Content Security Policy

from Wikipedia, the free encyclopedia

Content Security Policy (CSP) is a security concept for preventing cross-site scripting and other attacks that inject data into websites. It is a W3C recommendation for web application security.

CSP was originally designed by the Mozilla Foundation and experimentally supported for the first time in Firefox 4.0.

Status

The official name of the HTTP header field is Content-Security-Policy. Mozilla Firefox supports it from version 23, Google Chrome from version 25. Internet Explorer 10 and 11 support CSP via the header X-Content-Security-Policy.

W3C is currently working on version 3.

Problem of the classic security concept

Web pages can contain active content, for example in the form of JavaScript code. When web browsers execute this code, they enforce the same-origin policy. This means that code from one origin cannot access content from another origin. For example, code on an attacker's website must not be able to access the elements of an online banking website.

In practice, however, cross-site scripting vulnerabilities are very common, and they nullify the same-origin policy. A cross-site scripting vulnerability arises when a website, because of faulty escaping, incorporates code injected by an attacker. From the browser's point of view, this injected code comes from the same origin as the attacked website.

How it works

Concept

The cause of cross-site scripting vulnerabilities lies in the faulty dynamic generation of content in web applications. The Content Security Policy therefore enforces a strict separation between content data in the HTML code and external files containing the JavaScript code. The JavaScript code is usually static and is not generated dynamically.

Prohibited constructs and alternatives

The separation between code and data is achieved as follows:

JavaScript blocks
of the form

<script> [code] </script>

must be moved to external files in a trusted domain:

<script src="externalfile.js"></script>

setTimeout() and setInterval()
may no longer be called in the variant that takes the code as a character string:

window.setTimeout("[code]", 100);

Instead, a reference to a callback must be passed:

window.setTimeout(function () { [code] }, 100);

eval()
should be avoided whenever possible. For parsing data in JSON format, modern browsers offer the function

JSON.parse(jsonString)

instead. Calling eval() can be explicitly permitted via the policy rule “unsafe-eval”, which, however, limits the protective function of CSP.

Event handler attributes
such as onclick in

<a id="historyback" onclick="history.back()"></a>

must be replaced by event listeners registered from external code. The example can be implemented in JavaScript like this:

document.getElementById("historyback").addEventListener("click", function () { history.back(); });

The a element is addressed via its ID “historyback” and an event listener for the click event is added.

Evaluation, reporting

In order to check the effects of activating CSP for a web application without enforcing the policy itself, the W3C draft provides a way to log violations of the CSP to the URL specified with report-uri. For this, the report-only mode must be used by means of the Content-Security-Policy-Report-Only header.

This reporting is problematic, however, as security researchers have already shown how these reports can be deliberately forged and thus draw the administrators' attention to the wrong place during an attack. This behavior cannot easily be remedied, because the report is sent by the browser and not by the server.
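As an added example (not part of the article), the following JavaScript checks a Content-Security-Policy header for the constructs listed above (inline scripts, event handler attributes, eval) and reduces a violation report posted to report-uri to the fields worth triaging. The header strings and the report body are constructed sample input; the 'nonce-'/'sha256-' handling follows CSP Level 2, where a nonce or hash source causes 'unsafe-inline' to be ignored.

```javascript
// Split "script-src 'self' https://cdn.example.org; report-uri /csp" into a
// Map of directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    // Lower-casing is safe here because only keywords and prefixes are compared.
    if (!policy.has(key)) policy.set(key, values.map((v) => v.toLowerCase()));
  }
  return policy;
}

// Which of the constructs the article forbids does this policy still allow?
function auditScripts(header) {
  const policy = parseCsp(header);
  // Script execution is governed by script-src, falling back to default-src.
  const src = policy.get('script-src') || policy.get('default-src');
  if (!src) {
    // No applicable directive: the browser restricts nothing for scripts.
    return { restricted: false, inlineAllowed: true, evalAllowed: true };
  }
  // A nonce or hash source makes CSP Level 2 browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = src.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return {
    restricted: true,
    // <script>[code]</script> and onclick="..." attributes need 'unsafe-inline'.
    inlineAllowed: src.includes("'unsafe-inline'") && !hasNonceOrHash,
    // eval() and setTimeout("[code]", ...) need 'unsafe-eval'.
    evalAllowed: src.includes("'unsafe-eval'"),
  };
}

// Reduce a JSON body posted to report-uri to the fields worth triaging.
// The browser, not the server, produces it, so it is untrusted input.
function summarizeReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('not a CSP report');
  return {
    document: String(r['document-uri'] || ''),
    directive: String(r['violated-directive'] || ''),
    blocked: String(r['blocked-uri'] || ''),
  };
}

// Constructed sample report (not from a real site).
const SAMPLE_REPORT = JSON.stringify({ 'csp-report': { 'document-uri':
  'https://shop.example/checkout', 'violated-directive': 'script-src', 'blocked-uri': 'inline' } });
```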
