W3C Content Security Policy 1.0
One measure against web attacks.
No less and no more.
@m2w2 Markus Wichmann, May 2013
What is CSP about at all?
Just some terms:
Web Applications
Web Application Security
Cross-Site Scripting (XSS)
XSS Prevention
Policy Breach Reporting
Content Security Policy 1.0 is a
W3C candidate recommendation as of May 2013.
I expect it to become a recommendation in the near future.
Agenda
W3C Content Security Policy (CSP)
The Web without CSP
Plain old HTML
XSS (Cross-Site Scripting)
Enter: CSP
CSP Deployment
CSP Reporting
CSP Limitations
Future of CSP
How browsers show CSP violation attempts
The Web... without CSP
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
(Diagram: the Web Server serves the page, basic JS and style sheets; the database holds the forum comments; the FB plugin, G+ button and Twitter content come from third parties.)
XSS (Cross-Site Scripting)
Phase 1: Injection Attack.
(Diagram: Server A with its database of forum entries.)
<html>
...
...Forum Comments...
<textarea>
</textarea>
</html>
Hey folks, look at my evil site:
http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E
XSS Phase 2: The Victim
<html>
...
Hey folks, look at my evil
site: <script>alert(‘This is an
XSS Vulnerability’)</script>
...
</html>
(Diagram: Server A with its database of forum comments.)
XSS Phase 3:
Send Victim to Hell – Just one Example
(Diagram: http://www.evil.lab serves Evil Scripts, Cookie Stealing, Whatever!)
<html>
<head>
...
<script src="...evil.lab...">
</head>
<body>
<script ...>
</body>
</html>
XSS recap
(Sequence diagram, participants Hacker, Victim, Web Page: the Hacker infects the Web Page with an evil script; the Victim visits the page; the page injects the script into the Victim's browser; the script does something evil.)
Enter: CSP
Declarative Source Whitelisting
"What am I allowed to fetch, and from where?"
Our example, revisited:
What do we really need?
<html>
<head>
...import style sheets...
...import JavaScript files...
</head>
<body>
...Forum Comments...
<img src="...">
...Google +1 Button...
...Facebook Like plugin...
...Twitter message...
</body>
</html>
(Diagram: the database holds the forum comments; the FB plugin, G+ button and Twitter content come from third parties; the Web Server serves the page, basic JS and style sheets.)
What do we really need?
1. Style Sheets from our own Web Server
2. JavaScript from our own Web Server
3. JavaScript from apis.google.com
4. iframe content from plusone.google.com
5. iframe content from facebook.com
6. JavaScript from platform.twitter.com
7. iframe content from platform.twitter.com
We DON'T need inline scripts (script tags within the body tag)!
CSP Deployment
Solution: HTTP header
Name: Content-Security-Policy*
Values: Resource Directives, each with a Source List
* see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers
CSP Deployment: Our recent example
If you wrote it separately (don't do this, not correct, just for demonstration purposes):
Content-Security-Policy: default-src 'self';
Content-Security-Policy: style-src 'self';
Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
Correct all-in-one notation:
Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
1. Style Sheets from our own Web Server
2. JavaScript from our own Web Server
3. JavaScript from apis.google.com
4. iframe content from plusone.google.com
5. iframe content from facebook.com
6. JavaScript from platform.twitter.com
7. iframe content from platform.twitter.com
We DON'T want inline scripts = script tags within the body tag!
CSP Directives
default-src: origin to fall back on if there's no rule that is more specific (e.g. see the directives below)
style-src: origins for CSS stylesheets
img-src: origins for image files
font-src: origins to load web fonts from
frame-src: origins embeddable into iframes
media-src: origins of HTML5 audio and video
object-src: origins of Flash and similar plugins
connect-src: origins to connect to using XHR, WebSockets, and EventSource
CSP Source Lists
'none': restricts the directive to nothing at all
'self': the current origin, but not its subdomains
'unsafe-inline': allows inline JavaScript and CSS
'unsafe-eval': allows JavaScript's eval method
http://uri.lab: a URI to allow; separate several URIs with spaces
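As an added example (not from the slides), a small Python evaluator that parses the all-in-one policy from the deployment slide and applies the default-src fallback and the source-list keywords from the two slides above. The page origin https://forum.example and the resource URLs are constructed; evil.lab is the attacker host from the XSS slides.

```python
"""Minimal CSP 1.0 policy evaluator (added example, not from the slides)."""
from urllib.parse import urlsplit

# Policy from the "Correct all-in-one notation" slide.
POLICY = ("default-src 'self'; style-src 'self'; "
          "script-src 'self' https://apis.google.com https://platform.twitter.com; "
          "frame-src https://plusone.google.com https://facebook.com "
          "https://platform.twitter.com;")

# Directives that fall back to default-src when they are absent (CSP 1.0).
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                    "frame-src", "media-src", "object-src", "connect-src")


def parse_policy(header_value):
    """Split 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        directives.setdefault(name, sources)   # CSP ignores a repeated directive
    return directives


def _source_matches(source, url, page_origin):
    """Does one source expression allow one absolute URL?"""
    u, page = urlsplit(url), urlsplit(page_origin)
    s = source.lower()
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":                # same scheme, host and port as the page
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if s.startswith("'"):            # 'unsafe-inline' / 'unsafe-eval' never match a URL
        return False
    if s.endswith(":"):              # scheme-only source such as https:
        return u.scheme == s[:-1]
    src = urlsplit(s if "://" in s else "//" + s)
    if src.scheme:
        if src.scheme != u.scheme:
            return False
    elif u.scheme != page.scheme:    # host-only source takes the page's scheme
        return False
    host, src_host = u.hostname or "", src.hostname or ""
    if src_host.startswith("*."):
        host_ok = host.endswith(src_host[1:])
    else:
        host_ok = host == src_host
    port_ok = src.port is None or src.port == u.port
    return host_ok and port_ok


def is_allowed(directives, kind, url, page_origin):
    """kind is a directive name such as 'script-src'; url 'inline' means inline content."""
    sources = directives.get(kind)
    if sources is None and kind in FETCH_DIRECTIVES:
        sources = directives.get("default-src")   # the fallback from the directives slide
    if sources is None:
        return True                   # nothing restricts this resource type
    if url == "inline":
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(_source_matches(s, url, page_origin) for s in sources)


def check_slide_example():
    """Evaluate the seven needs from the slides plus the attacker's script against POLICY."""
    d = parse_policy(POLICY)
    page = "https://forum.example"    # constructed origin for "our own Web Server"
    cases = {
        "own css": ("style-src", "https://forum.example/main.css"),
        "twitter js": ("script-src", "https://platform.twitter.com/widgets.js"),
        "plusone frame": ("frame-src", "https://plusone.google.com/_/+1/fastbutton"),
        "facebook frame": ("frame-src", "https://facebook.com/plugins/like.php"),
        "evil js": ("script-src", "http://www.evil.lab/evil.js"),
        "injected inline": ("script-src", "inline"),
        "own image": ("img-src", "https://forum.example/logo.png"),      # via default-src
        "remote image": ("img-src", "https://cdn.example/pic.png"),      # default-src blocks
    }
    return {name: is_allowed(d, k, u, page) for name, (k, u) in cases.items()}


if __name__ == "__main__":
    for name, ok in check_slide_example().items():
        print(f"{name:16} {'allowed' if ok else 'BLOCKED'}")
```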
CSP Deployment's effect
Attacker finds hole? Bad enough.
Attacker injects script? Bad enough.
But:
If script does not match whitelist, it cannot
be executed.
Bad enough... for the attacker.
CSP Reporting
Find weak pieces of your code: Let browser report attempted policy breaches!
Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
CSP violation attempts are reported to the specified URI in JSON format like this:
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
  }
}
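An added example of what the /csp_report_parser endpoint named above could do with these reports (my code, not from the slides): validate the JSON shape, then group accepted reports by page and directive so the pages that keep tripping the policy stand out. The report bodies are constructed from the hosts in the slide's example.

```python
"""Receiver-side handling of CSP violation reports (added example, not from the slides).

Reports arrive unauthenticated from any browser, so the body is untrusted
input: size-limit it, parse defensively, and never trust its values blindly.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

REQUIRED = ("document-uri", "violated-directive", "original-policy")

# Constructed report bodies, shaped like the browser POST in the slide above.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com; "
                           "report-uri http://example.org/csp_report_parser"}}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/page.html",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com"}}),
    json.dumps({"csp-report": {
        "document-uri": "http://example.org/profile.html",
        "blocked-uri": "http://cdn.example.net/widget.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com"}}),
    '{"not-a-report": 1}',           # malformed body: must be rejected, not crash the parser
]


def parse_report(body, max_bytes=8192):
    """Return the csp-report dict, or None if the body is oversized or malformed."""
    if len(body) > max_bytes:
        return None
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):   # not JSON, or JSON that is not an object
        return None
    if not isinstance(report, dict) or not all(k in report for k in REQUIRED):
        return None
    return report


def directive_name(violated):
    """\"script-src 'self' https://...\" -> \"script-src\"."""
    parts = violated.split()
    return parts[0].lower() if parts else ""


def summarize(bodies):
    """Count accepted reports per (page, directive) and per blocked origin.

    The per-page counter is the "find weak pieces of your code" view: a page that
    keeps reporting the same blocked origin either lacks a legitimate source in its
    policy or is carrying injected content.
    """
    by_page, blocked_origins, rejected = Counter(), Counter(), 0
    for body in bodies:
        r = parse_report(body)
        if r is None:
            rejected += 1
            continue
        by_page[(r["document-uri"], directive_name(r["violated-directive"]))] += 1
        blocked = r.get("blocked-uri", "")
        blocked_origins[urlsplit(blocked).netloc or blocked] += 1
    return by_page, blocked_origins, rejected


if __name__ == "__main__":
    pages, origins, bad = summarize(SAMPLE_REPORTS)
    for (page, directive), n in pages.most_common():
        print(f"{n:3} x {directive:12} on {page}")
    print("blocked origins:", dict(origins), "| rejected bodies:", bad)
```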
CSP's limitations (as of May 2013) 1/2
Browsers supporting CSP 1.0:
Firefox 4–16 partial support, use X-Content-Security-Policy
Firefox 17+ seems like full support, use X-Content-Security-Policy
Chrome 14+ seems to me like full support
IE 10+ very rudimentary support, see http://goo.gl/p5rke
Safari 5.1 partial support, use X-WebKit-CSP as header name
Safari 6.0+ seems to me like full support
iOS 6.0 Safari seems to me like full support
Chrome for Android 25+ seems to me like full support
Sources: http://caniuse.com/contentsecuritypolicy and
Mike West's Twitter Post above
CSP's limitations (as of May 2013) 2/2
CSP protects users against
Most Cross-Site Scripting attacks
CSP does NOT protect against:
Cross-Site Request Forgery (XSRF/CSRF)
Session Riding
Cookie Stealing (though this is a bit more difficult with CSP in place)
SQL Injection
And please use HTTPS wherever possible.
HTTP over SSL
Possible Future of CSP
CSP 1.1 currently in draft status (as of 05/2013)
Will mainly support more directives
script-nonce: allow specific(!) inline scripts
plugin-types: allow specific plugin MIME types
form-action: specify form action URIs to allow
See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
How browsers show CSP violations
in their debuggers (Firebug, Developer Tools, etc.)
(Screenshots: the Firefox and Chrome developer tools each showing a blocked resource and the violated directive.)
Thanks to all authors
of the following pages:
http://www.w3.org/TR/CSP/
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://en.wikipedia.org/wiki/Cross-site_scripting
http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
http://en.wikipedia.org/wiki/Same_origin_policy
http://en.wikipedia.org/wiki/JSONP
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
http://en.wikipedia.org/wiki/Samy_worm
http://maulwuff.de/pws/2012/web20sec/vortrag.html
https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
https://twitter.com/mikewest/status/268721123145957377
http://people.mozilla.com/~bsterne/content-security-policy/
http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
Thank you.
@m2w2
Constructive criticism always welcome!
Disclaimer:
The author of these slides does not give and cannot give any kind of warranties or
guarantees or anything the like on the correctness of any information provided in these
slides.

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 

Kürzlich hochgeladen (20)

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 

W3C Content Security Policy

  • 1. W3C Content Security Policy 1.0: One measure against web attacks. No less and no more. @m2w2 Markus Wichmann, May 2013
  • 2. What is CSP about at all? Just some terms: Web Applications, Web Application Security, Cross-Site Scripting (XSS), XSS Prevention, Policy Breach Reporting. Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013. I expect it to become a recommendation in the near future.
  • 3. Agenda
      W3C Content Security Policy (CSP)
      The Web without CSP: plain old HTML; XSS (Cross-Site Scripting)
      Enter: CSP
      CSP Deployment
      CSP Reporting
      CSP Limitations
      Future of CSP
      How browsers show CSP violation attempts
  • 4. The Web... without CSP
      <html>
        <head>
          ...import style sheets...
          ...import JavaScript files...
        </head>
        <body>
          ...Forum Comments...
          <img src="...">
          ...Google +1 Button...
          ...Facebook Like plugin...
          ...Twitter message...
        </body>
      </html>
      Where the pieces come from: Web Server (page, basic JS, style sheets); Database (forum comments); FB plugin; G+ button; Twitter.
  • 5. XSS (Cross-Site Scripting), Phase 1: Injection Attack. Diagram: Server A with its forum database behind the comment form (<html> ... ...Forum Comments... <textarea></textarea> ... </html>). The comment that gets posted:
      Hey folks, look at my evil site: http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E
  • 6. XSS Phase 2: The Victim. Server A serves the stored forum comment from its database, so the page now contains:
      <html> ... Hey folks, look at my evil site: <script>alert(‘This is an XSS Vulnerability’)</script> ... </html>
  • 7. XSS Phase 3: Send Victim to Hell – Just one Example. The injected script pulls more code from http://www.evil.lab (evil scripts, cookie stealing, whatever!):
      <html>
        <head> ... <script src="...evil.lab..."> </head>
        <body> <script ...> </body>
      </html>
      (diagram steps 1 to 4)
  • 8. XSS recap (sequence diagram with Hacker, Victim, Web Page, WWW): Hacker injects script into the web page; Victim visits the page; the page infects the Victim with the evil script; the script does something evil.
  • 9. Enter: CSP. Declarative source whitelisting: „What am I allowed to fetch, and from where?“
  • 10. Our example, revisited: What do we really need? (the page skeleton and sources from slide 4: Web Server with page, basic JS and style sheets; Database with forum comments; FB plugin; G+ button; Twitter)
  • 11. What do we really need? For the page from slide 4:
      1. Style Sheets from our own Web Server
      2. JavaScript from our own Web Server
      3. JavaScript from apis.google.com
      4. iframe content from plusone.google.com
      5. iframe content from facebook.com
      6. JavaScript from platform.twitter.com
      7. iframe content from platform.twitter.com
      We DON'T need inline scripts (script tags within the body tag)!
  • 12. CSP Deployment. Solution: an HTTP header. Name: Content-Security-Policy*. Values: resource directives, each with a source list. (* see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers)
  • 13. CSP Deployment: Our recent example
      If you wrote it separately (don't do this, not correct, just for demonstration purposes):
        Content-Security-Policy: default-src 'self';
        Content-Security-Policy: style-src 'self';
        Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
        Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
      Correct all-in-one notation:
        Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;
      This covers the seven needs from slide 11: 1. style sheets from our own web server; 2. JavaScript from our own web server; 3. JavaScript from apis.google.com; 4. iframe content from plusone.google.com; 5. iframe content from facebook.com; 6. JavaScript from platform.twitter.com; 7. iframe content from platform.twitter.com. We DON'T want inline scripts = script tags within the body tag!
  • 14. CSP Directives
      default-src: origin to fall back on if there's no rule that is more specific (e.g. see the directives below)
      style-src: origins for CSS stylesheets
      img-src: origins for image files
      font-src: origins to load web-fonts from
      frame-src: origins embeddable into iframes
      media-src: origins of HTML5 audio and video
      object-src: origins of Flash and similar plugins
      connect-src: origins to connect to using XHR, WebSockets, and EventSource
  • 15. CSP Source Lists
      'none': restrict the directive to nothing at all
      'self': current origin, but not its subdomains
      'unsafe-inline': allows inline JavaScript and CSS
      'unsafe-eval': allows JavaScript's eval method
      http://uri.lab: URI to allow, space-separated if there are several
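How a browser applies such a header, shown as an added example that is not part of the slides: a small Python evaluator for the slide 13 policy under the directive and source-list rules of slides 14 and 15. The protected page's origin https://forum.example.org is a constructed assumption, and wildcard hosts and ports are handled in simplified form.

```python
"""Minimal CSP 1.0 source-list evaluator (added example, not from the slides).
Parses a Content-Security-Policy header value into directives and decides whether
a fetch is allowed: default-src is the fallback for directives that are not set,
'self' is the page's own origin but not its subdomains, 'none' allows nothing,
and inline script is blocked unless 'unsafe-inline' is listed."""

from urllib.parse import urlsplit

# The all-in-one header from the "CSP Deployment: Our recent example" slide.
EXAMPLE_POLICY = (
    "default-src 'self'; style-src 'self'; "
    "script-src 'self' https://apis.google.com https://platform.twitter.com; "
    "frame-src https://plusone.google.com https://facebook.com "
    "https://platform.twitter.com;"
)
PAGE_ORIGIN = "https://forum.example.org"  # constructed origin of the protected page

def parse_policy(header):
    """Return {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(expr, url, page_origin=PAGE_ORIGIN):
    """Match one source expression against an absolute URL (simplified CSP 1.0 rules)."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":  # same scheme, host and port; subdomains do not match
        return (target.scheme, target.hostname, target.port) == \
               (page.scheme, page.hostname, page.port)
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval' whitelist no URL
        return False
    if expr == "*":
        return True
    if expr.endswith(":"):  # scheme-only source such as "https:"
        return target.scheme == expr[:-1]
    # Host source: an explicit scheme must match; a bare host inherits the page scheme.
    allowed = urlsplit(expr if "://" in expr else f"{page.scheme}://{expr}")
    if allowed.scheme != target.scheme or allowed.port != target.port:
        return False
    if allowed.hostname.startswith("*."):  # *.example.com matches subdomains only
        return target.hostname.endswith(allowed.hostname[1:])
    return allowed.hostname == target.hostname

def is_allowed(policy, directive, url=None):
    """True if a fetch governed by `directive` passes; url=None means inline content."""
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    if url is None:
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url) for s in sources)

if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    print(is_allowed(policy, "script-src", "https://apis.google.com/js/plusone.js"))  # True
    print(is_allowed(policy, "script-src", "http://www.evil.lab/evil.js"))  # False
    print(is_allowed(policy, "script-src"))  # False: inline script is not whitelisted
```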
  • 16. CSP Deployment's effect. Attacker finds a hole? Bad enough. Attacker injects a script? Bad enough. But: if the script does not match the whitelist, it cannot be executed. Bad enough... for the attacker.
  • 17. CSP Reporting. Find weak pieces of your code: let the browser report attempted policy breaches!
        Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;
      CSP violation attempts are reported to the specified URI in JSON format like this:
        {
          "csp-report": {
            "document-uri": "http://example.org/page.html",
            "referrer": "http://evil.example.com/",
            "blocked-uri": "http://evil.example.com/evil.js",
            "violated-directive": "script-src 'self' https://apis.google.com",
            "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
          }
        }
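What the endpoint behind report-uri has to do with these bodies, as an added example that is not from the slides: a Python parser that validates each report as untrusted input and aggregates them per violated directive and blocked host. The sample bodies are constructed from the slide's JSON; grouping host-less blocked-uri values as "(inline)" and clipping values at 2048 characters are this example's assumptions.

```python
"""Receiver-side parser for CSP violation reports (added example, not from the
slides). Takes the JSON bodies a browser posts to the report-uri, keeps only the
fields the slide lists, treats every value as untrusted input, and counts reports
per violated directive and blocked host so weak spots in the application stand out."""

import json
from collections import Counter
from urllib.parse import urlsplit

FIELDS = ("document-uri", "referrer", "blocked-uri", "violated-directive", "original-policy")
MAX_LEN = 2048  # assumption of this example: clip oversized values before storing them

def parse_report(body):
    """Return a cleaned dict for one report body, or None if the body is malformed."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    cleaned = {}
    for key in FIELDS:
        value = report.get(key, "")
        if not isinstance(value, str):  # reject anything that is not a plain string
            return None
        cleaned[key] = value[:MAX_LEN]
    # "violated-directive" carries the whole directive; keep only its name for grouping.
    cleaned["directive"] = cleaned["violated-directive"].split(" ", 1)[0]
    # Assumption of this example: no host in blocked-uri (inline content) is grouped as "(inline)".
    cleaned["blocked-host"] = urlsplit(cleaned["blocked-uri"]).hostname or "(inline)"
    return cleaned

def summarize(bodies):
    """Count (directive, blocked host) pairs over many bodies, skipping malformed ones."""
    counts = Counter()
    for body in bodies:
        report = parse_report(body)
        if report is not None:
            counts[(report["directive"], report["blocked-host"])] += 1
    return counts

def _body(blocked, directive="script-src 'self' https://apis.google.com"):
    """Build a constructed report body in the shape the slide shows."""
    return json.dumps({"csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": blocked,
        "violated-directive": directive,
        "original-policy": directive + "; report-uri http://example.org/csp_report_parser"}})

# Constructed sample: the slide's report, one more from the same host, an inline violation, a malformed body.
SAMPLE_BODIES = [_body("http://evil.example.com/evil.js"),
                 _body("http://evil.example.com/track.js"),
                 _body(""),
                 "not json at all"]

if __name__ == "__main__":
    for (directive, host), n in summarize(SAMPLE_BODIES).most_common():
        print(f"{n:3d}  {directive:12s}  {host}")
```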
  • 18. CSP's limitations (as of May 2013) 1/2. Browsers supporting CSP 1.0:
      Firefox 4–16: partial support, use X-Content-Security-Policy
      Firefox 17+: seems like full support, use X-Content-Security-Policy
      Chrome 14+: seems to me like full support
      IE 10+: very rudimentary support, see http://goo.gl/p5rke
      Safari 5.1: partial support, use X-WebKit-CSP as header name
      Safari 6.0+: seems to me like full support
      iOS 6.0 Safari: seems to me like full support
      Chrome for Android 25+: seems to me like full support
      Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post above
  • 19. CSP's limitations (as of May 2013) 2/2. CSP protects users against most Cross-Site Scripting attacks. CSP does NOT protect against: Cross-Site Request Forgery (XSRF/CSRF); Session Riding; Cookie Stealing (though this is a bit more difficult with CSP in place); SQL Injection. And please use HTTPS (HTTP over SSL) wherever possible.
  • 20. Possible Future of CSP. CSP 1.1 is currently in draft status (as of 05/2013) and will mainly support more directives:
      script-nonce: allow specific(!) inline scripts
      plugin-types: allow specific plugin MIME types
      form-action: specify form action URIs to allow
      See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
  • 21. How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.): screenshots for Firefox and Chrome.
  • 22. Thanks to all authors of the following pages:
      http://www.w3.org/TR/CSP/
      https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental
      http://www.html5rocks.com/en/tutorials/security/content-security-policy/
      http://en.wikipedia.org/wiki/Cross-site_scripting
      http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery
      http://en.wikipedia.org/wiki/Same_origin_policy
      http://en.wikipedia.org/wiki/JSONP
      https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction
      http://en.wikipedia.org/wiki/Samy_worm
      http://maulwuff.de/pws/2012/web20sec/vortrag.html
      https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf
      http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/
      http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/
      https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
      https://twitter.com/mikewest/status/268721123145957377
      http://people.mozilla.com/~bsterne/content-security-policy/
      http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html
      http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5
      http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
      http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html
      http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx
  • 23. Thank you. @m2w2 Constructive criticism always welcome! Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything the like on the correctness of any information provided in these slides.