What is the Content Security Policy (CSP)? – and, Why Haven’t You Applied it Yet?

Joel Weinberger

Tue, 30th September 2014

Learning Objectives:

Joel will explain:

  • Learn why the Content Security Policy (CSP) is an exciting new Web browser feature to harden the security of your web applications.
  • Learn how CSP can help you stop cross-site scripting attacks in their tracks in the browser, before they damage your site or your users.
  • See how you can apply it to your web application today in only a few simple steps and start seeing and preventing attacks in the wild immediately.


Resources and materials:

Questions and answers

Max, Concise Courses:

The script source JavaScript that you mentioned – you said that it was effective – how effective is it – like will it stop say 90% of XSS attacks?

Joel Weinberger:
It will stop any basic XSS attack that is trying to inject a script tag onto your page or is trying to inject a script source onto your page: it will stop 100% of those – the browser will simply not let them execute. Now there are some things that can go wrong, so for example, if you were to specify in your whitelist of allowed sources an excessively long list – say evil dot com is allowed and it turns out [that that is a bad site] – then evil dot com could still inject a script. You therefore have to be careful in developing your policy, but it is usually pretty straightforward.

Like I said, I sort of whitewashed over it, but there is a complex set of attack vectors called ‘DOM XSS’ – CSP would not protect against them per se. The basic idea is that JavaScript takes content that has been put into your page and then somehow uses that to make decisions about the actual execution of the page; there is nothing per se in CSP that will prevent that, but that is a much more complicated type of attack vector and I think it is really important to get rid of this low-hanging fruit first, which is the much more common type of XSS.

Max, Concise Courses:

Am I correct in thinking that CSP is a Chrome extension AND a web app security feature (i.e. hardcoded JavaScript embedded links that stop XSS)? Great presentation by the way!

Joel Weinberger:
The answer is no, CSP is not a Chrome Extension. The answer is that CSP is built into the web browser and built into the renderer, and it is a fundamental part of Chrome; Firefox also has it today, IE also announced that they are building it into their browser, and I believe Safari is also working on it. CSP is [therefore] a web standard that has been standardized by the W3C and is going to be in browsers across the board, and is definitely not just going to be Chrome specific.

There may be a slight confusion in that we do use CSP inside of Chrome Extensions and Chrome Apps, and we do require that developers that are building extensions have a CSP to make their extensions and Apps harder to hack.

CSP is not hard-coded, in that it is in your HTTP headers, so you can actually modify them ‘on the fly’ from your web server and send them across when you send your web page across, so it is dynamic and can be modified over time.
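As an added illustration of the two points Joel makes above (a script-src whitelist that stops injected script tags and inline scripts, and a policy sent as an HTTP header that the server can generate per request rather than hard-code), the following Python is not from the talk or from any browser's implementation. It builds a Content-Security-Policy header with a per-request nonce and a short whitelist, then models the browser's decision for a given script. The hostnames and the /csp-report endpoint are constructed placeholders, and the source matching is a simplified model of the CSP host-source rules (no ports, paths or scheme wildcards). Note that the check only looks at where a script comes from; a whitelisted script that reads untrusted page content and acts on it (the DOM XSS case) passes unchanged, which is exactly the gap described above.

```python
"""Per-request CSP header construction and a simplified model of the browser's
script-src decision. Added example; the hosts and report endpoint are constructed."""
import secrets
from urllib.parse import urlsplit


def new_nonce():
    """Fresh unguessable nonce for one response (the server must never reuse it)."""
    return secrets.token_urlsafe(16)


def make_policy(allowed_script_hosts, nonce, report_uri=None):
    """Return the Content-Security-Policy header value for one response.

    allowed_script_hosts is the deliberate, short list of third-party origins the
    application loads scripts from; every entry here is a place an attacker could
    serve script from if it were ever compromised, so keep it minimal.
    """
    sources = ["'self'", f"'nonce-{nonce}'"] + list(allowed_script_hosts)
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(sources),
        "object-src 'none'",  # no plugins, which are another script-execution path
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")  # browser posts violation reports here
    return "; ".join(directives)


def parse_policy(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def _source_matches(source, src):
    """Match one host-source expression (optional scheme, optional *. wildcard) to a URL."""
    if "://" in source:
        scheme, _, host = source.partition("://")
        if src.scheme != scheme:
            return False
    else:
        host = source
    host = host.split("/")[0]  # ignore any path component of the expression
    if host.startswith("*."):
        return src.hostname.endswith(host[1:])  # *.example.com matches a.example.com
    return src.hostname == host


def script_allowed(header, page_origin, script_src=None, nonce=None):
    """Model the browser's decision for one <script> element on a page.

    script_src=None means an inline script; nonce is the element's nonce attribute.
    An injected <script src=...> to a non-whitelisted host, or an injected inline
    script (which cannot carry the secret nonce), is blocked.
    """
    policy = parse_policy(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True  # nonce'd element, inline or external
    if script_src is None:
        return "'unsafe-inline'" in sources  # inline without a matching nonce
    src, page = urlsplit(script_src), urlsplit(page_origin)
    if "'self'" in sources and (src.scheme, src.netloc) == (page.scheme, page.netloc):
        return True
    return any(_source_matches(s, src) for s in sources if not s.startswith("'"))


if __name__ == "__main__":
    nonce = new_nonce()
    header = make_policy(["cdn.example.com"], nonce, "/csp-report")
    print("Content-Security-Policy:", header)
    page = "https://app.example.com"
    print("own script     ", script_allowed(header, page, "https://app.example.com/app.js"))
    print("whitelisted CDN", script_allowed(header, page, "https://cdn.example.com/lib.js"))
    print("injected src   ", script_allowed(header, page, "https://evil.example.net/x.js"))
    print("injected inline", script_allowed(header, page))
    print("nonce'd inline ", script_allowed(header, page, nonce=nonce))
```

Because the nonce is generated per response and embedded only in the server's own script tags, the header has to be built on the fly as Joel describes; a static copy of the header would reuse the nonce and defeat its purpose. Deploying the same policy with Content-Security-Policy-Report-Only first lets the report-uri endpoint show what would be blocked before enforcement is switched on.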

Max, Concise Courses:

Can you guys share your slides? [SEE ABOVE]

Joel Weinberger:
We will try to get that happening yes.

Max, Concise Courses:

Can XSS attacks mature over time, or has the arms race come to a standstill?

Joel Weinberger:
I keep mentioning this ‘DOM XSS’ thing, and I think that once the world applies CSP to all their websites, which I am relying on you guys to do – once that happens I am expecting to see more sophisticated attacks that do involve DOM XSS. That having been said, my biggest concern is beyond XSS. There have actually been some very good academic papers discussing what happens afterwards, i.e. let’s assume that we have solved XSS, what is next? And it turns out that there are still lots of interesting things attackers [Black Hat] can do, so don’t worry, hackers will have lots of ways to attack your website, but we can start worrying about how to prevent those once we have prevented the XSS problem.

The next steps of attacks are more complicated. Hackers are always really smart and they can always build more complex attacks, but we [White Hat Cyber Security Community] are doing well – we can always make things harder for them, and by making things harder for them we are going to see fewer attacks.

Max, Concise Courses:

Are you planning to include CSP JavaScript in boilerplate and popular CSS frameworks like bootstrap?

Joel Weinberger:
That is a great question. Unfortunately that is something that I am not a part of personally. I certainly do a lot of evangelizing and trying to get stuff like that happening. I have done a fair amount of work talking to a lot of different frameworks to try and encourage them to make their frameworks much more Content Security Policy friendly; on the other hand, if you guys have any connections for me, i.e. people you want me to talk to, I would love to evangelize to frameworks and help to convince them that CSP is the way and that they should be encouraging Content Security Policy.

I think the good news is that lots of major websites are starting to take up the Content Security Policy banner: notably a lot of Google sites, Facebook, and Twitter are making a strong effort to implement CSP, and a bunch of these other guys too. Once we start to see the ball rolling with these big sites I think we are going to start seeing a lot more frameworks supporting it, because of course all the frameworks are often used by the big guys, and I think that is the way to go.