This document discusses defeating cross-site scripting (XSS) attacks through Content Security Policy (CSP). CSP allows website owners to restrict resources the browser is allowed to load, such as scripts, styles, fonts, and frames. To implement CSP, website owners add special HTTP headers that define the policy and restrict what code and resources can be loaded. Preparing a site for CSP involves eliminating inline scripts and styles, removing JavaScript URIs, and adding the CSP headers. CSP is not a replacement for proper cross-site scripting prevention but acts as an additional layer of defense.

1. Defeating cross-site scripting
with Content Security Policy
Francois Marier <francois@catalyst.net.nz>

2. what is a cross-site scripting
(aka “XSS”) attack?

7. preventing XSS attacks

8. print <<<EOF
<html>
<h1>$title</h1>
</html>
EOF;

9. $title = escape($title);
print <<<EOF
<html>
<h1>$title</h1>
</html>
EOF;

10. templating system

11. page.tpl:
<html>
<h1>{title}</h1>
</html>
page.php:
render(“page.tpl”, $title);

12. auto-escaping turned ON

13. page.tpl:
<html>
<h1>{title|raw}</h1>
</html>
page.php:
render(“page.tpl”, $title);

14. auto-escaping turned ON
!=
escaping always ON

15. the real problem:
browser default = allow all

17. a way to get the browser
to enforce the restrictions
you want on your site

18. $ curl --head https://www.libravatar.org/
X-Content-Security-Policy:
default-src 'self' ;
img-src 'self' data

19. $ curl --head
https://www.libravatar.org/account/login/
X-Content-Security-Policy:
default-src 'self' ;
img-src 'self' data ;
frame-src 'self'
https://browserid.org ;
script-src 'self'
https://browserid.org

20. $ curl --head http://fmarier.org/
X-Content-Security-Policy:
default-src 'none' ;
img-src 'self' ;
style-src 'self' ;
font-src 'self'

21. <object>
<script>
<style>
<img>
<audio> & <video>
<frame> & <iframe>
<font>
WebSocket & XMLHttpRequest

22. >= 4 >= 13 >= 5 >= 10

23. what does a CSP-enabled
website look like?

26. unless explicitly allowed by your policy
inline scripts are not executed

29. unless explicitly allowed by your policy
external resources are not loaded

30. preparing your website for CSP
(aka things you can do today)

31. eliminate inline scripts and styles

32. <script>
do_stuff();
</script>

33. <script src=”do_stuff.js”>
</script>

34. eliminate javascript: URIs

35. <a href=”javascript:go()”>
Go!
</a>

36. <a id=”go-button” href=”#”>
Go!
</a>
var button =
document.getElementById('go-button');
button.onclick = go;

37. add headers in web server config

38. <Location /some/page>
Header set X-Content-Security-Policy
"default-src 'self' ;
script-src 'self' http://example.org"
</Location>

39. not a replacement for
proper XSS hygiene

40. great tool to increase the
depth of your defenses

41. Spec:
http://www.w3.org/TR/CSP/
HOWTO:
https://developer.mozilla.org/en/Security/CSP
fmarier fmarier
Copyright © 2012 François Marier
Released under the terms of the Creative Commons
Attribution Share Alike 3.0 Unported Licence

42. Credits:
Biohazard wallpaper: http://www.flickr.com/photos/rockyx/4273385120/
Under Construction: https://secure.flickr.com/photos/aguichard/6864586905/