Session from Confoo 2019 in Montréal

1. @chwenz
Christian Wenz
CONFOO 2019
10X More Secure with
Content Security Policy

2. Same Origin Policy
http://example.com:80/page.php
http://example.com/script.js
https://code.jquery.com/
jquery-x.y.z.min.js
Protocol
Domain
Port
http://example.com:80/page.php

3. A policy language used to declare a set of content
restrictions for a web resource
Content Security Policy

4. Content Security Policy 1.0
https://www.w3.org/TR/CSP1/
W3C Working Group Note, 19 Feb 2015
Content Security Policy Level 2
https://www.w3.org/TR/CSP2/
W3C Recommendation, 15 Dec 2016
Content Security Policy Level 3
https://www.w3.org/TR/CSP3/
W3C Working Draft, 15 Oct 2016
Content Security Policy Versions

5. Demo
Our Enterprise Application

6. Content-Security-Policy:
default-src
'self';
 HTTP header name
 Directive
 Value

7. Directives
default-src
script-src object-src style-src img-src
media-src frame-src font-src connect-src
report-uri

8. http://www.example.com:80http:
'unsafe-eval''unsafe-inline''self'
Directive Values

9. Demo
Directives in action

10. Effects on JavaScript Code
Inline JavaScript code
JavaScript code from external domains
JavaScript code that uses eval()

11. script-src 'self' 'nonce-abc123' script-src 'self' 'sha256-
6e11c72f7cf6bc383152dd16ddd5903aba6b
b1c99d6b6639a4bb0b838185fa92'
Re-Enabeling Inline

12. script-srchttps://connect.facebook.nethttps://cm.g.doubleclick.nethttps://ssl.google-analytics.comhttps://graph.facebook.comhttps://twitter.com'unsafe-eval'https://*.twimg.com
https://api.twitter.com'nonce-u84pe27B+YIJtQbHZZr8Dw=='https://analytics.twitter.comhttps://publish.twitter.comhttps://ton.twitter.comhttps://syndication.twitter.com
https://www.google.comhttps://t.tellapart.comhttps://platform.twitter.comhttps://www.google-analytics.com'self';frame-ancestors'self';font-srchttps://twitter.comhttps://*.twimg.comdata:
https://ton.twitter.comhttps://fonts.gstatic.comhttps://maxcdn.bootstrapcdn.comhttps://netdna.bootstrapcdn.com'self';media-srchttps://twitter.comhttps://*.twimg.comhttps://ton.twitter.com
blob:'self';connect-srchttps://graph.facebook.comhttps://*.giphy.comhttps://*.twimg.comhttps://api.twitter.comhttps://pay.twitter.comhttps://analytics.twitter.comhttps://*.twprobe.net
https://media.riffsy.comhttps://embed.periscope.tvhttps://upload.twitter.com'self';style-srchttps://fonts.googleapis.comhttps://twitter.comhttps://*.twimg.comhttps://translate.googleapis.com
https://ton.twitter.com'unsafe-inline'https://platform.twitter.comhttps://maxcdn.bootstrapcdn.comhttps://netdna.bootstrapcdn.com'self';object-srchttps://twitter.comhttps://pbs.twimg.com;
default-src'self';frame-srchttps://staticxx.facebook.comhttps://twitter.comhttps://*.twimg.comhttps://5415703.fls.doubleclick.nethttps://player.vimeo.comhttps://pay.twitter.com
https://www.facebook.comhttps://ton.twitter.comhttps://syndication.twitter.comhttps://vine.co twitter:https://www.youtube.comhttps://platform.twitter.comhttps://upload.twitter.com
https://s-static.ak.facebook.comhttps://4337974.fls.doubleclick.net'self'https://donate.twitter.com;img-srchttps://graph.facebook.comhttps://*.giphy.comhttps://twitter.comhttps://*.twimg.com
https://ad.doubleclick.netdata:https://lumiere-a.akamaihd.nethttps://fbcdn-profile-a.akamaihd.nethttps://www.facebook.comhttps://ton.twitter.comhttps://*.fbcdn.net
https://syndication.twitter.comhttps://media.riffsy.comhttps://www.google.comhttps://stats.g.doubleclick.nethttps://api.mapbox.comhttps://www.google-analytics.comblob:'self';report-uri
https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
Twitter´s Content Security Policy
script-srchttps://connect.facebook.nethttps://cm.g.doubleclick.nethttps://ssl.google-analytics.comhttps://graph.facebook.comhttps://twitter.com'unsafe-eval'https://*.twimg.com
https://api.twitter.com'nonce-u84pe27B+YIJtQbHZZr8Dw=='https://analytics.twitter.comhttps://publish.twitter.comhttps://ton.twitter.comhttps://syndication.twitter.com
https://www.google.comhttps://t.tellapart.comhttps://platform.twitter.comhttps://www.google-analytics.com'self';frame-ancestors'self';font-srchttps://twitter.comhttps://*.twimg.comdata:
https://ton.twitter.comhttps://fonts.gstatic.comhttps://maxcdn.bootstrapcdn.comhttps://netdna.bootstrapcdn.com'self';media-srchttps://twitter.comhttps://*.twimg.comhttps://ton.twitter.com
blob:'self';connect-srchttps://graph.facebook.comhttps://*.giphy.comhttps://*.twimg.comhttps://api.twitter.comhttps://pay.twitter.comhttps://analytics.twitter.comhttps://*.twprobe.net
https://media.riffsy.comhttps://embed.periscope.tvhttps://upload.twitter.com'self';style-srchttps://fonts.googleapis.comhttps://twitter.comhttps://*.twimg.comhttps://translate.googleapis.com
https://ton.twitter.com'unsafe-inline'https://platform.twitter.comhttps://maxcdn.bootstrapcdn.comhttps://netdna.bootstrapcdn.com'self';object-srchttps://twitter.comhttps://pbs.twimg.com;
default-src'self';frame-srchttps://staticxx.facebook.comhttps://twitter.comhttps://*.twimg.comhttps://5415703.fls.doubleclick.nethttps://player.vimeo.comhttps://pay.twitter.com
https://www.facebook.comhttps://ton.twitter.comhttps://syndication.twitter.comhttps://vine.co twitter:https://www.youtube.comhttps://platform.twitter.comhttps://upload.twitter.com
https://s-static.ak.facebook.comhttps://4337974.fls.doubleclick.net'self'https://donate.twitter.com;img-srchttps://graph.facebook.comhttps://*.giphy.comhttps://twitter.comhttps://*.twimg.com
https://ad.doubleclick.netdata:https://lumiere-a.akamaihd.nethttps://fbcdn-profile-a.akamaihd.nethttps://www.facebook.comhttps://ton.twitter.comhttps://*.fbcdn.net
https://syndication.twitter.comhttps://media.riffsy.comhttps://www.google.comhttps://stats.g.doubleclick.nethttps://api.mapbox.comhttps://www.google-analytics.comblob:'self';report-uri
https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
script-srchttps://connect.facebook.nethttps://cm.g.doubleclick.nethttps://ssl.google-analytics.comhttps://graph.facebook.comhttps://twitter.com'unsafe-eval'https://*.twimg.com
https://api.twitter.com'nonce-u84pe27B+YIJtQbHZZr8Dw=='https://analytics.twitter.comhttps://publish.twitter.comhttps://ton.twitter.comhttps://syndication.twitter.com
https://www.google.comhttps://t.tellapart.comhttps://platform.twitter.comhttps://www.google-analytics.com'self';frame-ancestors'self';font-srchttps://twitter.comhttps://*.twimg.comdata:
https://ton.twitter.comhttps://fonts.gstatic.comhttps://maxcdn.bootstrapcdn.comhttps://netdna.bootstrapcdn.com'self';media-srchttps://twitter.comhttps://*.twimg.comhttps://ton.twitter.com
blob:'self';connect-srchttps://graph.facebook.comhttps://*.giphy.comhttps://*.twimg.comhttps://api.twitter.comhttps://pay.twitter.comhttps://analytics.twitter.comhttps://*.twprobe.net
https://media.riffsy.comhttps://embed.periscope.tvhttps://upload.twitter.com'self';style-srchttps://fonts.googleapis.comhttps://twitter.comhttps://*.twimg.comhttps://translate.googleapis.com
https://ton.twitter.com'unsafe-inline'https://platform.twitter.comhttps://maxcdn.bootstrapcdn.comhttps://netdna.bootstrapcdn.com'self';object-srchttps://twitter.comhttps://pbs.twimg.com;
default-src'self';frame-srchttps://staticxx.facebook.comhttps://twitter.comhttps://*.twimg.comhttps://5415703.fls.doubleclick.nethttps://player.vimeo.comhttps://pay.twitter.com
https://www.facebook.comhttps://ton.twitter.comhttps://syndication.twitter.comhttps://vine.co twitter:https://www.youtube.comhttps://platform.twitter.comhttps://upload.twitter.com
https://s-static.ak.facebook.comhttps://4337974.fls.doubleclick.net'self'https://donate.twitter.com;img-srchttps://graph.facebook.comhttps://*.giphy.comhttps://twitter.comhttps://*.twimg.com
https://ad.doubleclick.netdata:https://lumiere-a.akamaihd.nethttps://fbcdn-profile-a.akamaihd.nethttps://www.facebook.comhttps://ton.twitter.comhttps://*.fbcdn.net
https://syndication.twitter.comhttps://media.riffsy.comhttps://www.google.comhttps://stats.g.doubleclick.nethttps://api.mapbox.comhttps://www.google-analytics.comblob:'self';report-uri
https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

13. “The Content-Security-Policy-Report-Only
header field lets servers experiment with
policies by monitoring (rather than
enforcing) a policy.”
Content Security Policy Level 2 W3C Recommendation

14. CSP Bypass
Loading content from a CSP-listed domain
Create an iframe, load an external script
Tricking the XSS Auditor in Edge (fixed!)

15. @chwenz
info@christianwenz.de
Thank You!