(Content Security Policy)
- tricks to save your reputation and improve resilience -
Teofil Cojocariu (the brain)
Bogdan Oniga (the experimenter)
Lucian Corlan (the guy convincing the other 2 to showcase this)
2. What is Content Security Policy?
•An HTTP Header (+meta tag)
•Allows you to block what an application loads, connects to or
executes (e.g. restrict domains from which content is being
loaded and what it does)
•Blocking a wide range of attacks – Content Injection attacks
•Untested… "Upgrade Insecure Requests" CSP can be used to
automatically upgrade insecure requests to a secure alternative
before a browser fetches them
•Used successfully by businesses (e.g. Facebook, Twitter, PayPal,
GitHub… and even some darker sites ☺)
•CSP Report Only! – focus of this presentation..
3. History of CSP & Browsers Support
•Started at Mozilla and grown into own W3C specification
•v1.0 – Browsers support is very good, but the exception is IE, of course :x
•v2.0 – changes some directives, adds SecurityPolicyViolationEvent
•v3.0 – draft 2 days ago – “rewritten from the ground up in terms of
the [FETCH] specification – e.g. child-src, script-src”
4. What is CSP Report Only?CSP, but without blocking anything - this only reports information to an endpoint.
# Content-Security-Policy-Report-Only: default-src 'self' data: https://ajax.googleapis.com; report-uri
POST https://csplocal.betfair/?csp HTTP/1.1
"original-policy": "default-src 'self' data: https://ajax.googleapis.com; report-uri https://csplocal.betfair/?csp;",
"violated-directive": "frame-src https:"
document-uri - where error occurred
referrer - referrer
blocked-uri - the actually problem
violated-directive - what happen
source-file - where error occurred (file)
script-sample - sample of injected script
5. How is the content restricted?
•By Source: 'none', 'self', specific hostnames, *
• unsafe-inline (script-src & style-src only)
• unsafe-eval (script-src only)
•No string-to-code functions or in-line scripts.
•Bug: CSP does not block cross-domain applets with
object-src 'self‘ Details here:
6. Problems with restrictions?
•Remove patterns from the code that were banned by
•Third Party Scripts: can you host all resources?..
7. What we are trying to do?
•Report against mixed-content
•New XSS protection at browser level
•Protection against XSS in DOM (Mutation XSS) (devil)
•Protection against injection of unknown scripts/resources
Content-Security-Policy-Report-Only: default-src https:;script-src
•There is no other way to get all mixed-content and security
will work only with some applications and it's hard to inject JS
anyway without breaking stuff)
•Don't push CSP to production directly, use CSP Report Only
first!.. (although some xxx sites are mature enough and do! ☺)
•Don't rely on CSP to protect the application against XSS
•Doesn't matter what backend you run (Java, PHP, ASP and so
•Demo CSP: Generate Header
•Demo CSP Report Only
•Push to production? Report Only!
Others on the topic: