A primer on Content Security Policy

CSP
Content Security Policy

View Slide

DISCLAIMER

View Slide

() { :; };

View Slide

THE ISSUE
AT HAND

View Slide

XSS
— and other browser–based attacks

View Slide

Same origin policy

View Slide

Same origin policy
http://foo.com
http://bar.com

View Slide

XSS

View Slide

Persisted XSS

View Slide

Persisted XSS
User A
Server

View Slide

View Slide

Persisted XSS
User A
Server
User B

View Slide

View Slide

User B
User B
User B
Persisted XSS
User A
Server
User B

View Slide

Persisted XSS
User A
Server
User B

View Slide

Reﬂected XSS

View Slide

View Slide

SESSION HIJACKING
CONTENT SPOOFING
…

View Slide

View Slide

THE ROOT
OF THE
PROBLEM?

View Slide

The user

View Slide

The browser

View Slide

THE SOLUTION

View Slide

MOAR REGEX!!1!

View Slide

li {list-style-image: ↵<br/>url(“javascript:alert(‘XSS')");} ↵<br/>XSS
!

!
ipt:aler ↵
t('XSS')>
!
onerror=“alert(String.fromCharCode(88,83,83))”> ↵

View Slide

— OWASP XSS
Prevention Rules

View Slide

Never Insert Untrusted Data
Except in Allowed Locations
1

View Slide

HTML Escape Before Inserting
Untrusted Data into HTML
Element Content
2

View Slide

Attribute Escape Before Inserting
Untrusted Data into HTML
Common Attributes
3

View Slide

JavaScript Escape Before
Inserting Untrusted Data into
JavaScript Data Values
4

View Slide

HTML escape JSON values in an
HTML context and read the data
with JSON.parse
4.1

View Slide

JSON entity encoding
4.1.1

View Slide

HTML entity encoding
4.1.2

View Slide

CSS Escape And Strictly Validate
Before Inserting Untrusted Data
into HTML Style Property Values
5

View Slide

URL Escape Before Inserting
Untrusted Data into HTML URL
Parameter Values
6

View Slide

Sanitize HTML Markup with a
Library Designed for the Job
7

View Slide

Prevent DOM-based XSS
8

View Slide

View Slide

MOAR REGEX!!1!

View Slide

Bonus Rules!

View Slide

Use HTTPOnly cookie ﬂag
A

View Slide

Implement
Content Security Policy
B

View Slide

Content
Security
Policy

View Slide

View Slide

WHAT DOES IT DO?

View Slide

Same origin policy

View Slide

What can be loaded
and embedded,
and from where?

View Slide

Which origins can be
connected to?

View Slide

Which scripts can be executed
and in which context?

View Slide

HOW DOES
IT WORK?

View Slide

Response header

View Slide

Content-Security-Policy: script-src 'self'
Header name
X-WebKit-CSP
X-Content-Security-Policy
IE > 9 < ?
Webkit < 6.1

View Slide

Directive

View Slide

Attribute (source)

View Slide

Content-Security-Policy: [DIRECTIVE A]; [DIRECTIVE B]

View Slide

Content-Security-Policy: script-src 'self' ↵
https://apis.google.com
Multiple sources

View Slide

class CSP
def initialize(app, options={})
@app = app
end
def call(env)
status, headers, body = @app.call(env)
response = Rack::Response.new body, status, headers
response['Content-Security-Policy'] = "script-src 'self'"
response.finish
end
end

View Slide

Directives

View Slide

default-src
!
Default source for all directives

View Slide

connect-src
!
Connections via XHR, WebSockets and EventSource

View Slide

font-src
!
Origins of web fonts

View Slide

frame-src
!
Origins embeddable via frames

View Slide

img-src
!
Origins of images

View Slide

media-src
!
Origins for audio and video

View Slide

object-src
!
Origins of Flash and other plugins

View Slide

style-src
!
Origins of stylesheets

View Slide

Sandboxing

View Slide

sandbox
!
Load page as loaded into iframe with “sandbox” attribute

View Slide

Sources

View Slide

'none'
!
Match nothing

View Slide

View Slide

'self'
!
Only current origin

View Slide

http://example.com:80
!
Servers

View Slide

http:
*://example.com:*
!
Wildcards

View Slide

Script execution
(Source)

View Slide

'unsafe-inline'
!
Execute inline javascript

View Slide

'unsafe-eval'
!
Eval is evil

View Slide

setTimeout("alert('XSS')", 10);

View Slide

var xss = new Function("alert('XSS');");
xss();

View Slide

Reporting

View Slide

report-uri
!
Endpoint for POST requests with JSON payload

View Slide

Content-Security-Policy: report-uri /csp_report

View Slide

{
"csp-report": {
"document-uri": "...",
"referrer": "...",
"blocked-uri": "...",
"violated-directive": "...",
"original-policy": "...",
}
}

View Slide

class CSPReporter
def call(env)
report_data = JSON.parse(env['rack.input'].read)
report_data = report_data['csp-report']
if report_data
Logger.new(‘logs/csp_report.log’).warn(
format_report(report_data)
)
end
end
private
def format_report(data)
# ...
end
end

View Slide

map '/csp_report' do
run CSPReporter.new
end

View Slide

Reporting ONLY

View Slide

Content-Security-Policy-Report-Only: […]

View Slide

CAN I USE IT?

View Slide

http://caniuse.com
Can I use it?

View Slide

RUBY GEMS

View Slide

twitter/secureheaders
!
p0deje/content-security-policy

View Slide

default: &default
scope: "*"
directives:
- scripts: self https://google.com
!
report:
<directives:
- report_uri: /csp_report

View Slide

View Slide

THANKS!
@polarblau

View Slide

A primer on Content Security Policy

A primer on Content Security Policy

Florian Plank

More Decks by Florian Plank

Other Decks in Programming

Featured

Transcript