Open amcgregor opened 4 years ago
An extension which can collect endpoint-provided hints during dispatch and enforce certain minimums.

## Recommendations

* `object-src 'none';` by default. Flash is dead. Don't be the one to resurrect it.

## Levels of default security profiles:

* Allowed resource sources for CSS, JS, and Fonts collectable during request preparation.

## Resources

### Sample CSPs

**CEGID / Illico Hodes RITA**

```
default-src 'self'; img-src *; script-src 'self' 'unsafe-inline' unpkg.com www.google-analytics.com; style-src 'self' 'unsafe-inline' unpkg.com fonts.googleapis.com fonts.gstatic.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; object-src 'none'; connect-src 'self' www.google-analytics.com;
```

**Facebook**

```
default-src * data: blob: 'self'; script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self'; style-src data: blob: 'unsafe-inline' *; connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self'; upgrade-insecure-requests; report-uri https://www.facebook.com/csp/reporting/;
```

**LinkedIn**

```
default-src *; connect-src 'self' https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com https://dpm.demdex.net/id https://lnkd.demdex.net/event blob: static.licdn.com static-exp1.licdn.com static-exp2.licdn.com static-exp3.licdn.com media.licdn.com media-exp1.licdn.com media-exp2.licdn.com media-exp3.licdn.com; img-src data: blob: *; font-src data: *; style-src 'unsafe-inline' 'self' static-src.linkedin.com *.licdn.com; script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' spdy.linkedin.com static-src.linkedin.com *.ads.linkedin.com *.licdn.com static.chartbeat.com www.google-analytics.com ssl.google-analytics.com bcvipva02.rightnowtech.com www.bizographics.com sjs.bizographics.com js.bizographics.com d.la4-c1-was.salesforceliveagent.com slideshare.www.linkedin.com https://snap.licdn.com/li.lms-analytics/insight.min.js platform.linkedin.com platform-akam.linkedin.com platform-ecst.linkedin.com platform-azur.linkedin.com; object-src 'none'; media-src blob: *; child-src blob: lnkd-communities: voyager: *; frame-ancestors 'self'; report-uri https://www.linkedin.com/platform-telemetry/csp?f=l
```
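A sketch of what the proposed extension could look like, added here as an illustration and not code from the issue or from any project it refers to. It collects per-directive source hints during a request, merges them into a baseline profile, pins `object-src 'none'` so no endpoint can relax it, and checks an existing policy string against that minimum. The `DEFAULT_PROFILE` baseline, the `CSPCollector`/`violations` names and the decision to reject rather than silently drop hints for a pinned directive are assumptions; the two sample policies are copied from the Sample CSPs above. Note that the Facebook sample has no `object-src` at all and so falls back to `default-src * data: blob: 'self'`, which is exactly the case the check has to catch.

```python
"""Collect CSP source hints during dispatch and enforce minimums."""

from typing import Dict, List, Optional

# The one minimum the issue states: object-src 'none', not overridable.
# The mapping form lets further minimums be pinned later.
MINIMUMS: Dict[str, List[str]] = {"object-src": ["'none'"]}

# Assumed strict baseline profile (only object-src comes from the issue).
DEFAULT_PROFILE: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "object-src": ["'none'"],
}

# Sample policies copied from the issue above (used as test input).
SAMPLE_CEGID = (
    "default-src 'self'; img-src *; script-src 'self' 'unsafe-inline' unpkg.com "
    "www.google-analytics.com; style-src 'self' 'unsafe-inline' unpkg.com "
    "fonts.googleapis.com fonts.gstatic.com; font-src 'self' fonts.googleapis.com "
    "fonts.gstatic.com; object-src 'none'; connect-src 'self' www.google-analytics.com;"
)
SAMPLE_FACEBOOK = (
    "default-src * data: blob: 'self'; script-src *.facebook.com *.fbcdn.net "
    "*.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* "
    "*.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self'; "
    "style-src data: blob: 'unsafe-inline' *; connect-src *.facebook.com facebook.com "
    "*.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* "
    "https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: "
    "*.cdninstagram.com 'self'; upgrade-insecure-requests; "
    "report-uri https://www.facebook.com/csp/reporting/;"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into directive -> source list.

    Valueless directives (e.g. upgrade-insecure-requests) map to [].
    Browsers ignore a repeated directive name, so the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp; directive order is the dict's insertion order."""
    return "; ".join(f"{name} {' '.join(srcs)}" if srcs else name
                     for name, srcs in policy.items())


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that actually govern a fetch directive: the directive itself,
    else the default-src fallback, else None when nothing restricts it."""
    return policy.get(directive, policy.get("default-src"))


def violations(header: str) -> List[str]:
    """Names of pinned directives whose effective sources are not the minimum."""
    policy = parse_csp(header)
    bad = []
    for directive, required in MINIMUMS.items():
        actual = effective_sources(policy, directive)
        if actual is None or set(actual) != set(required):
            bad.append(directive)
    return bad


class CSPCollector:
    """Per-request accumulator for endpoint-provided source hints."""

    def __init__(self, profile: Dict[str, List[str]] = DEFAULT_PROFILE) -> None:
        # Copy so hints gathered for one request never leak into the profile.
        self.policy: Dict[str, List[str]] = {k: list(v) for k, v in profile.items()}

    def allow(self, directive: str, *sources: str) -> None:
        """Called by an endpoint or template during dispatch to add sources."""
        directive = directive.lower()
        if directive in MINIMUMS:  # fail loudly instead of silently relaxing
            raise ValueError(f"{directive} is pinned to {' '.join(MINIMUMS[directive])}")
        bucket = self.policy.setdefault(directive, [])
        for source in sources:
            if source not in bucket:
                bucket.append(source)

    def header(self) -> str:
        """Serialize for the Content-Security-Policy response header.

        Minimums are re-applied here so direct edits to self.policy cannot
        bypass them; 'none' must stand alone, so the list is replaced."""
        final = dict(self.policy)
        for directive, required in MINIMUMS.items():
            final[directive] = list(required)
        return serialize_csp(final)


if __name__ == "__main__":
    collector = CSPCollector()
    collector.allow("script-src", "'self'", "unpkg.com")
    print(collector.header())
    print("facebook sample violates:", violations(SAMPLE_FACEBOOK))
```

Hooking this into a real framework means creating one `CSPCollector` per request, letting handlers and templates call `allow()` while the response is being prepared, and emitting `header()` once the body is rendered; the `violations()` check doubles as a CI gate for hand-written policies.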