16. How CSP helps?
Deliver the policy via an HTTP response header that tells
the browser what is allowed to load and execute
on your site; anything the policy does not allow is blocked.
17. When we request a webpage, we get a response
that has headers and a body; the CSP policy rides along as one of those headers.
CSP in the wild
25. script-src   <script>
object-src   <object>, <embed>
style-src    <link rel="stylesheet">, <style>
img-src      <img>, images in CSS
media-src    <audio>, <video>
frame-src    <iframe>, <frame>
font-src     @font-face
connect-src  XMLHttpRequest, fetch, WebSocket and other JS network APIs
32. Other Values
*       Anything Goes (any http(s) host; inline script, eval and data:/blob: URLs are still blocked)
'none'  Nothing Goes (the single quotes are part of the keyword)
url     a scheme, host or host pattern, optionally with a port or path,
        e.g. https:, *.example.com, https://cdn.example.com:8443/js/
http://content-security-policy.com/
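How the directives on slide 25 and the source values on slide 32 combine is easiest to see by evaluating a policy by hand. The following is an added example, not code from the slide deck: a small CSP parser and source-expression matcher that covers 'self', 'none', *, scheme sources such as data:, and host sources with wildcard hosts, ports and paths, with fetch directives falling back to default-src. The policy, page URL and resource URLs are constructed for illustration, and the matcher simplifies a few corners of the CSP3 algorithm (no child-src fallback for frame-src, no automatic http to https upgrade for schemeless hosts).

```javascript
// Added example (not from the slide deck): CSP policy parser and matcher.
// Policy, page and resource URLs below are constructed for illustration.

// Default ports, used when a source expression omits the port part.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Fetch directives that fall back to default-src when absent. (CSP3 also
// routes frame-src through child-src first; omitted here for brevity.)
const FETCH_DIRECTIVES = new Set([
  'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src',
]);

// "directive src src; directive src ..." -> Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers keep the first occurrence of a directive and ignore repeats.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Host part of a host-source: exact, bare "*", or "*.example.org"
// (matches subdomains only, not example.org itself).
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return hostname.endsWith(pattern.slice(1));
  return pattern === hostname;
}

// Does one source expression allow `url` for a page at `page`?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') {
    // '*' covers network schemes (and the page's own scheme), never data:/blob:.
    return url.protocol in DEFAULT_PORTS || url.protocol === page.protocol;
  }
  if (e === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname
      && portOf(url) === portOf(page);
  }
  // Nonces, hashes, 'unsafe-inline', 'unsafe-eval' never match a URL.
  if (e.startsWith("'")) return false;
  // scheme-source such as "https:" or "data:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];
  // No scheme given: the page's scheme is required (simplified from CSP3).
  if (scheme ? url.protocol !== scheme : url.protocol !== page.protocol) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port === undefined) {
    if (portOf(url) !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (port !== '*' && port !== portOf(url)) {
    return false;
  }
  // A path ending in "/" is a prefix; otherwise it must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) {
    return false;
  }
  return true;
}

// Is `resource` allowed by `directive` under `policy`, for a page at `pageUrl`?
function isAllowed(policy, directive, resource, pageUrl) {
  let sources = policy.get(directive);
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) sources = policy.get('default-src');
  if (sources === undefined) return true; // directive unrestricted
  const page = new URL(pageUrl);
  const url = new URL(resource, pageUrl); // resolves relative references
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed policy and page for the checks below.
const EXAMPLE_POLICY = parseCsp(
  "default-src 'self'; script-src 'self' https://cdn.example.com *.example.org:*; "
  + "img-src * data:; object-src 'none'",
);
const PAGE = 'https://shop.example.com/cart';

function check(directive, resource) {
  return isAllowed(EXAMPLE_POLICY, directive, resource, PAGE);
}

for (const [d, r] of [
  ['script-src', '/static/app.js'],
  ['script-src', 'http://cdn.example.com/jquery.js'],
  ['script-src', 'https://static.example.org:8443/widget.js'],
  ['script-src', 'https://example.org/widget.js'],
  ['img-src', 'data:image/png;base64,iVBORw0KGgo='],
  ['object-src', '/player.swf'],
  ['font-src', 'https://fonts.example.net/a.woff2'],
]) console.log(d.padEnd(11), r.padEnd(45), check(d, r) ? 'allowed' : 'BLOCKED');
```

Two results worth noticing: `http://cdn.example.com/jquery.js` is blocked because the source was written with an explicit `https://` scheme, and `https://example.org/widget.js` is blocked because `*.example.org` matches subdomains only. Fonts fall back to `default-src 'self'`, so a third-party font host is blocked until `font-src` says otherwise.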
39. mitigate XSS
...a more complete plan
* move inline script out-of-line into files served from your own origin
* remove inline event handlers (onclick="..." and friends) in favour of addEventListener
* remove use of eval and friends (Function(), setTimeout with a string argument)
(usually a smaller job than the first two)
* add the script-src directive; without 'unsafe-inline' or 'unsafe-eval' it blocks
whatever the first three steps did not clean up, including injected inline script
41. Wanna try it out?
Try report-only mode first: send the policy as
Content-Security-Policy-Report-Only with a report-uri,
so violations are reported but nothing is blocked,
and tweak the policy as you go.
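Report-only mode only helps if you actually look at the reports. The following is an added example, not code from the slide deck, that ties slides 39 and 41 together: it parses the JSON bodies a browser POSTs to the report-uri (Content-Type application/csp-report, body wrapped in "csp-report"), then buckets them by directive and blocked-uri and maps each bucket to the step of the migration plan that fixes it (blocked-uri "inline" means inline script or handlers, "eval" means eval and friends, a URL means a host to allowlist or drop). The page, policy and reports are constructed; report-uri is the CSP Level 2 delivery mechanism, which remains the most widely supported even though CSP3 adds report-to.

```javascript
// Added example (not from the slide deck): triaging CSP violation reports
// collected in report-only mode. All sample data below is constructed.

// Same policy you intend to enforce, but as Report-Only plus a report-uri,
// so the browser tells you what would have been blocked instead of blocking it.
function reportOnlyHeader(policy, reportPath) {
  return {
    name: 'Content-Security-Policy-Report-Only',
    value: `${policy}; report-uri ${reportPath}`,
  };
}

// Parse one report body as the browser POSTs it: {"csp-report": {...}}.
// Returns a normalized record, or null for anything that is not a report.
function parseReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (err) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  // effective-directive names the directive actually applied (script-src even
  // when only default-src was set); violated-directive is the older field.
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
  if (!directive) return null;
  return {
    directive,
    blockedUri: String(r['blocked-uri'] || ''),
    documentUri: String(r['document-uri'] || ''),
    sourceFile: r['source-file'] || null,
    line: r['line-number'] || null,
  };
}

// Map one violation to the step of the plan that fixes it.
function classify(rec) {
  if (rec.blockedUri === 'eval') {
    return 'remove eval and friends (Function(), string setTimeout)';
  }
  if (rec.blockedUri === 'inline') {
    return rec.directive.startsWith('style')
      ? 'move inline <style>/style= into a stylesheet'
      : 'move inline script out-of-line / replace inline handlers with addEventListener';
  }
  let origin;
  try { origin = new URL(rec.blockedUri).origin; } catch (err) { origin = rec.blockedUri; }
  return `add ${origin} to ${rec.directive} if it is legitimate, otherwise drop the reference`;
}

// Group reports by (directive, blocked-uri), most frequent first, with the
// plan step and up to three source locations for each bucket.
function summarize(records) {
  const buckets = new Map();
  for (const rec of records) {
    const key = `${rec.directive} ${rec.blockedUri}`;
    let b = buckets.get(key);
    if (!b) {
      b = { directive: rec.directive, blockedUri: rec.blockedUri, count: 0, action: classify(rec), where: [] };
      buckets.set(key, b);
    }
    b.count += 1;
    if (rec.sourceFile && b.where.length < 3) b.where.push(`${rec.sourceFile}:${rec.line}`);
  }
  return [...buckets.values()].sort((a, b) => b.count - a.count);
}

// Constructed reports, shaped like what a browser sends for a page served
// with "default-src 'self'; report-uri /csp-report" in report-only mode.
function sampleReport(directive, blockedUri, sourceFile, line) {
  return JSON.stringify({ 'csp-report': {
    'document-uri': 'https://shop.example.com/cart',
    'effective-directive': directive,
    'violated-directive': 'default-src',
    'original-policy': "default-src 'self'; report-uri /csp-report",
    'blocked-uri': blockedUri,
    'source-file': sourceFile,
    'line-number': line,
  } });
}
const SAMPLE_BODIES = [
  sampleReport('script-src', 'inline', 'https://shop.example.com/cart', 42),
  sampleReport('script-src', 'inline', 'https://shop.example.com/cart', 57),
  sampleReport('script-src', 'eval', 'https://shop.example.com/static/legacy.js', 310),
  sampleReport('script-src', 'https://tracker.example.net/t.js', 'https://shop.example.com/cart', 12),
  sampleReport('style-src', 'inline', 'https://shop.example.com/cart', 8),
  '<html>not a report</html>', // junk POSTed to the endpoint; must be ignored
];

function triage(bodies) {
  return summarize(bodies.map(parseReport).filter(Boolean));
}

for (const b of triage(SAMPLE_BODIES)) {
  console.log(`${String(b.count).padStart(3)}  ${b.directive.padEnd(10)} ${b.blockedUri.padEnd(34)} -> ${b.action}`);
}
```

The report endpoint should accept POSTs without a CSRF token (the browser sends none), treat every field as untrusted input, and be rate-limited, since anyone can POST arbitrary JSON to it. Once the buckets stop appearing for a release or two, switch the header name from Content-Security-Policy-Report-Only to Content-Security-Policy with the same value.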