surfmuggle / Cubert


CSP - Content Security Policy - Level 2 (2016 TR) or 3 (2018 WD) #18

Open surfmuggle opened 3 years ago

surfmuggle commented 3 years ago

Content Security Policy can improve the security of a page.

  1. https://www.w3.org/TR/html52/document-metadata.html#element-attrdef-style-nonce
  2. Recommendation 2016 CSP 2 https://www.w3.org/TR/CSP2/
  3. Working Draft 2018 https://www.w3.org/TR/CSP3/

From the introduction of CSP2

This document defines Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.

To mitigate XSS attacks, for example, a web application can declare that it only expects to load script from specific, trusted sources. This declaration allows the client to detect and block malicious scripts injected into the application by an attacker.

Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks. As a first line of defense against content injection, server operators should validate their input and encode their output.

There is often a non-trivial amount of work required to apply CSP to an existing web application. To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.

To take advantage of CSP, a web application opts into using CSP by supplying a Content-Security-Policy HTTP header. Such policies apply to the current resource representation only. To supply a policy for an entire site, the server needs to supply a policy with each resource representation.
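
Added worked example (not part of this issue or the Cubert project): a small Python model of what the quoted paragraphs describe. It mints a per-response nonce, builds a `Content-Security-Policy` header value, and then plays the user agent's side by parsing that header and deciding whether a given script would run. Everything here (`make_nonce`, `build_csp`, `parse_csp`, `script_allowed`, the sample origins) is illustrative; host sources are assumed to be written as full origins (`https://host`), and the fallback from `script-src` to `default-src` and the CSP2 rule that `'unsafe-inline'` is ignored once a nonce or hash source is present are modelled, while wildcards and path matching are not.

```python
import base64
import secrets
from typing import Optional
from urllib.parse import urlsplit


def make_nonce() -> str:
    """Fresh per-response nonce: 128 random bits, base64-encoded (CSP2 asks for base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, extra_script_hosts=()) -> str:
    """Serialize the policy for one response. Only script with this nonce, or from
    'self' / the listed hosts, is allowed; injected inline script has no nonce."""
    script_src = ["'self'", f"'nonce-{nonce}'", *extra_script_hosts]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "; ".join(directives)


def parse_csp(header: str) -> dict:
    """Parse a serialized policy into {directive-name: [source-expression, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored, as in CSP
    return policy


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased (assumption: hosts given as origins)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def script_allowed(policy: dict, page_url: str,
                   src: Optional[str] = None, nonce: Optional[str] = None) -> bool:
    """Would a user agent enforcing `policy` run this script?
    src=None means an inline <script> block; otherwise src is its external URL."""
    # script-src governs scripts; if absent, default-src applies
    sources = policy.get("script-src", policy.get("default-src", []))
    if sources == ["'none'"]:
        return False
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if src is None:
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True
        # 'unsafe-inline' is ignored when a nonce or hash source is present (CSP2)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    origin = _origin(src)
    for s in sources:
        if s == "'self'" and origin == _origin(page_url):
            return True
        if not s.startswith("'") and _origin(s) == origin:
            return True
    return False


def demo() -> dict:
    """Constructed scenario: one page, one policy, five candidate scripts."""
    nonce = make_nonce()
    policy = parse_csp(build_csp(nonce, ["https://cdn.example.net"]))
    page = "https://app.example.com/index.html"
    return {
        "own_inline_with_nonce": script_allowed(policy, page, nonce=nonce),
        "injected_inline_no_nonce": script_allowed(policy, page),
        "own_external": script_allowed(policy, page, src="https://app.example.com/js/app.js"),
        "cdn_external": script_allowed(policy, page, src="https://cdn.example.net/lib.js"),
        "foreign_external": script_allowed(policy, page, src="https://other.example/x.js"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:28} {'runs' if allowed else 'blocked'}")
```

The point the spec paragraphs make shows up in `demo()`: the application's own inline block carries the nonce and runs, while an inline block injected into the same page has no way to know the nonce and is blocked, which is exactly why existing inline script has to be moved out-of-line or nonced before CSP can be enforced rather than merely reported.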

surfmuggle commented 3 years ago

Added intro text