📌
Software Security
  • README
  • Prerequisites
    • Prerequisites
  • Introduction
    • Cyber security principles
    • Basic web concepts
      • HTTP
      • JavaScript
      • Cookies
      • SQL
      • DOM
      • APIs and the multitier architecture
    • Basic browser security concepts
      • Same-Origin Policy (SOP)
      • Cross-Origin Resource Sharing (CORS)
      • Cookies
      • Tracking
    • Basic security concepts
      • Hashing
  • Access Control: Basics
    • Authentication
      • Passwords
      • Password managers
      • Attacking passwords - online
      • Attacking passwords - offline
    • Authorization
      • Insecure direct object references
    • Session Management
    • CSRF
      • CSRF: why & how it works
      • Protecting against CSRF attacks
    • SSRF
      • SSRF: how it works and how we can protect against it
  • Access Control: Advanced
    • Authentication
      • Federation
      • Alternative authentication mechanisms
      • FIDO2 and WebAuthn
  • Injection attacks
    • Injection attacks
    • SQL Injection
    • Command Injection
    • Cross-site scripting
      • Input validation
      • Context sensitive output encoding
      • About the HttpOnly flag
      • Content Security Policy
    • Subresource integrity
    • Sandboxing
  • HTTPS
    • HTTPS
    • Introduction to cryptography
    • PKI
    • Setting up HTTPS
    • References
  • HTTP Headers for security
    • HTTP Headers
  • Threat Modeling
    • Threat modeling introduction
    • Threat modeling basics
    • Inspiration for threats
  • Bringing it all together
    • A comprehensive overview of controls
Powered by GitBook
On this page
  • XSS prevention: Content security policy
  • Specifying a Content Security Policy
  • Directives
  • connect-src
  • default-src
  • font-src
  • frame-src
  • img-src
  • media-src
  • script-src
  • style-src
  • form-action
  • frame-ancestors
  • navigate-to
  • Values
  • Source attribution

Was this helpful?

  1. Injection attacks
  2. Cross-site scripting

Content Security Policy

PreviousAbout the HttpOnly flagNextSubresource integrity

Last updated 1 year ago

Was this helpful?

XSS prevention: Content security policy

As we've seen in the previous sections, protecting against XSS is hard and requires adherence to a large set of rules, depending on the complexity of your application.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control resources the user agent is allowed to load for that page. For example, a page that uploads and displays images could allow images from anywhere, but restrict a form action to a specific endpoint.

Alternatively, the element can be used to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

Specifying a Content Security Policy

You can use the Content-Security-Policy HTTP header to specify your policy, like this:

Content-Security-Policy: policy

The policy is a string containing the policy directives describing your Content Security Policy. A policy is described using a series of policy directives, each of which describes the policy for a certain resource type or policy area. Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own. A policy needs to include a default-src or script-src directive to prevent inline scripts from running, as well as blocking the use of eval(). A policy needs to include a default-src or style-src directive to restrict inline styles from being applied from a <style> element or a style attribute.

Directives

Apart from default-src, script-src, and style-src, other directives exist. A partial list is given below. For a full overview of all directives, . Note that some directives prevent against other attacks than XSS alone.

connect-src

Restricts the URLs which can be loaded using script interfaces

default-src

Serves as a fallback for the other fetch directives.

font-src

Specifies valid sources for fonts loaded using @font-face.

frame-src

Specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.

img-src

Specifies valid sources of images and favicons.

media-src

Specifies valid sources for loading media using the <audio> , <video> and <track> elements.

script-src

Specifies valid sources for JavaScript. Two more fine-grained directives exist:

  • script-src-elem: Specifies valid sources for JavaScript <script> elements.

  • script-src-attr: Specifies valid sources for JavaScript inline event handlers.

style-src

Specifies valid sources for stylesheets. Two more fine-grained directives exist:

  • style-src-elem: Specifies valid sources for stylesheets <style> elements and <link> elements with rel="stylesheet".

  • style-src-attr: Specifies valid sources for inline styles applied to individual DOM elements.

form-action

Restricts the URLs which can be used as the target of a form submissions from a given context.

frame-ancestors

Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.

navigate-to

Restricts the URLs to which a document can initiate navigation by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc.

Values

Each directive can have one or more values. For example, let's consider the following CSP:

Content-Security-Policy: default-src 'self'; script-src https://code.jquery.com https://google-analytics.com 'sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=';

This policy says that only scripts from https://code.jquery.com or https://google-analytics.com are allowed, or a script that has FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8= as its SHA-256 digest. This digest can be calculated over inline scripts or referenced scripts.

Typical values are the following:

  • *: wildcard, allows any URL

  • none: prevents loading resources from any source.

  • self: allows loading resources from the same origin (same scheme, host and port).

  • data:: allows loading resources via the data scheme (eg Base64 encoded images).

  • domain.example.com: allows loading resources from the specified domain name.

  • *.example.com: allows loading resources from any subdomain under example.com.

  • https://cdn.com: allows loading resources only over HTTPS matching the given domain.

  • https:: allows loading resources only over HTTPS on any domain.

  • unsafe-inline: allows use of inline source elements. This is ignored when hashes are used.

  • unsafe-eval: allows unsafe dynamic code evaluation such as JavaScript eval()

  • nonce-: allows script or style tag to execute if the nonce attribute value matches the header value. Example: <script nonce="2726c7f26c">alert("hello");</script>

  • sha256-XXX: allow a specific script or style to execute if it matches the hash. Example: sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=

  • strict-dynamic: propagate trust to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored.

Source attribution

Some parts of this page are based on by Mozilla Contributors, which is licensed under .

see the Mozilla documentation
Content Security Policy (CSP)
CC-BY-SA 2.5