Content Security Policy (CSP) is a new addition to the web platform that promises to mitigate the risk of XSS attacks by giving admins control over the data and code allowed to run on their site. It adds another layer to a website's defenses: browser-enforced restrictions against external resources or unauthorized scripting. An extra response header instructs browsers to enforce a policy. Using it involves deciding which policies you want to enforce, then configuring them and using X-Content-Security-Policy to establish your policy.
CSP is best used as defense-in-depth. It is a declarative policy that lets admins inform the client about the sources from which the application expects to load resources. To mitigate XSS, an application can declare that it only expects scripts from trusted sources, which allows the client to detect and block malicious scripts injected into the application by an attacker.
A non-trivial amount of work is often required to apply CSP to an existing web application: all inline scripts and styles must be moved out-of-line.
An application opts into CSP by supplying a Content-Security-Policy HTTP header. To supply a policy for an entire site, the server needs to send a policy with each resource representation.
You can use the X-Content-Security-Policy HTTP header to specify your policy, like this: X-Content-Security-Policy: policy. The policy is a string containing the policy directives that describe your Content Security Policy.
Common scenarios when writing your security policy
Allow all content to come from the site's own domain, excluding even subdomains: X-Content-Security-Policy: default-src 'self'. Allow content from a trusted domain and all its subdomains: X-Content-Security-Policy: default-src 'self' *.mydomain.com
Allow users of a web application to include images from any domain in their custom content, but restrict audio or video media to trusted providers only, and all scripts to a specific server that hosts trusted code: X-Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com. Content is only permitted from the document's original host, with the following exceptions: images may be loaded from anywhere (note the "*" wildcard); media is only allowed from media1.com and media2.com (and not from subdomains of those sites); executable script is only allowed from userscripts.example.com (note that script-src replaces, rather than extends, the default-src list for scripts, so the site's own origin is not included).
The server delivers the policy to the user agent via an HTTP response header. Content-Security-Policy header field: the Content-Security-Policy header field is the preferred mechanism for delivering a CSP policy. "Content-Security-Policy:" 1#policy. A server may send more than one HTTP header field named Content-Security-Policy with a given resource representation, and may send different Content-Security-Policy header field values with different representations of the same resource or with different resources. When receiving an HTTP response containing at least one Content-Security-Policy header field, the user agent enforces each of the policies contained in each such header field.
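The following Python script is an added example, not code from the notes or from any browser or specification; it shows how a client-side policy check for the scenarios above plays out: parsing a policy string into directives, applying the fallback from a missing fetch directive to default-src, matching the source expressions 'self', '*', a plain host, and a *.host wildcard, and finally enforcing several Content-Security-Policy header values at once so that a load must be permitted by every policy. The matcher is deliberately simplified (assumed for this example: host-sources carry no port or path, a host-source without a scheme must match the document's scheme, and 'unsafe-inline' and nonces are not modelled); the policies and URLs are constructed.

```python
from urllib.parse import urlparse

# Constructed policies: the two scenarios described in the notes above.
POLICY_SAME_ORIGIN = "default-src 'self'"
POLICY_MIXED = ("default-src 'self'; img-src *; "
                "media-src media1.com media2.com; "
                "script-src userscripts.example.com")

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "media-src",
                       "font-src", "connect-src", "object-src", "frame-src"}


def parse_policy(policy):
    """Split a policy string into {directive name: [source expressions]}.
    Directives are ';'-separated; the first occurrence of a name wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def source_matches(expr, resource, document):
    """Does one source expression permit loading `resource` into `document`?"""
    r, d = urlparse(resource), urlparse(document)
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        # Same origin: scheme, host and port must all agree.
        return (r.scheme, r.hostname, r.port) == (d.scheme, d.hostname, d.port)
    # host-source, optionally prefixed with a scheme, optionally wildcarded.
    scheme, _, host = expr.rpartition("://")
    if scheme:
        if r.scheme != scheme:
            return False
    elif r.scheme != d.scheme:
        return False  # assumption: no scheme given -> document's scheme
    if host.startswith("*."):
        # "*.mydomain.com" matches subdomains only, not mydomain.com itself.
        return r.hostname is not None and r.hostname.endswith(host[1:])
    return r.hostname == host


def resource_allowed(policy, directive, resource, document):
    """Evaluate a single policy for one fetch (e.g. 'img-src')."""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True  # nothing governs this fetch, so it is unrestricted
    return any(source_matches(e, resource, document) for e in sources)


def allowed_by_all(policies, directive, resource, document):
    """Several Content-Security-Policy header fields are all enforced,
    so a load must be permitted by each policy, not just one."""
    return all(resource_allowed(p, directive, resource, document)
               for p in policies)


if __name__ == "__main__":
    doc = "https://www.example.com/page"  # constructed document URL
    checks = [
        ("img-src", "https://cdn.anything.net/a.png"),
        ("media-src", "https://media1.com/clip.mp4"),
        ("media-src", "https://sub.media1.com/clip.mp4"),
        ("script-src", "https://userscripts.example.com/u.js"),
        ("script-src", "https://www.example.com/own.js"),
        ("style-src", "https://www.example.com/site.css"),
    ]
    for directive, url in checks:
        print(f"{directive:10} {url:45} "
              f"{'allow' if resource_allowed(POLICY_MIXED, directive, url, doc) else 'BLOCK'}")
    print("two headers, img from CDN:",
          allowed_by_all([POLICY_MIXED, POLICY_SAME_ORIGIN], "img-src",
                         "https://cdn.anything.net/a.png", doc))
```

Running the script lists which of the constructed loads the mixed policy permits; the last line shows that adding a second, stricter header blocks the CDN image even though the first policy allowed it, which is why auditing a site's CSP must consider every Content-Security-Policy header the server emits, not only the first one.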