I'm testing and using CSP (Content Security Policy), and here are some thoughts, resources, scripts and ideas on it.
In folder "report-uri", you may find examples of CSP parsers you can use for report-uri.
In folder "CSP for third party services", you may find examples of directives you need to use for some services.
In folder "csp-check", you may find the source of a proof of concept: this script was a quick and dirty way to reproduce a bug in Firefox; you can see it in action here: https://csp.nicolas-hoffmann.net/
Basically, the page generates a unique id, the violation reports sent to report-uri are stored in a database, the page makes an AJAX call to that database, and the unique id is used to find the CSP errors belonging to that page load.
This is useful to prove bugs, not only in Firefox. ^^
To reproduce the bug:
At the beginning, I made it to prove that some Chrome extensions were sending reports to report-uri (while they should not), and it helped to find/prove a bug in the Firefox Inspector.
Here is the reported bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1195302
It should be fixed with Firefox 42: https://bugzilla.mozilla.org/show_bug.cgi?id=1185351 :)
In folder "CSP WTF", you may find examples of strange notifications you may receive. Feel free to add/explain some.
The list is now split in two: explained and not-yet-explained notifications.
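Since the report-uri folder is about parsing what browsers POST, and the CSP WTF folder is about telling real violations from noise (browser extensions, garbage POSTed at the endpoint), here is an added example of such a parser in Python. It is not code from this repository: the sample POST bodies are constructed for the example, the `id` query parameter standing in for the unique id described above is an assumption, and the list of extension schemes treated as noise is my own choice.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample POST bodies in the {"csp-report": {...}} shape browsers
# send to report-uri. They are made up for this example, not real log data.
SAMPLE_BODIES = [
    # 1: an external script the policy does not allow
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page?id=abc123",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "https://cdn.example.test/app.js"}}),
    # 2: an inline style on the same page load
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page?id=abc123",
        "violated-directive": "style-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "inline",
        "source-file": "https://example.test/page",
        "line-number": 12}}),
    # 3: a browser extension injecting a script: nothing the site can fix
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page?id=abc123",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js"}}),
    # 4: a report for a different page load (different unique id)
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/page?id=zzz999",
        "violated-directive": "img-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": "https://foo.net/image.jpg"}}),
    # 5: garbage that something POSTed to the endpoint
    "not a csp report",
]

# URL schemes that only ever come from the browser itself or its extensions
# (assumed list for this example; extend it with what your own logs show).
NOISE_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension",
                 "ms-browser-extension", "about", "chrome", "resource")


def parse_report(body):
    """Parse one report-uri POST body into the fields worth storing.
    Returns None when the body is not a CSP report (bad JSON, missing key),
    so the endpoint never trusts its input to be well-formed."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    return {
        "document_uri": str(report.get("document-uri", "")),
        # effective-directive is the precise one; older browsers only send violated-directive
        "directive": str(report.get("effective-directive") or report.get("violated-directive", "")),
        "blocked_uri": str(report.get("blocked-uri", "")),
        "source_file": str(report.get("source-file", "")),
        "line": report.get("line-number"),
    }


def classify(report):
    """Label a parsed report: 'noise' for extension/browser-internal origins,
    'inline' for inline code or eval blocked by the policy, 'external' otherwise."""
    blocked = report["blocked_uri"]
    if urlsplit(blocked).scheme.lower() in NOISE_SCHEMES:
        return "noise"
    if blocked in ("", "inline", "eval", "self"):
        return "inline"
    return "external"


def page_id(document_uri):
    """Extract the unique id the page embedded in its own URL (assumed to be
    the 'id' query parameter); '' when absent."""
    return parse_qs(urlsplit(document_uri).query).get("id", [""])[0]


def collect(bodies, wanted_id):
    """Replay a batch of POST bodies and keep only the reports for one page
    load, as the AJAX call described above would. Each entry is
    (directive, blocked_uri, label)."""
    found = []
    for body in bodies:
        report = parse_report(body)
        if report is None or page_id(report["document_uri"]) != wanted_id:
            continue
        found.append((report["directive"], report["blocked_uri"], classify(report)))
    return found


if __name__ == "__main__":
    for entry in collect(SAMPLE_BODIES, "abc123"):
        print(entry)
```

Reports labelled `noise` are the ones worth filing under "CSP WTF" rather than fixing in the policy; everything else points at a directive to adjust or a piece of inline code to clean up.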
Be careful if you have multiple domain names (foo.com, foo.net) pointing to a single website while using 'self' as value. Example: if a user uses a full URL for an image, let's say http://foo.com/image.jpg, 'self' won't be enough when the visitor is on foo.net. Be sure to allow all necessary domains.
If you really have to use some inline scripts/CSS, for example:
<script>alert('Hello, world.');</script>
you might add 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng=' as a valid source in your script-src directive. The hash is the result of:
base64_encode(hash('sha256', "alert('Hello, world.');", true))
in PHP, for example.
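As an added example (not from this repository), the same computation in Python, extended to pull every inline <script> out of a page and build the matching script-src directive. The sample HTML is constructed for the example; the conversion to the base64url spelling is only there to show that it matches the hash quoted above, browsers accept both spellings.

```python
import base64
import hashlib
import re

# Constructed sample: the inline script shown above, and a small page that
# embeds it next to an external script (hashes never apply to src= scripts).
INLINE_SCRIPT = "alert('Hello, world.');"
SAMPLE_HTML = (
    "<html><body>\n"
    "<script src=\"/static/app.js\"></script>\n"
    "<script>" + INLINE_SCRIPT + "</script>\n"
    "</body></html>\n"
)

_SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def csp_hash_source(body, algorithm="sha256"):
    """Return the CSP source expression for an inline script/style body.

    The digest covers exactly the bytes between the opening and closing tag,
    whitespace and newlines included, so a hash that 'looks right' still
    fails if the served markup differs by a single character.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP accepts only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def to_base64url(source):
    """Rewrite a hash source into the base64url spelling (+ -> -, / -> _),
    which is the spelling used in the hash quoted above."""
    return source.replace("+", "-").replace("/", "_")


def inline_script_hashes(html, algorithm="sha256"):
    """Collect hash sources for every inline <script> in a document.
    Scripts with a src= attribute are skipped: they are matched by host
    or nonce sources, not by hashes."""
    sources = []
    for attrs, body in _SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        sources.append(csp_hash_source(body, algorithm))
    return sources


def script_src_directive(html, algorithm="sha256"):
    """Build a script-src directive allowing 'self' plus the document's
    inline scripts, ready to paste into the policy."""
    return "script-src 'self' " + " ".join(inline_script_hashes(html, algorithm))


if __name__ == "__main__":
    print(csp_hash_source(INLINE_SCRIPT))
    print(to_base64url(csp_hash_source(INLINE_SCRIPT)))
    print(script_src_directive(SAMPLE_HTML))
```

Run it against the HTML your server actually emits (after templating), not the source template: any change in indentation or line endings between the two yields a different hash and a blocked script.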
According to Philippe De Ryck, setting CSP's object-src to 'none' blocks Chrome's PDF viewer. As he says, "unless you're hosting vulnerable flash files yourself, go with 'self', and ignore the warning on the CSP Evaluator".
According to ctrl.blog, Safari's default media controls get blocked when applying a Content-Security-Policy, see https://www.ctrl.blog/entry/safari-csp-media-controls (hint: allow img-src).
I use CSP to clean up some bad old content (with inline styles, for example).
Moreover, if you don't have the time to clean it up, setting up a CSP policy will prevent bad old styles from breaking the nice/clean new design. Or it will tell you when contributors are doing shit on the website.
You might read how the Guardian moved to HTTPS using CSP: https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https
As far as I can see, using CSP on my jQuery plugins helped me a lot to design them without inline styles/js. See for example: https://a11y.nicolas-hoffmann.net/ or https://van11y.net
So it is a great help for progressive enhancement, orthogonality and clean front-end.
For Firefox: press Shift+F2 and type "security csp". It will show you the directives and give advice.
If you have the Web Developer toolbar, go to Information > HTTP headers.
JS/jQuery plugins should document the CSP requirements they need to work (especially inline styles or inline JS), so:
EDIT: an initiative has been set up by WebReflection to display CSP badges for your plugins/libraries.
upgrade-insecure-requests; block-all-mixed-content, bugs on Chrome 615885, 617584 (video tag, reported here).
Enjoy!