I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP
What Is It Why How Does It Work What Browsers Support It How To Use It Default CSP Restrictions CSP Policy Directives CSP Violation Reports Examples How To Test Unintended Consequences Resources
Mozilla’s Content Security Policy is a proposed standard providing a contract between web pages and browsers to control the locations from which browsers will load content Declarative in nature and provides a fine granularity of content inclusion control Designed to be backwards compatible so as not to break browsers that don’t support it Provides reporting of violations to the appropriate issuing domains
Motivated by the endless parade of cross site scripting and “clickjacking” exploits that have arisen over the last decade Designed to mitigate: Cross Site Scripting exploits (XSS) “Clickjacking” Packet sniffing attacks (specifically by eliminating inadvertent use of unencrypted data transmission protocols)
Prevents XSS and “Clickjacking” by controlling the domains from which Javascript can be loaded, blocking the ability for exploits to force the loading of malicious Javascript (Think whitelist versus blacklist) It also prevents link injection Reduces packet sniffing exposure by forcing content to be exchanged only via HTTPS
At present, only FireFox 4 and up support CSP It’s rather hard to glean this information from googling and what not, but there’s a great test page (link at end of presentation) and the following tip versions were verified as failing as of 02 May 2012: Google Chrome Mac Safari Opera Microsoft IE (won’t even run the JS test…)
Understand the default restrictions browsers honoring CSP will enact for CSP enabled web pages Understand how multiple policies are interpreted by the browser 3 basic parts to implementing a CSP: Policy Delivery Policy Directives Violation Reports
No inline Javascript - all Javascript must be in external files No Javascript URLs - use of “javascript: …” is forbidden Element event handling attributes are disabled - use element.addEventListener() instead eval() is disabled - setTimeout() and setInterval() must be called with functions only - no setInterval(“location=‘yourehacked.org’", 10000) The Function() constructor is disabled - use the function operator or function statement data: URIs are disabled except for images - may be overridden in the X-Content-Security-Policy header XBL binding must use the chrome: or resource: URI specifier policy-uri and report-uri must refer to the issuing domain’s host
CSP follows a policy of “least privilege” which means that when multiple policies are present in the content being loaded by the browser, the browser will enforce the most restrictive intersection of the policies received All policies must allow an action to be taken for it to be executed The following issue is being debated: “What should happen when multiple instances of the same directive but with different values occur within a single policy header or meta element, i.e. should they be combined or intersected as they are successively parsed?”
Browsers are informed of a CSP by one of two methods: X-Content-Security-Policy Response Header Specifying policy in the header is preferred over the meta element means and takes precedence when both are specified HTML Element The header entry or meta element contains the policy directives for the issuing page
Policy directives provide for fine-grained content inclusions rules: – frame-ancestors – report-uri – policy-uri – options – script-nonce (proposed) – sandbox (proposed) – default-src – script-src – object-src – img-src – media-src – style-src – frame-src – font-src – xhr-src
default-src Specifies the default safe source domains for all types except frame-ancestors and where not otherwise declared script-src Specifies the safe domains for script element “src” attributes object-src Specifies the safe domains for object element “data” attributes, embed element “src” attributes, and applet element “code”/”archive” attributes
img-src Specifies the safe domains for img element “src” attributes, CSS property “url()” and “image()” values, and the “href” value of or elements media-src Specifies the safe domains for media and audio element “src” attributes style-src Specifies the safe domains for the “href” value of element or directives
frame-src Specifies the safe domains for iframe element “src” attributes font-src Specifies the safe domains CSS rule “src” attributes xhr-src Specifies the safe domains XMLHttpRequest objects are able to communicate with (this appears to be a relaxation of the same origin policy currently honored by XMLHttpRequest objects)
frame-ancestors Specifies domains from which content will be able to utilize the, or elements report-uri Specifies the URL for posting the JSON violation report data policy-uri Specifies a URL to load a policy file from and can only be used when no other policy directives are specified using the header or meta element policy delivery mechanism
options Provides a means of relaxing the default CSP restrictions script-nonce (proposed) Provides a means to allow inline Javascript to execute sandbox (proposed) Provides a sandbox policy with the same syntax and semantics as the iframe element “sandbox” attribute defined in HTML5
Limiting content to the issuing domain: X-Content-Security-Policy: default-src 'self' Allowing images from anywhere, plugin content from a list of trusted providers, and scripts from a specific domain: X-Content-Security-Policy: default-src 'self'; img-src *; \ object-src media1.example.com media2.example.com *.cdn.example.com; \ script-src trustedscripts.example.com Globally denying all third-party scripts and disallowing third-party media by using separate headers: X-Content-Security-Policy: default-src *; script-src 'self‘ X-Content-Security-Policy: default-src *; script-src 'self'; media-src 'self' Ensure all content is loaded over TLS: X-Content-Security-Policy: default-src
When using the report-uri directive to specify a delivery URL for violation reports, a code-behind to handle the incoming reports must be implemented Violation reports sent to the delivery URL via an HTTP POST of JSON formatted data The JSON contains the following: request : Specifies the HTTP request of the resource whose policy was violated including method/verb, URI and HTTP version request-headers : Specifies the HTTP request headers sent with the request for the protected resource whose policy was violated blocked-uri : Specifies the URI of the resource that was prevented from loading due to the policy violation violated-directive : Specifies which policy directive that was violated original-policy : Specifies the original policies as received by the user-agent and comma separating them if multiple were received Be sure to follow secure programming practices when implementing the code behind the report delivery URL
For the policies specified: Inject content that would violate the policies Test in browsers supporting both CSP and not supporting CSP Verify content is not loaded/executed using tracing tools such as Fiddler/Wireshark and client-side debuggers such as FireBug If enforcing HTTPS, verify content is loaded only over secure protocols using a tool such as Wireshark Verify your reporting code is reporting the correct information from the violations (also perform whatever secure coding tests you would for a normal web application) When multiple browsers support CSP, be sure to test policies across supporting browsers
Consider: A page provides a script-src policy to allow the inclusion of Javascript from a 3 rd party who does not issue a CSP and has not been included in your CSP. The 3 rd party’s Javascript includes other Javascript files from the 3 rd party’s domain. At a later date the 3 rd party changes where their included Javascript is being loaded from to a domain not specified in the original CSP. The 3 rd party’s functionality is now broken.
Mozilla’s overview: _Policy _Policy W3C’s unofficial draft: file/tip/csp-specification.dev.html file/tip/csp-specification.dev.html Demo scripts and test page: policy/demo.cgi policy/demo.cgi