Content Security Policy

Content Security Policy (CSP) is a security mechanism aimed at protecting against XSS and Clickjacking attacks. CSP lets you specify the trusted origins from which resources such as JavaScript, fonts, CSS and others may be loaded. It can also forbid the execution of inline JavaScript code.

Description

One of the reasons XSS attacks are possible is that the browser cannot distinguish a trusted resource of the site (JavaScript, a font and so on) from one injected by an attacker. By default, the web browser executes all the code it encounters on the page.

Content Security Policy is the standard defining the HTTP headers Content-Security-Policy and Content-Security-Policy-Report-Only, which inform the web browser of the trusted list of origins from which it is allowed to load resources.

For example, a website uses the jQuery library from the origin code.jquery.com and trusts this code. At the same time, the site does not trust any other origin. You can communicate this to the web browser using Content Security Policy.

Most modern web browsers support CSP.

Header Content-Security-Policy

CSP exists in several versions; here we consider version 2.0. This version supports the following directives:

Directive Description
default-src Defines the allowed origins (protocol, domain, port) used by default for the other directives. If a directive is not specified in the header, its policy is taken from default-src.
script-src Defines the allowed origins for JavaScript files
object-src Defines the allowed origins for loading plug-ins such as Flash, Java and others. The value applies to the tags <object>, <embed> and <applet>
style-src Defines the allowed origins for loading CSS files
img-src Defines the allowed origins for loading images
media-src Defines the allowed origins for loading video (<video>) and audio (<audio>)
child-src Defines the allowed origins for embedded pages (iframe) and Web Workers
font-src Defines the allowed origins for loading fonts
connect-src Defines the allowed origins to which the page may connect (XHR, WebSockets and EventSource)
form-action Defines the allowed origins for the action attribute of the <form> tag
frame-ancestors Defines the origins that are allowed to embed the website through the tags <iframe>, <object>, <embed> and <applet>
plugin-types Defines the MIME types of plug-ins embedded through the tags <object> and <embed>
report-uri The address to which the browser sends JSON reports about CSP violations

The values of the directives

The value of each directive, except report-uri and plugin-types, is a list of sources separated by spaces. The following header allows JavaScript to be loaded from Google Analytics and Google AJAX: Content-Security-Policy: script-src www.google-analytics.com ajax.googleapis.com;. In addition, any position may hold the symbol * (wildcard), which allows any value. Directives are separated by semicolons.

There are four special values for directives:

  • 'none' - all origins are prohibited
  • 'self' - only the current origin is allowed
  • 'unsafe-inline' - applies only to script-src and style-src. Allows inline JS and CSS on the page (<script>code...</script>), and for the script-src directive also allows inline event handlers (onclick="Javascript code").
  • 'unsafe-eval' - applies only to script-src, and allows code generation from strings such as eval, new Function and others.

Examples of directive values

Values Description
img-src * Allows loading images from any origin
object-src 'none'; frame-src 'none' Prevents loading of plug-ins (Flash, Java) and iframes
media-src https://* Allows loading video and audio only over the HTTPS protocol
script-src 'self' *.trusted.com Allows loading JavaScript from the current origin and from any subdomain of trusted.com over any protocol

Policy Failures Reports

CSP allows you to specify an address to which the browser sends HTTP POST requests describing policy violations. This helps to identify violations, as well as to find errors in the policy itself.

Content-Security-Policy: script-src 'self' https://apis.google.com; report-uri http://site.com/csp/report

Writing a policy is not an easy task for developers, and at the initial stage of deployment many things may not be taken into account. For this reason CSP provides a debugging header, Content-Security-Policy-Report-Only. It has the same meaning as Content-Security-Policy but does not enforce any restrictions, which makes it possible to receive reports without inconveniencing website users. Both headers can also be sent together.

Example of a CSP report:
{
    "csp-report": {
        "document-uri": "http://site.com/page.html",
        "referrer": "http://evil.com/",
        "blocked-uri": "http://evil.com/xss.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com; report-uri http://site.com/csp/report"
    }
}
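As an added illustration, not part of the original page, the following Python applies the directive semantics described above (default-src fallback, 'self', 'none', scheme-only sources such as https:, and *.host wildcards) to decide whether a URL is allowed, and then re-checks the sample violation report against its own original-policy. The function names and the REPORT sample are constructed here, and the host matching is a simplification of the CSP 2.0 algorithm (default ports and paths are not normalised).

```python
from urllib.parse import urlparse

def parse_policy(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    parts = [part.split() for part in header.split(";") if part.strip()]
    return {tokens[0].lower(): tokens[1:] for tokens in parts}

def source_matches(source, url, page_origin):
    """Match one source expression against a resource URL (simplified CSP 2.0 host-source matching)."""
    u, p = urlparse(url), urlparse(page_origin)
    if source == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.startswith("'"):          # 'none', 'unsafe-inline', ...: never match a URL fetch
        return False
    if source.endswith(":"):            # scheme-source such as https:
        return u.scheme == source[:-1]
    # host-source: optional scheme, host (optionally *.host or bare *), optional port
    s = urlparse(source if "://" in source else f"{p.scheme}://{source}")
    host_ok = bool(u.hostname) and (s.hostname == "*" or u.hostname == s.hostname
               or (s.hostname.startswith("*.") and u.hostname.endswith(s.hostname[1:])))
    scheme_ok = "://" not in source or u.scheme == s.scheme
    port_ok = s.port is None or s.port == u.port
    return host_ok and scheme_ok and port_ok

def is_allowed(policy, directive, url, page_origin):
    """Resolve the directive, falling back to default-src as the browser does, then test the URL."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True   # neither the directive nor default-src is set: the fetch is unrestricted
    return any(source_matches(src, url, page_origin) for src in sources)

# Constructed sample report in the shape shown on this page (CSP 2.0 style violated-directive).
REPORT = {"csp-report": {"document-uri": "http://site.com/page.html", "blocked-uri": "http://evil.com/xss.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://site.com/csp/report"}}

def triage_report(report):
    """Re-evaluate a received report: which directive fired, and is the URI really outside the policy?"""
    r = report["csp-report"]
    doc = urlparse(r["document-uri"])
    policy = parse_policy(r["original-policy"])
    directive = r["violated-directive"].split()[0]
    allowed = is_allowed(policy, directive, r["blocked-uri"], f"{doc.scheme}://{doc.netloc}")
    return {"directive": directive, "blocked_uri": r["blocked-uri"], "allowed_by_policy": allowed}
```

A report whose blocked URI turns out to be allowed by the policy it quotes usually points at a browser or extension quirk rather than a real injection, which is why the re-check is useful when triaging report-uri traffic.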

Inline JavaScript

The main idea of CSP is allow-lists of trusted sources for loading resources, but such lists cannot protect against inline JavaScript when an attacker succeeds in embedding code such as <script>document.body.innerHTML = "Phishing Content"</script> in the page. CSP solves this problem by completely banning the execution of inline JavaScript, as well as inline event handlers (onclick="Javascript code") and JavaScript in <a href="javascript:..."> links. It is not recommended to lift this restriction with script-src 'unsafe-inline', as doing so reopens a wide scope for XSS attacks.
