Date posted: 16-Jul-2015
Category: Technology
Uploaded by: ryan-labouve
How CSP helps

Deliver the policy via an HTTP header that tells the browser what is allowed to execute on your site.

Directives: default-src, script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src (script-src is the key directive for blocking scripting)
Directive      Controls
script-src     <script>
object-src     <object>, <embed>
style-src      <link rel="stylesheet">, <style>
img-src        <img>, images in CSS
media-src      <audio>, <video>
frame-src      <iframe>, <frame>
font-src       @font-face
connect-src    XMLHttpRequest, JS APIs
Values to Describe Policy
'self'  'none'  *
'unsafe-inline'  'unsafe-eval'
example.url.com
'unsafe-inline' allows anything inline in your content to run (inline <script> blocks and inline styles). Better to "separate code and data": keep script out of the markup. This includes inline event handlers.
Other Values
* — anything goes
'none' — nothing goes
url — can specify ports, protocols, wildcards, etc.
http://content-security-policy.com/
Mitigate XSS … a more complete plan:
* move inline script out-of-line
* remove inline event handlers
* remove use of eval and friends (not as big)
* add the script-src directive
Resources
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
https://developer.chrome.com/extensions/contentSecurityPolicy
http://en.wikipedia.org/wiki/Content_Security_Policy
https://www.youtube.com/watch?v=pocsv39pNXA
https://blog.justinbull.ca/ember-cli-and-content-security-policy-csp/