AVTOKYO2014
HASEMUNEA (Nishimunea & Yosuke HASEGAWA)
Future of Web Security
Opened up by CSP
Nishimunea (Muneaki Nishimura)
Firefox OS Community, Japan
Lecturer of Security Camp 2014
Yosuke HASEGAWA
Shibuya.XSS / utf-8.jp
Lecturer of Security Camp 2014
Content Security Policy (CSP)
• Browser feature to mitigate common attacks, e.g., XSS
• Set Content-Security-Policy header in HTTP responses
• W3C candidate recommendation, as of 2012
• Next generation, CSP Level 2, is under development
Browser Support
• Supported by all major browsers except IE
– IE support is in development for a future release
• Forms of expression (header names)
– Content-Security-Policy : the name in the W3C spec
– X-Content-Security-Policy : for Firefox 4-22, removed in 33
– X-WebKit-CSP : for earlier versions of WebKit
[Figure: browser icons with minimum supported versions: 4+, 4+, 6+, 5+, 25+, 4.4+, N/A]
Syntax
• When you allow sub-resources to be loaded from any origin:
default-src *
• If you allow scripts to be loaded only from jQuery's CDN:
default-src *; script-src https://code.jquery.com
• And if you additionally block all plugins:
default-src *; script-src https://code.jquery.com; object-src 'none'
CSP Directives
default-src Default policy for resources that have no specific policy
script-src Policy for script execution
object-src Policy for plugins
style-src Policy for stylesheets
img-src Policy for image files
media-src Policy for media files, e.g., <audio> and <video>
frame-src Policy for frame contents
font-src Policy for web fonts
connect-src Policy for asynchronous connections, e.g., XMLHttpRequest
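To make the three policies on the Syntax slide and the default-src fall-back from the directive table concrete, here is a small policy evaluator. It is an added example written for this page, not code from the talk; the function names and the simplified host-source matching are my own assumptions.

```python
from urllib.parse import urlsplit

# Fetch directives from the table above; each falls back to default-src when
# it is not set explicitly.
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src"}

def parse_policy(header):
    """Turn a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def is_allowed(policy, directive, resource_url, document_url):
    """Decide whether resource_url may load under `directive` for the given page."""
    if directive not in FETCH_DIRECTIVES:
        raise ValueError(f"unsupported directive: {directive}")
    sources = policy.get(directive)
    if sources is None:            # no specific policy: default-src applies
        sources = policy.get("default-src")
    if sources is None:            # neither set: the policy does not restrict it
        return True
    if sources == ["'none'"]:
        return False
    res_scheme = urlsplit(resource_url).scheme.lower()
    for src in sources:
        if src == "*":
            # As in CSP Level 2, '*' does not match data:, blob: or filesystem:
            if res_scheme not in ("data", "blob", "filesystem"):
                return True
        elif src == "'self'":
            if _origin(resource_url) == _origin(document_url):
                return True
        elif "://" in src:         # host-source with scheme, e.g. https://code.jquery.com
            if _origin(resource_url) == src.rstrip("/").lower():
                return True
        elif urlsplit(resource_url).netloc.lower() == src.lower():
            return True            # bare host-source: host match only (scheme rules simplified)
    return False
```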
CSP Level2 Directives
base-uri Policy for base[href]
form-action Policy for form[action]
plugin-types Policy for executable plugin MIME types
referrer Nearly identical to meta[name=referrer]
frame-ancestors Nearly identical to X-Frame-Options
xss-protection Nearly identical to X-XSS-Protection
child-src Policy for child contents, e.g., frames and workers
sandbox Sandbox that is applied to the document
Violation Report
• If 'report-uri' is set in the CSP, the browser lets the webmaster
know about violations of the CSP, including attack attempts
script-src 'self'; report-uri report.php
• The report includes some details of the violation.
With them, the webmaster can find its cause
{"csp-report":{
"original-policy":"script-src 'self'; report-uri report.php",
"script-sample":"alert(1);",
"source-file":"http://example.com/login.php" }}
Abusing CSP Violation Report
• Some fields of a report can carry HTML tags
that are not properly escaped
• Or, with a proxy tool, an attacker can send malformed reports to
the webmaster's console
{"csp-report":{
"document-uri":"http://%3Cauth@example.com/%3Cpath/?q=%3Cquery",
"referrer":"http://example.com/redirector/%3Cpath/?q=%3Cquery",
"blocked-uri":"data:text/html,<script>alert(1)</script>",
"script-sample":"javascript:alert('<script>alert(1);</script>')" }}
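The report handler below is an added example, not the talk's report.php: it parses a csp-report body and makes every field safe before it reaches the webmaster's console, suppressing non-http(s) and userinfo-bearing URIs and HTML-escaping whatever is kept. Field names come from the reports on the slides; the allow-list, length caps and marker strings are my assumptions, and the sample report is constructed from the slide above.

```python
import html
import json
from urllib.parse import urlsplit

URI_FIELDS = ("document-uri", "referrer", "blocked-uri", "source-file")
TEXT_FIELDS = ("original-policy", "script-sample")
MAX_TEXT = 40                       # keep script-sample short; it is attacker-chosen
SAFE_URI_SCHEMES = {"http", "https"}

# Constructed report, adapted from the "Abusing CSP Violation Report" slide.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://%3Cauth@example.com/%3Cpath/?q=%3Cquery",
    "referrer": "http://example.com/redirector/%3Cpath/?q=%3Cquery",
    "blocked-uri": "data:text/html,<script>alert(1)</script>",
    "script-sample": "javascript:alert('<script>alert(1);</script>')",
    "original-policy": "script-src 'self'; report-uri report.php"}})

def normalize_uri(value):
    """Return a display-safe URI string; never hand the raw value to the console."""
    if not isinstance(value, str):
        return "[invalid URI field]"
    parts = urlsplit(value)
    if parts.scheme.lower() not in SAFE_URI_SCHEMES:
        # data:, javascript: etc. are logged by scheme only; the payload is dropped
        return f"[{parts.scheme or 'no-scheme'}: URI suppressed]"
    if "@" in parts.netloc:
        return "[URI with userinfo suppressed]"
    return value[:200]              # do not percent-decode before display

def sanitize_report(raw_body):
    """Parse a report-uri POST body into a dict of HTML-escaped fields, or None."""
    try:
        report = json.loads(raw_body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(report, dict):
        return None
    clean = {}
    for name in URI_FIELDS:
        if name in report:
            clean[name] = html.escape(normalize_uri(report[name]), quote=True)
    for name in TEXT_FIELDS:
        if isinstance(report.get(name), str):
            clean[name] = html.escape(report[name][:MAX_TEXT], quote=True)
    return clean
```

Any field not in the two allow-lists is dropped, so unexpected keys an attacker adds with a proxy never reach the console at all.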
DEMO
