Content Security Policy

“Content Security Policy” is a declarative policy that allows the application developers to inform the client about the sources from which the application can load the resources. Content security policy does not help as a first line of defense against code injection attacks, but it can be best used as defense-in-depth to reduce the harm caused by such attacks. To take advantage of this policy, the application developers need to make use of “Content-Security-Policy” HTTP header. Background: Content security policy header was originally developed by Mozilla Foundation. Experimental implementations of this header in various browsers was done by names like X-Webkit-CSP in chrome , X-Content-Security-Policy in browsers like Mozilla, SeaMonkey, etc. “Content-Security-Policy” is the standard header name proposed by the W3C document. Workings of the CSP header: The content-security-policy header is sent in the server response. On encountering this header in the response, the client judges from where or from where not the content should be loaded in that page. This is done by the browser by using the directives and the values present in the CSP response header. CSP header is applicable per page. Hence, it is advised to add this header for every response. CSP directives and their usage: CSP provides a wide range of directives each one specific for a content type. The directives provided by content security policy are as follows: script-src connect-src frame-src Child-src frame-ancestors img-src media-src object-src style-src sandbox default-src Before getting into the directives, let us look at few basic keywords that are used as part of CSP directive values. – * (asterisk) – allow anything – none : matches nothing. – self: matches the current origin, but not its subdomains. – https: allow resources only over HTTPS – unsafe-inline: allows inline JavaScript and CSS – unsafe-eval: allows text-to-JavaScript mechanisms like eval Now, let us look into each of the content security policy directives with related examples – Script –Src: Script-src is a directive that controls a set of script-related privileges for a specific page. It restricts which scripts the protected resource can execute and controls other resources, such as XSLT style sheets, which can cause the user agent to execute the scripts. Grammar: Content-Security-Policy: script-src directive value; A probable example could be as follows – Content – Security – Policy: script-src ‘self’; This type of header would restrict scripts being executed from different domains. Only the scripts that belong to the same domain as the domain of the page will be executed. Similarly, we can have script – src value set to other directive values as follows – -> Content – Security – Policy: script-src www.abc.com; Such a setting would allow scripts to get executed only when they belong to the domain specified. Here in this example, the script belonging to the “abc.com” domain would be executed. -> Content – Security – Policy: script-src ‘unsafe-inline’; This would allow all the inline scripts present on the page to be executed by the browser. -> Content – Security – Policy: script-src ‘unsafe-eval’; With this directive value set, the browser would allow all the eval functions to be executed without any restriction. One can always set multiple directive values to a directive. Example- Content – Security – Policy: script-src ‘self’, https://www.xyz.com; In the above example, we have specified self and xyz.com domain as valid sources of scripts. Therefore, the browser would interpret this and allow execution of scripts to be executed only if they belong to same domain or xyz.com domain. In case there is some script that is interpreted to be from an invalid source according to the browser, the browser would display an error message as follows – Refused to load the script ‘script-uri’ because it violates the following Content Security Policy directive: “CSP directive set by you“. This error message may vary according to the browser. Connect – Src: This directive defines valid sources for fetching the XMLHttpRequest, WebSocket, and EventSource connections. These connections may be to external server to send/receive information, eventSource open HTTP connections to a server for receiving push notifications, WebSockets for communication between and a server, and XMLHttpRequests to make arbitrary HTTP requests on your behalf. The connect-src directive allows you to ensure that these sorts of connections are only opened to origins you trust. In case the connect-src is absent, then the browser looks for default-src or it will take the default value to be * and will fetch all the connections. Grammar: Content – Security – Policy : connect-src directive value; An example could be- Content – Security – Policy: connect-src ‘self’ , www.xyz.com; The above setting of the connect-src directive would allow the connections only from same domain or the xyz.com domain. Frame-src: Frame-src restricts the sources from where a resource can be embedded into the frame. It decides the valid sources of content for nested contexts, web workers. Grammar: Content – Security – Policy: frame-src value; Example: Content – Security – Policy : frame-src www.test.com; This would instruct a browser that the content in a frame can be loaded only from test.com domain. The Frame-src directive is now deprecated and most of the browsers are not implementing it now a days. Instead of this, child –src is being implemented. Child –Src also does the same work as the frame-src directive. The grammar is also same as the frame-src directive. Frame-ancestors: This directive specifies valid parents that may embed a page using the and elements. Grammar: Content – Security – Policy: frame-ancestors value; Example: Content – Security – Policy : frame-ancestors <a href=https://www.test.com>www.test.com</a>; This would instruct the browser that the page can be loaded into a frame only of the parent frame is from test.com domain. Img-src: This directive is used to implement restrictions on sources from where the images can be loaded into the protected resource. Whenever the application tries to retrieve any image and the source from where the image is being retrieved does not match the one specified in the img-src directive, then the browser might throw an error. Grammar: Content – Security – Policy: img-src directive value; Example: Content – Security – Policy: img – src ‘self’, <a href=https://www.test.com>www.test.com</a> By setting this directive as above, it instructs the browser that the images belonging to the same domain as that of the page and images from test.com can also be loaded. Media-src: Similar to the img-src directive, the media-src directive implements restrictions on sources from where the media files like audio or video files can be loaded into the protected resource. Whenever the application tries to retrieve any media apart from the one specified in the media-src directive, and then the browser might throw an error. Grammar: Content – Security – Policy: media-src directive value; Example: Content – Security – Policy: media – src ‘self’, <a href=https://www.test.com>www.test.com</a> This setting would load media only from the self domain or test.com domain. Object-src: The Object -src directive restricts the valid sources from where the protected resource can load data for embedded elements or applets or objects or load any plug-in. Grammar: Content – Security – Policy: object-src directive value; Example: Content – Security – Policy: object-src ‘self’; This would allow plugins to be loaded only from the same domain as the page and also other applet data or object data to be loaded only from the same domain. Style-src: This directive specifies valid sources for including the stylesheets- may it be externally loaded stylesheets or inline use of the HTML style attributes. The Stylesheets, which belong to different source apart from that, are not included in the source list are not requested or loaded. Grammar: Content – Security – Policy: style-src directive value; Example: Content – Security – Policy: style-src <a href=https://www.abc.com>www.abc.com</a>; This would load stylesheets belonging to only abc.com domain. It will not even load the html style attributes specified using style element in the page. In order to include the inline style while using the style-src directive, one has to specify explicitly the ‘unsafe-inline’ value also to the style-src directive as below – Content-Security-Policy: style-src ‘unsafe-inline’, <a href=https://www.test.com>www.test.com</a>; Sandbox: This directive is used to restrict a page’s actions like preventing popups, execution of plugins and scripts, and enforcing a same-origin policy. Grammar: Content-Security- Policy: sandbox value; If the value isn’t specifies then the default value would be “is sandbox allow-scripts allow-forms”. Default-src: This is a default directive and in case any directive not set, then the value of the default-src directive is considered as the value for the unset directive. Thus, this default-src defines loading policy for all the resource types when a resource type dedicated directive is not defined (fallback). This rule applies to the below mentioned directive-child-src connect-src font-src img-src media-src object-src script-src style-src Grammar: Content-security-Policy: default-src value Example: Content-security-Policy: default-src ‘self’; This would be interpreted by the browser as all the loading of scripts, images, media, frame content, objects, style sheets, connections are to be done only with the same domain as that of the page. When the directive for a specified resource is not defined and a default-src is defined, then the default-src value is considered to be the value of the undefined directive. When both default-src and the specific resource type directive are defined, then the specific resource type directive value is considered. Example: Content – security – Policy: script-src ‘self’; default-src ‘self ‘,www.test.com; If it is specified as above, the scripts are loaded only from the same domain as the script-src is specified and all other resources will be loaded from same and as well as test.com domain as the default-src is defined for the undefined directivez. Conclusion: Content –security-policy is one of a great policies when used correctly. The risk with CSP is improper configuration and too permissive policies. So, one has to thoroughly test the application once the CSP directives are implemented and only then go for production. CSP not only provides an ability for web applications to specify what type and from where content can be loaded, but also provides some protection from cross-site scripting and other data injection attacks. However, one should not completely rely on CSP to provide cent percent security; it can be used only as an early warning mechanism for attacks that appear in the wild. Though it is not widely adopted by a majority of the web browser market, CSP can prove a useful layer in protecting web applications and their users. References: 1. <a href=http://www.html5rocks.com/en/tutorials/security/content-security-policy/>http://www.html5rocks.com/en/tutorials/security/content-security-policy/</a> 2. <a href=https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</a></p></div><footer class=post-footer><ul class=post-tags></ul><nav class=paginav><a class=prev href=https://bumblebee.pages.dev/posts/chinese-brands-taking-over-the-smartphone-market-as-sales-flatten1285515/><span class=title>« Prev</span><br><span>Chinese Brands Taking Over The Smartphone Market As Sales Flatten</span></a> <a class=next href=https://bumblebee.pages.dev/posts/coronavirus-prices-are-skyrocketing-online-here-s-how-to-shop-smart1880717/><span class=title>Next »</span><br><span>Coronavirus Prices Are Skyrocketing Online Here S How To Shop Smart</span></a></nav><div class=share-buttons><a target=_blank rel="noopener noreferrer" aria-label="share Content Security Policy on twitter" href="https://twitter.com/intent/tweet/?text=Content%20Security%20Policy%20&url=https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f&hashtags="><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zM195.519 424.544c135.939.0 210.268-112.643 210.268-210.268.0-3.218.0-6.437-.153-9.502 14.406-10.421 26.973-23.448 36.935-38.314-13.18 5.824-27.433 9.809-42.452 11.648 15.326-9.196 26.973-23.602 32.49-40.92-14.252 8.429-30.038 14.56-46.896 17.931-13.487-14.406-32.644-23.295-53.946-23.295-40.767.0-73.87 33.104-73.87 73.87.0 5.824.613 11.494 1.992 16.858-61.456-3.065-115.862-32.49-152.337-77.241-6.284 10.881-9.962 23.601-9.962 37.088.0 25.594 13.027 48.276 32.95 61.456-12.107-.307-23.448-3.678-33.41-9.196v.92c0 35.862 25.441 65.594 59.311 72.49-6.13 1.686-12.72 2.606-19.464 2.606-4.751.0-9.348-.46-13.946-1.38 9.349 29.426 36.628 50.728 68.965 51.341-25.287 19.771-57.164 31.571-91.8 31.571-5.977.0-11.801-.306-17.625-1.073 32.337 21.15 71.264 33.41 112.95 33.41z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Content Security Policy on linkedin" href="https://www.linkedin.com/shareArticle?mini=true&url=https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f&title=Content%20Security%20Policy%20&summary=Content%20Security%20Policy%20&source=https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zM160.461 423.278V197.561h-75.04v225.717h75.04zm270.539.0V293.839c0-69.333-37.018-101.586-86.381-101.586-39.804.0-57.634 21.891-67.617 37.266v-31.958h-75.021c.995 21.181.0 225.717.0 225.717h75.02V297.222c0-6.748.486-13.492 2.474-18.315 5.414-13.475 17.767-27.434 38.494-27.434 27.135.0 38.007 20.707 38.007 51.037v120.768H431zM123.448 88.722C97.774 88.722 81 105.601 81 127.724c0 21.658 16.264 39.002 41.455 39.002h.484c26.165.0 42.452-17.344 42.452-39.002-.485-22.092-16.241-38.954-41.943-39.002z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Content Security Policy on reddit" href="https://reddit.com/submit?url=https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f&title=Content%20Security%20Policy%20"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zM446 265.638c0-22.964-18.616-41.58-41.58-41.58-11.211.0-21.361 4.457-28.841 11.666-28.424-20.508-67.586-33.757-111.204-35.278l18.941-89.121 61.884 13.157c.756 15.734 13.642 28.29 29.56 28.29 16.407.0 29.706-13.299 29.706-29.701.0-16.403-13.299-29.702-29.706-29.702-11.666.0-21.657 6.792-26.515 16.578l-69.105-14.69c-1.922-.418-3.939-.042-5.585 1.036-1.658 1.073-2.811 2.761-3.224 4.686l-21.152 99.438c-44.258 1.228-84.046 14.494-112.837 35.232-7.468-7.164-17.589-11.591-28.757-11.591-22.965.0-41.585 18.616-41.585 41.58.0 16.896 10.095 31.41 24.568 37.918-.639 4.135-.99 8.328-.99 12.576.0 63.977 74.469 115.836 166.33 115.836s166.334-51.859 166.334-115.836c0-4.218-.347-8.387-.977-12.493 14.564-6.47 24.735-21.034 24.735-38.001zM326.526 373.831c-20.27 20.241-59.115 21.816-70.534 21.816-11.428.0-50.277-1.575-70.522-21.82-3.007-3.008-3.007-7.882.0-10.889 3.003-2.999 7.882-3.003 10.885.0 12.777 12.781 40.11 17.317 59.637 17.317 19.522.0 46.86-4.536 59.657-17.321 3.016-2.999 7.886-2.995 10.885.008 3.008 3.011 3.003 7.882-.008 10.889zm-5.23-48.781c-16.373.0-29.701-13.324-29.701-29.698.0-16.381 13.328-29.714 29.701-29.714 16.378.0 29.706 13.333 29.706 29.714.0 16.374-13.328 29.698-29.706 29.698zM160.91 295.348c0-16.381 13.328-29.71 29.714-29.71 16.369.0 29.689 13.329 29.689 29.71.0 16.373-13.32 29.693-29.689 29.693-16.386.0-29.714-13.32-29.714-29.693z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Content Security Policy on facebook" href="https://facebook.com/sharer/sharer.php?u=https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H342.978V319.085h66.6l12.672-82.621h-79.272v-53.617c0-22.603 11.073-44.636 46.58-44.636H425.6v-70.34s-32.71-5.582-63.982-5.582c-65.288.0-107.96 39.569-107.96 111.204v62.971h-72.573v82.621h72.573V512h-191.104c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Content Security Policy on whatsapp" href="https://api.whatsapp.com/send?text=Content%20Security%20Policy%20%20-%20https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zm-58.673 127.703c-33.842-33.881-78.847-52.548-126.798-52.568-98.799.0-179.21 80.405-179.249 179.234-.013 31.593 8.241 62.428 23.927 89.612l-25.429 92.884 95.021-24.925c26.181 14.28 55.659 21.807 85.658 21.816h.074c98.789.0 179.206-80.413 179.247-179.243.018-47.895-18.61-92.93-52.451-126.81zM263.976 403.485h-.06c-26.734-.01-52.954-7.193-75.828-20.767l-5.441-3.229-56.386 14.792 15.05-54.977-3.542-5.637c-14.913-23.72-22.791-51.136-22.779-79.287.033-82.142 66.867-148.971 149.046-148.971 39.793.014 77.199 15.531 105.329 43.692 28.128 28.16 43.609 65.592 43.594 105.4-.034 82.149-66.866 148.983-148.983 148.984zm81.721-111.581c-4.479-2.242-26.499-13.075-30.604-14.571-4.105-1.495-7.091-2.241-10.077 2.241-2.986 4.483-11.569 14.572-14.182 17.562-2.612 2.988-5.225 3.364-9.703 1.12-4.479-2.241-18.91-6.97-36.017-22.23C231.8 264.15 222.81 249.484 220.198 245s-.279-6.908 1.963-9.14c2.016-2.007 4.48-5.232 6.719-7.847 2.24-2.615 2.986-4.484 4.479-7.472 1.493-2.99.747-5.604-.374-7.846-1.119-2.241-10.077-24.288-13.809-33.256-3.635-8.733-7.327-7.55-10.077-7.688-2.609-.13-5.598-.158-8.583-.158-2.986.0-7.839 1.121-11.944 5.604-4.105 4.484-15.675 15.32-15.675 37.364.0 22.046 16.048 43.342 18.287 46.332 2.24 2.99 31.582 48.227 76.511 67.627 10.685 4.615 19.028 7.371 25.533 9.434 10.728 3.41 20.492 2.929 28.209 1.775 8.605-1.285 26.499-10.833 30.231-21.295 3.732-10.464 3.732-19.431 2.612-21.298-1.119-1.869-4.105-2.99-8.583-5.232z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Content Security Policy on telegram" href="https://telegram.me/share/url?text=Content%20Security%20Policy%20&url=https%3a%2f%2fbumblebee.pages.dev%2fposts%2fcontent-security-policy-1991160%2f"><svg viewBox="2 2 28 28" height="30" width="30" fill="currentcolor"><path d="M26.49 29.86H5.5a3.37 3.37.0 01-2.47-1 3.35 3.35.0 01-1-2.47V5.48A3.36 3.36.0 013 3 3.37 3.37.0 015.5 2h21A3.38 3.38.0 0129 3a3.36 3.36.0 011 2.46V26.37a3.35 3.35.0 01-1 2.47 3.38 3.38.0 01-2.51 1.02zm-5.38-6.71a.79.79.0 00.85-.66L24.73 9.24a.55.55.0 00-.18-.46.62.62.0 00-.41-.17q-.08.0-16.53 6.11a.59.59.0 00-.41.59.57.57.0 00.43.52l4 1.24 1.61 4.83a.62.62.0 00.63.43.56.56.0 00.4-.17L16.54 20l4.09 3A.9.9.0 0021.11 23.15zM13.8 20.71l-1.21-4q8.72-5.55 8.78-5.55c.15.0.23.0.23.16a.18.18.0 010 .06s-2.51 2.3-7.52 6.8z"/></svg></a></div></footer></article></main><footer class=footer><span>© 2023 <a href=https://bumblebee.pages.dev/>Bumblebee</a></span></footer><script type=text/javascript src=//normallydemandedalter.com/48/f2/62/48f262e63869c6b4229e3455c07958bc.js></script> <script type=text/javascript>var _Hasync=_Hasync||[];_Hasync.push(["Histats.start","1,4695461,4,0,0,0,00010000"]),_Hasync.push(["Histats.fasi","1"]),_Hasync.push(["Histats.track_hits",""]),function(){var e=document.createElement("script");e.type="text/javascript",e.async=!0,e.src="//s10.histats.com/js15_as.js",(document.getElementsByTagName("head")[0]||document.getElementsByTagName("body")[0]).appendChild(e)}()</script><noscript><a href=/ target=_blank><img src=//sstatic1.histats.com/0.gif?4695461&101 alt border=0></a></noscript><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script></body></html>