum
0
190
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
560
Strategic Design in the Frontend: Moduliths & Micro Frontends @DDDEurope
manfredsteyer
PRO
0
130
act1-costs.pdf
sumedhbala
0
120
脅威をエンジニアリングの糧にして――現場編 / Turning Threats into Engineering Fuel — Field Edition
nrslib
0
300
PHPで使える日時の表現と、その知り方 #frontend_phpcon_do
o0h
PRO
0
270
OSもどきOS
arkw
0
590
AIを活用したE2Eテスト実装効率化のあゆみ / ebisu-mobile-14-kotetu
kotetuco
0
130
Featured
See All Featured
More Than Pixels: Becoming A User Experience Designer
marktimemedia
3
450
[SF Ruby Conf 2025] Rails X
palkan
2
1.1k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
220
Tell your own story through comics
letsgokoyo
1
970
Building AI with AI
inesmontani
PRO
1
1.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
1.4k
We Are The Robots
honzajavorek
0
260
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
620
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
340
Thoughts on Productivity
jonyablonski
76
5.2k
Transcript
How CSP Will (maybe) Solve the XSS Problem Neil Matatall
OWASP SD 4/17/2014
Me • Twitter appsec engineer • I’m actually just a
developer • In the business of going out of business • Sick and tired of fixing XSS
XSS is so 1998
So is XSS prevention
What is XSS <input name=“id” value=“<%=id%>”>
What is XSS ”><script>badStuff()</script>
What is XSS <input name=“id” value=“”> <script>badStuff()</script> ”>
What is XSS <script> var id=<%=id%>; </script>
What is XSS 0;badStuff();
What is XSS <script> var id=0; badStuff() </script>
What is XSS <script> setInterval(1000, ‘<%=todo%>’) </script>
What is XSS badStuff();
What is XSS <script> setInterval(1000, ‘badStuff()’) </script>
What is XSS <input name=“id” onBlur=“doStuff(<%=id %>)”>
What is XSS ); badStuff(
What is XSS <input name=“id” onBlur=“doStuff(); badStuff()”>
What is XSS <a href=“<%=link%>”>Hi Mom!</a>
What is XSS javascript:badThings()
What is XSS <a href=“javascript:badThings()”> Hi Mom!</a>
What is XSS <a href=“#” onClick=“doThing(‘<%=link%>’)”> Hi Mom! </a>
What is XSS ');badStuff('
What is XSS <a href=“#” onClick= “doThing(‘');badStuff('’)” > Hi Mom!
</a>
What is XSS <a href=“#” onClick= “doThing(‘’);badStuff(‘’)”> Hi Mom! </a>
What is DOM XSS <script> document.body.innerHTML = document.getElementById(‘name’).value; </script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
What is DOM XSS <script> var name = $(‘#name’).val $(‘body’).html(name)
</script>
What is DOM XSS
What is DOM XSS <body> <img src=x onError=badThings()> </body>
jQuery is XSS $(data)
What is XSS <style> a { color: <%=usersFavoriteColor%>; } </style>
What is XSS I dunno, something with SVG, CSS Expressions,
etc. The list grows.
Because Dr. Mario
Because Dr. Mario
Why do those crazy things?
CODE != DATA “select * from table where id =
“ + id “<a href=“ + link + “>text</a>”
But we don’t do stupid things
I will religiously escape content
I will religiously escape content part 2
JSFuck - Write any JavaScript with 6 Characters: []()!+ I
will religiously escape content part 3
None
I’ll sanitize / validate input
I’ll use a scanner
I’ll perform periodic assessments
Security is about layers
None
Thermos? Koozie?
<script>goodStuff()</script> <script>badStuff()</script> How does the browser know?
What is dangerous? • inline javascript • <script>…</script> • <input
onBlur=“…”> • <a href=“javascript:…”> • on-the-fly code generation • setTimeout, eval, new Function(“…”)
What’s a CSP??? default-src ‘self’; connect-src ‘self’; font-src ‘self’ data:;
frame-src ‘self’ about: javascript:; frame-ancestors https://twitter.com; img-src https://mycdn.xom data:; media-src ‘https://mycdn.xom; object-src ‘none’; script-src https://mycdn.xom; style-src 'unsafe-inline' https://mycdn.xom; report-uri https://twitter.com/scribes/csp_report
CSP is more than XSS protection
Nothing is free
Report-Only mode
Techniques for removing inline javascript
Removing the dangerous stuff
CSP 1.1 • Whitelisting inline <script> in a safe way
Inline code <script> stuff() </script>
Nonces <script nonce=“34298734…”> stuff() </script>
Hashes <script> stuff() </script>
Hashes are more secure, and more limited than nonces
What you still can’t do • Inline event handlers •
<input onBlur=“doGoodThing()”> • <a href=“javascript:…”> • Dynamic javascript • <script> var id=<%=id%> </script> • Hash values won’t match • Nonce provides absolutely no security
Automatic CSP Protection (Silverish bullet)
Whitelisting javascript • Find all javascript • Compute all hash
values • Whitelist scripts with corresponding hashes
Assume: Sane web framework • Do a regular expression search
over all templates, capture all inline javascript • Store a map of the hash(es) in each individual file • Each time the file is rendered, add the corresponding hashes to the header
Developer productivity • Serve dynamic hash values in (!production), serve
hardcoded hash values in production
None