Content Security Policy featuring ember.js
Ryan LaBouve
A look at content security policy (with examples in Emberjs)
1. Content Security Policy featuring ember.js
2. WHOAMI: Ryan LaBouve (@ryanlabouve)
3.
4. HOLYARCHERS
5. RyanLaBouve.com
6. Thinking about a new side-project
7. Fire up `ember new`
8. (wait on NPM and Bower)
9. `ember serve`
10. Sparkling new project!
11. But wait!?!?
12. ENTER CSP. Content-Security-Policy: 'take-that.xss'
13.
13. What is Content Security Policy?
14. An XSS mitigation strategy using a whitelist-based approach.
15. What is XSS? People trying to execute malicious (usually) JavaScript on your page.
16. How does CSP help? You deliver a policy via an HTTP header with information about what is allowed to execute on your site.
17. CSP in the wild: when we request a webpage, we get a response that has a header and a body.
18. Response body: has the HTML/CSS/JS.
19. Response header: has various metadata.
20. CSP in the wild
21. How to implement and customize CSP
22. A series of directives
23. default-src, script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src (script-src is the key directive for blocking scripting)
24. Each is attached to HTML elements:
25. Directive to element mapping:
   - script-src: <script>
   - object-src: <object>, <embed>
   - style-src: <link rel="stylesheet">, <style>
   - img-src: <img>, images in CSS
   - media-src: <audio>, <video>
   - frame-src: <iframe>, <frame>
   - font-src: @font-face
   - connect-src: XMLHttpRequest, JS APIs
26. Values to describe a policy: 'self', 'none', *, 'unsafe-inline', 'unsafe-eval', example.url.com
27. About the values: sources are space-delimited and a semicolon ends each directive, to match HTTP header syntax.
28. 'self': anything you're including locally (from your own origin).
29. 'unsafe-inline': anything happening inline in your content. Better to "separate code and data". This includes inline event handlers.
30. 'unsafe-eval': setTimeout, eval. Not as big a deal as 'unsafe-inline'.
31. Custom templates: not executing, no problem.
32. Other values: * (anything goes), 'none' (nothing goes), url (can specify ports, protocols, wildcards, etc.). See http://content-security-policy.com/
33.
33. A few quick examples:
34. Serve nothing at all
35. Serve everything ever
36. Only serve local assets ... a good starting spot
37. Build up slowly as needed
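The directive syntax from slides 22 to 32 and the three quick examples from slides 33 to 37, as an added example that is not code from the slides: it serialises a directive map into header syntax, picks the enforce or report-only header name, and checks which origins a policy would allow (with the default-src fallback browsers apply). Plain Node.js with no dependencies; the origins, the `/csp-report` path and the simplified source matching (keywords, exact origins, a leading `*.` host wildcard) are assumptions for the example.

```javascript
// Added example, not code from the slides: build a CSP header from a map of
// directives and check which origins it would allow.  Plain Node.js, no
// dependencies; every origin below is a constructed sample value.

// Serialize a directive map into header syntax: sources are space-delimited
// and a semicolon separates directives.
function serializePolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Pick the header name: enforce, or report-only with a callback URL.
function cspHeader(directives, { reportOnly = false, reportUri = null } = {}) {
  const withReport = reportUri ? { ...directives, "report-uri": [reportUri] } : directives;
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: serializePolicy(withReport),
  };
}

// The three "quick examples" from the slides.
const SERVE_NOTHING = { "default-src": ["'none'"] };
const SERVE_EVERYTHING = { "default-src": ["*", "'unsafe-inline'", "'unsafe-eval'"] };
const LOCAL_ONLY = { "default-src": ["'self'"] };

// Does one source expression match the origin a resource is loaded from?
// Simplified matching (assumption): keywords, exact origins and a leading
// "*." host wildcard; scheme-less hosts must use the page's own scheme.
function sourceMatches(expr, origin, pageOrigin) {
  if (expr === "*") return true;
  if (expr === "'self'") return origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval' match no URL
  const target = new URL(origin);
  if (expr.includes("://")) return new URL(expr).origin === target.origin;
  if (target.protocol !== new URL(pageOrigin).protocol) return false;
  if (expr.startsWith("*.")) return target.hostname.endsWith(expr.slice(1));
  return target.hostname === expr;
}

// Resolve the directive (falling back to default-src, as browsers do) and
// test every source expression listed for it.
function isAllowed(directives, directive, origin, pageOrigin) {
  const sources = directives[directive] ?? directives["default-src"] ?? [];
  return sources.some((expr) => sourceMatches(expr, origin, pageOrigin));
}

// Stand-alone demo: LOCAL_ONLY built up slowly by allowing one CDN for scripts.
const PAGE = "https://app.example.com";
const policy = { ...LOCAL_ONLY, "script-src": ["'self'", "https://cdn.example.com"] };
console.log(cspHeader(policy, { reportOnly: true, reportUri: "/csp-report" }));
console.log(isAllowed(policy, "script-src", "https://cdn.example.com", PAGE)); // true
console.log(isAllowed(policy, "img-src", "https://cdn.example.com", PAGE));    // false
```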
38.
38. Focus on script-src ... especially if you're worried mostly about XSS
39. Mitigate XSS ... a more complete plan:
   - move inline script out-of-line
   - remove inline event handlers
   - remove use of eval and friends (not as big a deal)
   - add the script-src directive
40. Options for enforcing: report only, callback URL, block
41. Wanna try it out? Try report-only mode and tweak as you go.
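The report-only workflow from slides 39 to 41, as an added example that is not code from the slides: it parses the JSON violation reports a browser POSTs to the report-uri callback and splits them into external origins you might whitelist and the inline/eval uses the plan says to remove from the app instead. Plain Node.js; the reports are constructed samples in the standard `csp-report` shape, and the `inline`/`eval` blocked-uri values are the form Chrome-style reports use.

```javascript
// Added example, not code from the slides: triage CSP violation reports
// collected while the policy runs in report-only mode.  Plain Node.js; the
// reports below are constructed samples, not captured traffic.

// Normalise one report into { directive, source, kind }.  Older reports lack
// effective-directive, so fall back to the first token of violated-directive.
function parseViolation(json) {
  const r = JSON.parse(json)["csp-report"];
  const directive = r["effective-directive"] || r["violated-directive"].split(" ")[0];
  const blocked = r["blocked-uri"] || "";
  if (blocked === "inline") return { directive, source: "'unsafe-inline'", kind: "inline" };
  if (blocked === "eval") return { directive, source: "'unsafe-eval'", kind: "eval" };
  // A URL: keep only its origin, which is what a source expression names.
  let source;
  try { source = new URL(blocked).origin; } catch { source = blocked; }
  return { directive, source, kind: "url" };
}

// Aggregate many reports: count each (directive, source) pair, then separate
// origins you could whitelist from inline/eval uses to fix in the app.
function summarise(reports) {
  const counts = new Map();
  for (const json of reports) {
    const v = parseViolation(json);
    const key = `${v.directive} ${v.source}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const whitelistCandidates = [];
  const fixInApp = [];
  for (const [key, count] of counts) {
    const [directive, source] = key.split(" ");
    const entry = { directive, source, count };
    (source.startsWith("'unsafe-") ? fixInApp : whitelistCandidates).push(entry);
  }
  return { whitelistCandidates, fixInApp };
}

// Build a constructed sample report in the shape a browser POSTs to report-uri.
function sampleReport(effective, violated, blocked) {
  return JSON.stringify({ "csp-report": {
    "document-uri": "https://app.example.com/", "violated-directive": violated,
    "effective-directive": effective, "blocked-uri": blocked, "status-code": 200 } });
}

const SAMPLE_REPORTS = [
  sampleReport("script-src", "script-src 'self'", "https://cdn.example.com/lib.js"),
  sampleReport("script-src", "script-src 'self'", "https://cdn.example.com/other.js"),
  sampleReport(undefined, "script-src 'self'", "inline"), // old-style report, no effective-directive
  sampleReport("img-src", "default-src 'self'", "https://images.example.net/a.png"),
  sampleReport("script-src", "script-src 'self'", "eval"),
];

// Stand-alone demo: what you would have to relax, and what to fix instead.
const SUMMARY = summarise(SAMPLE_REPORTS);
console.log(JSON.stringify(SUMMARY, null, 2));
```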
42.
42. Browser compatibility issues
43. Resources:
   - http://www.html5rocks.com/en/tutorials/security/content-security-policy/
   - https://developer.chrome.com/extensions/contentSecurityPolicy
   - http://en.wikipedia.org/wiki/Content_Security_Policy
   - https://www.youtube.com/watch?v=pocsv39pNXA
   - https://blog.justinbull.ca/ember-cli-and-content-security-policy-csp/