11/11/2015 Secure Coding Guidelines for Content Security Policy | GnuDeveloper.com
http://www.gnudeveloper.com/cyber_security/secure_coding_guidelines_for_content_security_policy.html
Secure Coding Guidelines for Content Security Policy
Submitted by vivekanandan on Wed, 11/04/2015 23:23
Content Security Policy (CSP) is the key concept for protecting against cross-site scripting (XSS) from the browser side, since XSS is the most prevalent injection attack. "Content" here means the web page resources such as JavaScript, images, etc. For browser-side security we also need to understand the same-origin policy (SOP) and the cross-origin policy (COP).
Why we need Content Security Policy:
The server needs to state clearly which origins are trusted for resources such as JavaScript and images, so that the client can act accordingly. Since the browser (client) and the server are disconnected, the server has to communicate the security policy for each page as part of the HTTP response header.
Secure coding guidelines for CSP:
1. Always put JavaScript in a separate .js file.
2. Always bind HTML elements to event handlers from script, so that a clear separation of HTML and JavaScript is maintained. JS frameworks like jQuery support this feature.
Example for a button click event in jQuery: $("#btnClick").click(function() { });
3. If a legacy project already has inline JavaScript, add a script nonce to it, but consider it unsafe and reduce it ASAP.
4. Avoid using the eval statement in JavaScript code.
5. Avoid using setTimeout methods, since internally they behave like an eval statement.
6. Always have a separate CSS file, meaning don't use inline styles.
Same origin policy (SOP):
The browser decides the same-origin policy based on 3 parts of the URL, for example http://www.gnudeveloper.com:80/
Protocol: HTTP
Domain name: www.gnudeveloper.com
Port number: 80
Based on this URL information the browser decides whether a web page resource belongs to the same origin or to a cross origin.
'self': it represents the same-origin policy, for example
script-src 'self';
Cross origin policy (COP) or Cross-Origin Resource Sharing (CORS):
It represents content belonging to a different origin, as opposed to the same-origin policy. By default the Firefox browser won't allow cross-origin content for web pages, since it creates a chance for cross-site scripting (XSS). To allow all hosts, specify the asterisk character *:
script-src *;
The CSP violation message can be viewed in the console.
The 'self' directive value enforces that the source domain (gnudeveloper.com) and the image src / script src are the same origin, hence the error messages below:
Content Security Policy: The page's settings blocked the loading of a resource at infotree.in/themes/bartik/logo.png ("img-src gnudeveloper.com").
Content Security Policy: The page's settings blocked the loading of a resource at code.jquery.com/jquery-1.9.1.js ("script-src gnudeveloper.com 'unsa
Since eval-script is missing from the HTTP response header, the browser blocked the eval method:
call to eval() or related function blocked by CSP
Note: setTimeout will be allowed since it is an indirect eval statement.
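To make the same-origin check and the console messages above concrete, here is an added example (not code from the article or from GnuDeveloper.com) that evaluates a CSP header the way a browser does: it compares the (scheme, host, port) origin triple for 'self', applies '*' and host-sources, and reports whether eval() is permitted. The page URL, the resource URLs and the header string are constructed from the article's examples; the 'unsafe-inline' keyword stands in for the truncated console output, and scheme-less host-sources are simplified to match any scheme.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """The (scheme, host, port) triple the same-origin policy compares."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def parse_csp(header):
    """Parse 'img-src a b; script-src c' into {'img-src': ['a', 'b'], ...}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def host_source_matches(source, resource_url):
    """Match a host-source such as example.com, https://example.com:443 or *.example.com."""
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.partition(":")
    r = urlsplit(resource_url)
    if scheme and r.scheme != scheme:
        return False
    if port and str(r.port or DEFAULT_PORTS.get(r.scheme)) != port:
        return False
    if host.startswith("*."):                 # wildcard covers subdomains only
        return r.hostname.endswith(host[1:])
    return r.hostname == host                 # a bare host is an exact match

def source_matches(source, resource_url, page_url):
    """Does one source expression permit resource_url on a page at page_url?"""
    if source == "'self'":
        return origin_of(resource_url) == origin_of(page_url)
    if source == "*":
        return True
    if source.startswith("'"):                # 'none', 'unsafe-inline', ... never match a URL
        return False
    return host_source_matches(source, resource_url)

def allowed(policy, directive, resource_url, page_url):
    """Apply a fetch directive, falling back to default-src as browsers do."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:                       # directive not set at all: no restriction
        return True
    return any(source_matches(s, resource_url, page_url) for s in sources)

def eval_allowed(policy):
    """eval() is blocked unless script-src (or default-src) carries 'unsafe-eval'."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-eval'" in sources

# Constructed sample: the article's page and the header its console output implies.
PAGE = "http://www.gnudeveloper.com:80/"
POLICY = parse_csp("img-src gnudeveloper.com; script-src gnudeveloper.com 'unsafe-inline'")
```

Note that a bare host-source such as gnudeveloper.com matches only that exact host, not www.gnudeveloper.com; use 'self' or *.gnudeveloper.com when subdomains must be allowed.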