Content-Security-Policy
Concept, Strategies, Pitfalls
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2023
August 4th, 2023
TYPO3 Developer Days 2023 - Content-Security-Policy - oliver.hader@typo3.org 2
~# whoami
Oliver Hader
@ohader
▪ Research & Development
▪ TYPO3 Security Team Lead
▪ 50% TYPO3 GmbH / 50% Freelancer
▪ #hof #cycling #paramedic #in.die.musik
Agenda
▪ Why?
▪ Concept: Introduction to Content-Security-Policy
▪ Pitfalls: Examples and CSP in Action
▪ Strategies: Content-Security-Policy in TYPO3 v12+
Why?
cause matters

⚠︎ Trigger Warning
▪ please, don’t publish security vulnerabilities to public channels
▪ not on GitHub/Forge
▪ not in Slack channels
▪ not on Twitter, ...
▪ report to security@typo3.org
▪ security team supports community

Why?
▪ cross-site scripting & privacy concerns
▪ 2018-2023: 34 XSS vulnerabilities in TYPO3 CMS
▪ script execution / remote control via JavaScript (in the scope & with the permissions of the victim)
▪ trigger download of executable applications
▪ extract users’ details (location, IP address, session data, …)
▪ <script> | <img src="~" onerror="…"> | <iframe> | <style> | …
Video <script>

Video <link rel="stylesheet">
Concept
Content-Security-Policy

Content-Security-Policy (CSP)
Content-Security-Policy as meta tag or HTTP header (preferred)
Content-Security-Policy (CSP)
directive:
▪ default-src
▪ img-src
▪ child-src
▪ frame-src
▪ script-src | style-src
▪ sandbox
source (*-src):
▪ 'none'
▪ 'self'
▪ *.example.org
▪ https://example.org
▪ https: | data:
source ([script|style]-src):
▪ 'unsafe-eval'
▪ 'unsafe-inline'
▪ 'nonce-…'
▪ 'strict-dynamic'

Content-Security-Policy (CSP)
docs https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content-Security-Policy (CSP) - Examples
script-src (CSP2) vs. script-src, script-src-elem, script-src-attr (CSP3)
[Screenshot: four numbered example policies combining example.org, 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes' across script-src-elem and script-src-attr]

Content-Security-Policy (CSP) - Examples
style-src (CSP2) vs. style-src, style-src-elem, style-src-attr (CSP3)
[Screenshot: three numbered example policies combining example.org and 'unsafe-inline' across style-src-elem and style-src-attr]

Content-Security-Policy (CSP)
Support of CSP Level 3 script-src-elem - Apple: "nope"
Content-Security-Policy (CSP) - onclick example
▪ button clicked, script execution blocked
▪ button clicked, 'unsafe-inline' script executed
▪ button clicked, 'unsafe-hashes' script executed
Content-Security-Policy (CSP) - external scripts example
▪ HTML on typo3v12, loads from hacko3v12, loads from other3v12
on https://typo3v12.ddev.site/…
https://hacko3v12.ddev.site/static/cross-script.js
▪ loaded from typo3v12, hacko3v12, other3v12, blocked eval
▪ allow loading all scripts via 'strict-dynamic' when nonce is given
▪ 'strict-dynamic' works when using DOM-API ✅ - denied for "parser-inserted" script ❌

Content-Security-Policy (CSP)
Support of CSP Level 3 strict-dynamic - Apple: "yepp"
Content-Security-Policy (CSP) - CSP Simulator
▪ github.com/ohader/csp-simulator
▪ Content-Security-Policy Simulator
▪ HTTP man-in-the-middle proxy
▪ for arbitrary websites

Strategies
The TYPO3 POV
TYPO3 and CSP
▪ general: prevention & detection strategy
▪ provide tools/APIs, suggestions, advisories
▪ Content-Security-Policy to mitigate XSS vulnerabilities
▪ with TYPO3 v12: available, but not enforced
▪ with TYPO3 v13: plans to enable CSP by default
▪ listen to & incorporate community feedback & experience
TYPO3 and CSP
▪ Dedicated feature flag scopes (backend, frontend, frontend & site)
▪ Excerpt of CSP "Policy" models, directives, sources, …
▪ Static CSP declaration for extensions in PHP or site config
TYPO3 and CSP
▪ "nonce" = number used once(!) (must be random, not predictable)
▪ nonce value added automatically for static(!) files in PageRenderer
▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
TYPO3 and CSP
▪ CSP reporting backend module
▪ CSP reporting backend module & applying "resolutions"
▪ Individual CSP violation handlers, suggesting "resolutions"
▪ CSP HTTP header for backend requests
▪ Manually triggered CSP violation (eval)
▪ CSP violation sent back to TYPO3 reporting endpoint

Pitfalls
observations
Pitfalls
▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
▪ same for style-src
▪ (TYPO3 is prepared to add nonce values everywhere*)
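The CSP3 fallback from script-src-elem/-attr to script-src, the 'strict-dynamic' behaviour for DOM-API versus parser-inserted scripts from the external-scripts example, the 'unsafe-hashes' requirement from the onclick example, and the pitfall above that 'unsafe-inline' is ignored once a nonce or hash is present, as one small policy evaluator. This is an added example, not code from the talk or from TYPO3: the hosts typo3v12/hacko3v12/other3v12.ddev.site come from the talk, while the policies, the placeholder nonce and the simplified host matching are assumptions made here.

```javascript
// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// CSP3 fallback chain: script-src-elem/-attr fall back to script-src, then default-src
// (same for style-*); a CSP2-only browser ignores the -elem/-attr directives entirely.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
};

// Source list governing `directive`, or null when the policy does not restrict it at all.
function resolveDirective(policy, directive) {
  for (const name of FALLBACK[directive] || [directive, 'default-src']) {
    if (policy[name]) return policy[name];
  }
  return null;
}

const hasNonceOrHash = (sources) => sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));

// Simplified host-source matching: 'self', scheme sources (https:, data:), *.example.org and
// https://example.org[:port][/path]. Default ports and exact-path semantics are not modelled.
function matchesHostSource(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*']+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false; // keyword sources ('none', 'unsafe-inline', ...) never match a URL
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = target.hostname.toLowerCase();
  if (wildcard ? !h.endsWith(`.${host.toLowerCase()}`) : h !== host.toLowerCase()) return false;
  if (port && port !== '*' && target.port !== port) return false;
  return !path || target.pathname.startsWith(path);
}

// Inline script/style decision. type: 'script' | 'style'; item: { kind: 'elem' | 'attr', nonce?, hash? }
function allowsInline(policy, type, item) {
  const sources = resolveDirective(policy, `${type}-src-${item.kind}`);
  if (sources === null) return true;
  if (item.nonce && sources.includes(`'nonce-${item.nonce}'`)) return true;
  if (item.hash && sources.includes(`'${item.hash}'`)) {
    // A hash only covers an event-handler attribute (onclick=...) together with 'unsafe-hashes'.
    return item.kind === 'elem' || sources.includes("'unsafe-hashes'");
  }
  // The pitfall from the talk: 'unsafe-inline' is ignored once a nonce or hash source is present.
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash(sources);
}

// External script decision. load: { url, nonce?, parserInserted }
function allowsExternalScript(policy, load, selfOrigin) {
  const sources = resolveDirective(policy, 'script-src-elem');
  if (sources === null) return true;
  if (load.nonce && sources.includes(`'nonce-${load.nonce}'`)) return true;
  if (sources.includes("'strict-dynamic'")) {
    // Host and scheme sources are ignored; trust propagates to scripts that an already trusted
    // script inserts through DOM APIs (createElement/appendChild), never to parser-inserted ones.
    return !load.parserInserted;
  }
  return sources.some((s) => matchesHostSource(s, load.url, selfOrigin));
}

// eval() is governed by script-src itself, not by the -elem/-attr variants.
function allowsEval(policy) {
  const sources = resolveDirective(policy, 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// Walk-through with the hosts from the talk's demo; the policies and the nonce are constructed
// here (a real nonce must come from a CSPRNG, fresh for every response, never a fixed string).
function demo() {
  const self = 'https://typo3v12.ddev.site';
  const cross = 'https://hacko3v12.ddev.site/static/cross-script.js';
  const nonce = 'EXAMPLE_NONCE_NOT_RANDOM';
  const hostList = parsePolicy(`default-src 'self'; script-src 'self' https://hacko3v12.ddev.site 'unsafe-inline' 'nonce-${nonce}'`);
  const strict = parsePolicy(`script-src 'nonce-${nonce}' 'strict-dynamic' https://other3v12.ddev.site`);
  return {
    crossByHost: allowsExternalScript(hostList, { url: cross, parserInserted: true }, self),
    unsafeInlineIgnored: !allowsInline(hostList, 'script', { kind: 'elem' }),
    noncedInline: allowsInline(hostList, 'script', { kind: 'elem', nonce }),
    domApiUnderStrictDynamic: allowsExternalScript(strict, { url: cross, parserInserted: false }, self),
    parserInsertedUnderStrictDynamic: allowsExternalScript(strict, { url: cross, parserInserted: true }, self),
    evalAllowed: allowsEval(strict),
  };
}
```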
Pitfalls
Google's Suggestion on Integrating Google Maps
[Screenshot: ❌ CSP Level 3 | CSP Level 2]
Pitfalls
▪ false-positive reports
▪ caused by browser plugins
▪ can use own scheme, e.g.
▪ moz-extension:
▪ safari-extension:
Pitfalls
▪ Google Translate proxies site
▪ request was actually blocked
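A triage step for incoming report-uri style violation reports that applies the false-positive rules from the two pitfalls above (browser-extension schemes, documents served by a proxy such as Google Translate) before proposing a "resolution", in the spirit of the TYPO3 reporting module described earlier. This is an added example, not TYPO3's own handler code; the sample reports are constructed, and the translate.goog document host and the chrome-extension: scheme are assumptions made here.

```javascript
// Schemes used by browser extensions that inject into pages; reports naming them are not the
// site's problem. moz-extension: and safari-extension: are from the talk, chrome-extension: is
// an addition made here.
const EXTENSION_SCHEMES = ['moz-extension:', 'safari-extension:', 'chrome-extension:'];

function originOf(uri) {
  try { return new URL(uri).origin; } catch { return null; }
}

// Triage one report-uri style report ({ "csp-report": { ... } }) for the site at `siteOrigin`.
function triageReport(report, siteOrigin) {
  const r = report['csp-report'] || {};
  const blocked = String(r['blocked-uri'] || '');
  // CSP2 added effective-directive; older browsers only send violated-directive (with its sources).
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
  const base = { directive, blocked, documentUri: r['document-uri'] };

  if (EXTENSION_SCHEMES.some((scheme) => blocked.startsWith(scheme))) {
    return { ...base, verdict: 'ignore', reason: 'injected by a browser extension' };
  }
  const docOrigin = originOf(r['document-uri']);
  if (docOrigin && docOrigin !== siteOrigin) {
    // e.g. Google Translate serving a proxied copy: the request really was blocked, but on the
    // proxy's copy of the page, so there is nothing to change in the site's own policy.
    return { ...base, verdict: 'proxied', reason: `document served from ${docOrigin}` };
  }
  if (blocked === 'inline') {
    return { ...base, verdict: 'review', suggestion: `add a nonce or hash source to ${directive} instead of 'unsafe-inline'` };
  }
  if (blocked === 'eval') {
    return { ...base, verdict: 'review', suggestion: "remove the eval()/Function() call; 'unsafe-eval' on script-src only as a last resort" };
  }
  const blockedOrigin = originOf(blocked);
  if (blockedOrigin) {
    return { ...base, verdict: 'review', suggestion: `if ${blockedOrigin} is legitimate, add it to ${directive}` };
  }
  return { ...base, verdict: 'review', suggestion: 'inspect manually' };
}

// Aggregate a batch: counts per verdict and the distinct resolutions to put in front of an admin.
function summarize(reports, siteOrigin) {
  const counts = { ignore: 0, proxied: 0, review: 0 };
  const suggestions = new Set();
  for (const report of reports) {
    const t = triageReport(report, siteOrigin);
    counts[t.verdict] += 1;
    if (t.suggestion) suggestions.add(t.suggestion);
  }
  return { counts, suggestions: [...suggestions] };
}

// Constructed sample reports (shape follows the report-uri JSON format; all values are made up).
const SITE_ORIGIN = 'https://typo3v12.ddev.site';
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://typo3v12.ddev.site/', 'effective-directive': 'script-src-elem',
      'violated-directive': "script-src 'self'", 'blocked-uri': 'moz-extension://0123abcd/content.js' } },
  { 'csp-report': { 'document-uri': 'https://typo3v12-ddev-site.translate.goog/', 'effective-directive': 'script-src-elem',
      'blocked-uri': 'https://typo3v12-ddev-site.translate.goog/static/cross-script.js' } },
  { 'csp-report': { 'document-uri': 'https://typo3v12.ddev.site/page', 'violated-directive': "script-src 'self'",
      'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://typo3v12.ddev.site/typo3/', 'effective-directive': 'script-src',
      'blocked-uri': 'eval' } },
  { 'csp-report': { 'document-uri': 'https://typo3v12.ddev.site/', 'effective-directive': 'script-src-elem',
      'blocked-uri': 'https://hacko3v12.ddev.site/static/cross-script.js' } },
];
```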
Pitfalls
▪ something™ changes base-uri
▪ <base href="https://h4ck3r.org">
▪ CSP: base-uri 'none' | 'self'
Conclusion?
▪ unfinished CSP Level 3 (draft) vs CSP Level 2 (2016)
▪ painful backward compatibility & open questions
▪ somewhere in between max. convenience & max. security
▪ please enable CSP in TYPO3 v12 (backend, maybe frontend)
▪ report your findings & feedback to https://forge.typo3.org

thanks!
questions?
Corporate and higher education May webinar.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls

  • 11. Content-Security-Policy (CSP) - directives and sources
    directive:
    ▪ default-src
    ▪ img-src
    ▪ child-src
    ▪ frame-src
    ▪ script-src | style-src
    ▪ sandbox
    source (*-src):
    ▪ 'none'
    ▪ 'self'
    ▪ *.example.org
    ▪ https://example.org
    ▪ https: | data:
    source ([script|style]-src):
    ▪ 'unsafe-eval'
    ▪ 'unsafe-inline'
    ▪ 'nonce-…'
    ▪ 'strict-dynamic'
  • 12. Content-Security-Policy (CSP) - docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  • 13. Content-Security-Policy (CSP) - Examples
    script-src (CSP2) vs. script-src, script-src-elem, script-src-attr (CSP3)
    (diagram, examples 1 to 4: the sources example.org, 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes' placed under script-src-elem and script-src-attr)
  • 14. Content-Security-Policy (CSP) - Examples
    style-src (CSP2) vs. style-src, style-src-elem, style-src-attr (CSP3)
    (diagram, examples 1 to 3: the sources example.org and 'unsafe-inline' placed under style-src-elem and style-src-attr)
  • 15. Content-Security-Policy (CSP) - support of CSP Level 3 script-src-elem - Apple: "nope"
  • 16. Content-Security-Policy (CSP) - onclick example: button clicked, script execution blocked
  • 17. Content-Security-Policy (CSP) - onclick example: button clicked, 'unsafe-inline', script executed
  • 18. Content-Security-Policy (CSP) - onclick example: button clicked, 'unsafe-hashes', script executed
  • 19. Content-Security-Policy (CSP) - external scripts example
    HTML on typo3v12, loads from hacko3v12, loads from other3v12
    on https://typo3v12.ddev.site/… loading https://hacko3v12.ddev.site/static/cross-script.js
  • 20. Content-Security-Policy (CSP) - external scripts example
    loaded from typo3v12, hacko3v12, other3v12; blocked eval
  • 21. Content-Security-Policy (CSP) - external scripts example
    allow loading all scripts via 'strict-dynamic' when a nonce is given
  • 22. Content-Security-Policy (CSP) - external scripts example
    'strict-dynamic' works when using the DOM API ✅ - denied for "parser-inserted" script ❌
    on https://typo3v12.ddev.site/… loading https://hacko3v12.ddev.site/static/cross-script.js
  • 23. Content-Security-Policy (CSP) - support of CSP Level 3 'strict-dynamic' - Apple: "yepp"
  • 24. Content-Security-Policy (CSP) - CSP Simulator
    ▪ github.com/ohader/csp-simulator
    ▪ Content-Security-Policy Simulator
    ▪ HTTP man-in-the-middle proxy
    ▪ for arbitrary websites
  • 25. Strategies - The TYPO3 POV
  • 26. TYPO3 and CSP
    ▪ general: prevention & detection strategy
    ▪ provide tools/APIs, suggestions, advisories
    ▪ Content-Security-Policy to mitigate XSS vulnerabilities
    ▪ with TYPO3 v12: available, but not enforced
    ▪ with TYPO3 v13: plans to enable CSP per default
    ▪ listen to & incorporate community feedback & experience
  • 27. TYPO3 and CSP - dedicated feature flag scopes (backend, frontend, frontend & site)
  • 28. TYPO3 and CSP - excerpt of CSP "Policy" models, directives, sources, …
  • 29. TYPO3 and CSP - static CSP declaration for extensions in PHP or site config
  • 30. TYPO3 and CSP
    ▪ "nonce" = number used once(!) (must be random, not predictable)
    ▪ nonce value added automatically for static(!) files in PageRenderer
    ▪ nonce value added for inline scripts and styles when explicitly requested, in PageRenderer and AssetCollector (incl. Fluid view helpers)
  • 31. TYPO3 and CSP - CSP reporting backend module
  • 32. TYPO3 and CSP - CSP reporting backend module & applying "resolutions"
  • 33. TYPO3 and CSP - individual CSP violation handlers, suggesting "resolutions"
  • 34. TYPO3 and CSP - CSP HTTP header for backend requests
  • 35. TYPO3 and CSP - manually triggered CSP violation (eval)
  • 36. TYPO3 and CSP - CSP violation sent back to TYPO3 reporting endpoint
  • 37. CSP violation sent back to TYPO3 reporting endpoint
  • 38. Pitfalls - observations
  • 39. Pitfalls
    ▪ […] 'unsafe-inline' is ignored if either a hash or nonce value is present […]
    ▪ same for style-src
    ▪ (TYPO3 is prepared to add nonce values everywhere*)
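The onclick cases from slides 16 to 18 (blocked, 'unsafe-inline', 'unsafe-hashes') and the rule quoted on slide 39 can be reproduced outside a browser with a small policy evaluator. The following is an added example in Python, not code from the talk or from TYPO3: the function names (make_nonce, sha256_source, parse_policy, effective_sources, inline_allowed, demo), the policy strings and the inline handler text are all constructed here. It implements only the rules these slides name: the CSP3 fallback from script-src-attr / script-src-elem to script-src and default-src, nonce and 'sha256-…' matching, 'unsafe-hashes' for event handler attributes, and 'unsafe-inline' being ignored as soon as a nonce or hash source is present.

```python
"""Evaluate whether inline script text or an event handler passes a CSP.
Added example, not code from the talk or from TYPO3; the policies and the
inline code below are constructed for illustration."""
import base64
import hashlib
import secrets


def make_nonce():
    """Nonce = number used once: fresh per response, from a CSPRNG, not guessable."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def sha256_source(inline_code):
    """Hash source for inline code, e.g. 'sha256-…', as it would appear in script-src."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_policy(policy):
    """'script-src a b; style-src c' -> {'script-src': ['a', 'b'], 'style-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


# CSP3 granular directives fall back to script-src / style-src, then default-src.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
}


def effective_sources(directives, directive):
    """Source list governing `directive`, or None when the policy does not cover it."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in directives:
            return directives[name]
    return None


def inline_allowed(policy, directive, code, nonce=None, is_attr=False):
    """True if inline `code` (a <script> body, or an event handler attribute value
    when is_attr=True) is permitted by `policy` under `directive`."""
    sources = effective_sources(parse_policy(policy), directive)
    if sources is None:
        return True  # nothing in the policy restricts this directive
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    # Slide 39: 'unsafe-inline' is ignored once a nonce or hash source is present.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return True
    # Nonces apply to elements only; an event handler attribute cannot carry one.
    if not is_attr and nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if sha256_source(code) in sources:
        # A hash matches an event handler attribute only together with 'unsafe-hashes'.
        return (not is_attr) or ("'unsafe-hashes'" in lowered)
    return False


def demo():
    """The onclick cases of slides 16-18 plus two inline <script> cases, as booleans."""
    handler = "alert('clicked')"  # constructed onclick attribute value
    nonce = make_nonce()
    nonced = f"script-src 'self' 'unsafe-inline' 'nonce-{nonce}'"
    cases = [
        ("script-src 'self'", "script-src-attr", handler, None, True),          # blocked
        ("script-src 'self' 'unsafe-inline'", "script-src-attr", handler, None, True),  # executed
        (f"script-src 'self' 'unsafe-hashes' {sha256_source(handler)}",
         "script-src-attr", handler, None, True),                                # executed
        (nonced, "script-src-elem", "init()", nonce, False),                     # nonce matches
        (nonced, "script-src-elem", "init()", None, False),  # no nonce: 'unsafe-inline' ignored
    ]
    return [inline_allowed(*args) for args in cases]
```

The last two cases are the pitfall of slide 39: adding a nonce to a policy that still carries 'unsafe-inline' silently turns every inline script without that nonce into a violation, so a site that relies on 'unsafe-inline' must add nonces (or hashes) everywhere in the same step.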
  • 40. Pitfalls - Google's suggestion on integrating Google Maps (policy shown for CSP Level 3 ❌ and for CSP Level 2)
  • 41. Pitfalls
    ▪ false-positive reports
    ▪ caused by browser plugins
    ▪ can use own scheme, e.g.
    ▪ moz-extension:
    ▪ safari-extension:
  • 44. Pitfalls
    ▪ Google Translate proxies site
    ▪ request was actually blocked
  • 45. Pitfalls
    ▪ something™ changes base-uri
    ▪ <base href="https://h4ck3r.org">
    ▪ CSP: base-uri 'none' | 'self'
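Slides 36 and 37 show violation reports arriving at the TYPO3 reporting endpoint, and slides 41 to 45 list what such reports contain in practice: extension-injected resources, documents served through a translation proxy, and changed base-uri values. The following is an added example in Python of a first-pass triage over the legacy application/csp-report JSON format (report-uri), not TYPO3's reporting module or its "resolution" logic. The function names (origin_of, triage, triage_all) and all sample reports are constructed; the origins typo3v12.ddev.site, hacko3v12.ddev.site and h4ck3r.org are taken from the slides, the translator proxy host is a placeholder, and chrome-extension: is added to the two extension schemes the slides name. Treating a report whose document-uri is not our own origin as "ignore" is an assumed triage rule, not something the talk prescribes.

```python
"""Triage of CSP violation reports posted to a report-uri endpoint.
Added example, not TYPO3 code; the reports below are constructed."""
import json
from urllib.parse import urlsplit

# Schemes used by browser extensions (slides 41-43 name moz-extension: and
# safari-extension:; chrome-extension: added here as a further known scheme).
EXTENSION_SCHEMES = {"moz-extension", "safari-extension", "chrome-extension"}

# Origin from the slides; the reports are constructed for this example.
SITE = "https://typo3v12.ddev.site"


def origin_of(uri):
    """scheme://host[:port] of a URI, lower-cased; '' for special values like 'inline'."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else ""


def triage(raw_report, site_origin):
    """Return (decision, note) for one application/csp-report JSON body."""
    body = json.loads(raw_report).get("csp-report", {})
    blocked = body.get("blocked-uri", "")
    document = body.get("document-uri", "")
    # modern browsers send effective-directive; older ones only violated-directive,
    # sometimes followed by the directive's value list, hence the split
    directive = body.get("effective-directive") or body.get("violated-directive", "").split(" ")[0]

    if urlsplit(blocked).scheme.lower() in EXTENSION_SCHEMES:
        return "ignore", "resource injected by a browser extension, not by the site"
    if document and origin_of(document) != site_origin.lower():
        # e.g. a translation proxy serving a copy of the page (slide 44): the
        # block is real, but the document is not ours (assumed triage rule)
        return "ignore", f"document served from foreign origin {origin_of(document)}"
    if directive == "base-uri":
        # slide 45: a changed base element redirects every relative URL on the page
        return "investigate", f"base-uri changed to {blocked}: check for an injected <base> element"
    if blocked in ("inline", "eval"):
        return "review", f"{directive}: {blocked} blocked; prefer a nonce or hash over 'unsafe-inline'"
    if blocked:
        return "review", f"candidate resolution: allow {origin_of(blocked)} in {directive}"
    return "review", "no blocked-uri in report"


SAMPLE_REPORTS = [  # constructed
    # 1: script injected by a browser extension
    json.dumps({"csp-report": {"document-uri": SITE + "/", "effective-directive": "script-src-elem",
                               "blocked-uri": "moz-extension://1234abcd/content.js"}}),
    # 2: page served through a translation proxy (placeholder host)
    json.dumps({"csp-report": {"document-uri": "https://translator-proxy.example/typo3v12.ddev.site/",
                               "effective-directive": "img-src", "blocked-uri": SITE + "/logo.png"}}),
    # 3: base-uri changed
    json.dumps({"csp-report": {"document-uri": SITE + "/", "effective-directive": "base-uri",
                               "blocked-uri": "https://h4ck3r.org"}}),
    # 4: eval blocked in the backend (old-style report without effective-directive)
    json.dumps({"csp-report": {"document-uri": SITE + "/typo3/", "violated-directive": "script-src",
                               "blocked-uri": "eval"}}),
    # 5: third-party script, as in the external scripts example
    json.dumps({"csp-report": {"document-uri": SITE + "/", "effective-directive": "script-src-elem",
                               "blocked-uri": "https://hacko3v12.ddev.site/static/cross-script.js"}}),
]


def triage_all(reports=SAMPLE_REPORTS, site_origin=SITE):
    """Triage every report; returns a list of (decision, note) pairs."""
    return [triage(r, site_origin) for r in reports]


if __name__ == "__main__":
    for decision, note in triage_all():
        print(f"{decision:12} {note}")
```

Reports in the "ignore" bucket should still be counted, since a sudden volume change there is itself a signal; "review" items are the ones a resolution (adding a host, replacing 'unsafe-inline' by a nonce) would close, and "investigate" items are never resolved by widening the policy.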
  • 46. Conclusion?
  • 47. Conclusion?
    ▪ unfinished CSP Level 3 (draft) vs CSP Level 2 (2016)
    ▪ painful backward compatibility & open questions
    ▪ somewhere in between max. convenience & max. security
    ▪ please enable CSP in TYPO3 v12 (backend, maybe frontend)
    ▪ report your findings & feedback to https://forge.typo3.org